Bitcoin Forum
November 21, 2017, 09:35:18 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
Author Topic: StrongCoin key leak.  (Read 4522 times)
pelleb
Newbie
*
Offline Offline

Activity: 8


View Profile
April 03, 2013, 02:04:28 PM
 #21

There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P
jp
Member
**
Offline Offline

Activity: 69



View Profile WWW
April 03, 2013, 02:31:10 PM
 #22

Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with the user's password for that specific key. Even if someone could view another person's account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.
dogisland
Sr. Member
****
Offline Offline

Activity: 262



View Profile
April 03, 2013, 02:37:11 PM
 #23

Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with the user's password for that specific key. Even if someone could view another person's account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.


They could see the key, but it was still AES 256 encrypted. So they would see something like

U2FsdGVkX19ZvPGX+4T98zGnTjwKs1CmkzXpm8fEJjzuubAY/3wg1JoC6BcqiqR6
mKhdlqyLTeRHc59VfW9ebfwWOfOKnK9qqN8TXXSL4Nw=

So the issue here is that if a user had a low quality password and had given extra info in the clue field then there is a chance they have lost coins.
dansmith
Full Member
***
Offline Offline

Activity: 202


View Profile
April 03, 2013, 03:13:02 PM
 #24

Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

https://tlsnotary.org
Transferable webpage content notarization.
whiskers75
Hero Member
*****
Offline Offline

Activity: 658


Doesn't use these forums that often.


View Profile
April 03, 2013, 03:17:49 PM
 #25

For the record: blockchain.info/wallet stores your wallet locally and on their servers, encrypted at both places and only ever decrypted on your computer. Looks like StrongCoin was a bit late to the party.
And it doesn't charge a 1% fee.
And you can do 'off-site backups' by email, Dropbox and Google Drive - yes, you can keep your wallet.
Blockchain.info wins!
(and it doesn't leak keys)

Elastic.pw Elastic - The Decentralized Supercomputer
ELASTIC ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM
dogisland
Sr. Member
****
Offline Offline

Activity: 262



View Profile
April 03, 2013, 03:20:42 PM
 #26

Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

I mean a bitcoin private key encrypted in AES 256. The AES 256 encryption is performed on the client side (javascript) using a password the user supplies. I never see that password.

So basically in StrongCoin when a private key is created, it is created in the browser. The user supplies a password to the Javascript and then Javascript AES encrypts the private key before sending it to the server.

So we only have AES encrypted private keys and a clue field. The user could supply a clue to help them remember the password. Some users may have given too much information in the clue field.

The AES encrypted key (still protected) was leaked along with the clue field.

The clue field has now been removed from Strongcoin and a warning added to encourage users to create more secure passwords.
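The blob pasted in post #23 starts with "U2FsdGVkX1", which is the base64 encoding of the OpenSSL "Salted__" container (8-byte magic, 8-byte salt, then AES-CBC ciphertext). The following Python is an added example, not StrongCoin's code: it parses that exact blob to show what an observer of the leak actually obtained (a salt and 64 bytes of ciphertext, no plaintext), and contrasts the one-MD5-per-guess key derivation that the Salted__ format implies with a deliberately slow PBKDF2 derivation. The assumption that the wallet's JavaScript used OpenSSL's EVP_BytesToKey is mine; the thread only says "AES 256 in the browser".

```python
import base64
import hashlib

# Ciphertext quoted in the thread (post #23), joined across the line break.
LEAKED_BLOB = (
    "U2FsdGVkX19ZvPGX+4T98zGnTjwKs1CmkzXpm8fEJjzuubAY/3wg1JoC6BcqiqR6"
    "mKhdlqyLTeRHc59VfW9ebfwWOfOKnK9qqN8TXXSL4Nw="
)

MAGIC = b"Salted__"
AES_BLOCK = 16


def parse_salted_blob(b64_text: str) -> dict:
    """Split an OpenSSL-style passphrase container into its parts.

    Layout: 8-byte magic "Salted__" | 8-byte random salt | AES-CBC ciphertext.
    The parts are returned so a reviewer can see that the container carries
    no plaintext: only the salt and the ciphertext length are exposed.
    """
    raw = base64.b64decode(b64_text)
    if raw[:8] != MAGIC:
        raise ValueError("not an OpenSSL Salted__ container")
    salt = raw[8:16]
    ciphertext = raw[16:]
    if not ciphertext or len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    return {
        "salt_hex": salt.hex(),
        "ciphertext_len": len(ciphertext),
        "blocks": len(ciphertext) // AES_BLOCK,
    }


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """OpenSSL EVP_BytesToKey with MD5 and a single iteration.

    This is the key derivation that the Salted__ format normally implies
    (assumption: the wallet's JavaScript used it). One MD5 per candidate
    password is why the quality of the password carries the entire security
    of a leaked blob, which is the point made in the thread about clues and
    weak passwords.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def slow_kdf(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """A deliberate-cost alternative (PBKDF2-HMAC-SHA256) a browser wallet can
    run client-side: each guess now costs `iterations` HMAC evaluations instead
    of one MD5, which is the mitigation that complements a stronger password.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


if __name__ == "__main__":
    info = parse_salted_blob(LEAKED_BLOB)
    print("salt:", info["salt_hex"], "ciphertext bytes:", info["ciphertext_len"])
    key, iv = evp_bytes_to_key(b"example-password", bytes.fromhex(info["salt_hex"]))
    print("EVP_BytesToKey key/iv lengths:", len(key), len(iv))
```

Run as a script, the parser reports 64 bytes of ciphertext in 4 AES blocks for the quoted blob. Removing the clue field, as the thread describes, removes the hint; replacing the single-pass KDF with a slow one raises the cost of every guess against the blobs that already leaked nothing extra.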
dogisland
Sr. Member
****
Offline Offline

Activity: 262



View Profile
April 03, 2013, 03:25:32 PM
 #27

Looks like StrongCoin was a bit late to the party. 

We were around before Blockchain.info i.e. 2011 https://bitcointalk.org/index.php?topic=36169.0
dansmith
Full Member
***
Offline Offline

Activity: 202


View Profile
April 03, 2013, 03:40:15 PM
 #28

Thank you for explaining.
So, I guess that your web app has full access to all tables of your DB?

What do you think about creating a separate DB user for each wallet account. This way there will be no way a user could see other users' tables. Certainly, this will kill DB performance. But who cares about performance when money is at stake?

https://tlsnotary.org
Transferable webpage content notarization.
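The fix the thread discusses ("change the id in a URL and see another user's encrypted key") is an object-level authorization check; the per-wallet database user proposed above is one way to get isolation, and scoping every lookup to the authenticated owner is another that keeps a single database user. The Python below is an added example with constructed sample data, not StrongCoin's code: it shows the vulnerable lookup (row selected by URL id only) beside the hardened one (row selected by id and session owner), and a request handler that returns 404 rather than another user's row. Table and column names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the key store, with constructed sample rows.
    Each row holds only the client-side encrypted key; no clue column, matching
    the thread's statement that the clue field was removed.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE keys (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,"
        " encrypted_key TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO keys VALUES (?, ?, ?)",
        [
            (1, 100, "U2FsdGVkX1-constructed-blob-of-user-100"),
            (2, 200, "U2FsdGVkX1-constructed-blob-of-user-200"),
        ],
    )
    return db


def fetch_key_by_id(db: sqlite3.Connection, key_id: int):
    """Vulnerable pattern: the only input is the id taken from the URL, so any
    logged-in user receives whatever row carries that id.
    """
    row = db.execute("SELECT encrypted_key FROM keys WHERE id = ?", (key_id,)).fetchone()
    return row[0] if row else None


def fetch_key_for_owner(db: sqlite3.Connection, session_user_id: int, key_id: int):
    """Hardened pattern: the row must belong to the authenticated session user.
    A foreign id yields no row, indistinguishable from a non-existent id.
    """
    row = db.execute(
        "SELECT encrypted_key FROM keys WHERE id = ? AND owner_id = ?",
        (key_id, session_user_id),
    ).fetchone()
    return row[0] if row else None


def handle_key_request(db: sqlite3.Connection, session_user_id, url_key_id: int):
    """Request handler (hypothetical route GET /keys/<id>) returning (status, body).
    The session user comes from the server-side session, never from the URL.
    """
    if session_user_id is None:
        return 401, None
    blob = fetch_key_for_owner(db, session_user_id, url_key_id)
    if blob is None:
        return 404, None
    return 200, blob


if __name__ == "__main__":
    db = make_db()
    # User 100 tampers with the id in the URL to request user 200's key.
    print("vulnerable:", fetch_key_by_id(db, 2))
    print("hardened:  ", handle_key_request(db, 100, 2))
    print("own key:   ", handle_key_request(db, 100, 1))
```

The detection angle follows from the same query: a spike of 404s on the key route from one session, or requests for ids outside the session's own set, is the signal an id-tampering attempt leaves once the check is in place.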
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756



View Profile
April 03, 2013, 07:30:06 PM
 #29

There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P

Quote
19. Do you use Google Analytics ?
No. Making a BTC financials website and then slapping GA on it is really akin to going to a cancer survivor's survival party and bringing them chemo drugs as a gift. Yes, it's that insulting/thoughtless. Really. Yes, it does show that level of outright contempt for the user. Really.

Also GA does break Tor in many cases.

Will people read FAQs? Will people implement the better solutions as demonstrated? Etc.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
springy
Newbie
*
Offline Offline

Activity: 6


View Profile
April 03, 2013, 07:34:59 PM
 #30

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Agree, laziness and ego got in the way I think!
jonitas
Jr. Member
*
Offline Offline

Activity: 57


View Profile
April 04, 2013, 09:48:54 PM
 #31

And it doesn't charge a 1% fee.

Ok, so how do I get my money out without paying the 1% fee? I go to Blockchain.info -> import/export -> import -> import private key ? Will that transfer my wallet to blockchain and leave the wallet I already have in the same account alone?

Just checking because I don't want to overwrite any current balance I have.

I guess my password was strong enough because I still have all of my bitcoins that I hold at strongcoin. But due to the increased price of bitcoin I should definitely diversify into more wallets.

gjk
Newbie
*
Offline Offline

Activity: 1


View Profile
April 07, 2013, 10:44:25 AM
 #32

...I tried to send my money to other BTC addresses, but every time a warning named "undefined" occurred. What's wrong?

I also asked via mail, but I didn't get an answer yet (one week ago).
aussie_striker
Sr. Member
****
Offline Offline

Activity: 432


View Profile WWW
May 16, 2013, 10:32:40 AM
 #33

I changed my password after this happened and it stated around 4 years to break it. Today I looked at my account and there is a transaction that cleared out my whole account (5.48134 BTC) 4 days ago.
Needless to say I'm not happy about it.

I've looked at my strongcoin and also on Blockchain, not sure why but it shows a different address it went to or am I reading that wrong?

According to Strongcoin
From 1JE5dWuwo7z67VAAgzrfRUiNpvHsenhW5U
To   1PKSK8TyvQrCGjQbsbNVQNoo4ftcEiBUSk
   - 5.48134

On Blockchain it shows
1GKVf2b4QTV3TzBUWFzT5FQbmhKBPU861m 5.48134135 BTC

Not sure if it is due to the same problem or there is a new problem. I've changed passwords again but now have nothing.





vesperwillow
Hero Member
*****
Offline Offline

Activity: 616


View Profile
August 22, 2013, 02:06:47 PM
 #34

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Here's the most valuable question in this thread: Who's the babe in your profile pic??
