StrongCoin key leak.

[pelleb]

There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P

[jp]

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with your the user's password for that specific key. Even if someone could view another persons account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.

[dogisland]

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with your the user's password for that specific key. Even if someone could view another persons account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.

They could see the key, but it was still AES 256 encrypted. So they would see something like

U2FsdGVkX19ZvPGX+4T98zGnTjwKs1CmkzXpm8fEJjzuubAY/3wg1JoC6BcqiqR6
mKhdlqyLTeRHc59VfW9ebfwWOfOKnK9qqN8TXXSL4Nw=

So the issue here is that if a user had a low quality password and had given extra info in the clue field then there is a chance they have lost coins.

[dansmith]

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

[whiskers75]

For the record: blockchain.info/wallet stores your wallet locally and on their servers, encrypted at both places and only ever decrypted on your computer. Looks like StrongCoin was a bit late to the party. 
And it doesn't charge a 1% fee.
And you can do 'off-site backups' by email, Dropbox and Google Drive - yes, you can keep your wallet.
Blockchain.info wins!
(and it doesn't leak keys  )

[dogisland]

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

I mean a bitcoin private key encrypted in AES 256. The AES 256 encryption is performed on the client side (javascript) using a password the user supplies. I never see that password.

So basically in StrongCoin when a private key is created, it is create in the browser. The user supplies a password to the Javascript and then Javascript AES encrypts the private key before sending it to the server.

So we only have AES encrypted private keys and a clue field. The user could supply a clue to help them remember the password. Some users may have given too much information in the clue field.

The AES encrypted key (still protected) was leaked along with the clue field.

The clue field has now been removed from Strongcoin and a warning added to encourage users to create more secure passwords.

[dogisland]

Looks like StrongCoin was a bit late to the party. 

We were around before Blockchain.info i.e. 2011 https://bitcointalk.org/index.php?topic=36169.0

[dansmith]

Thank you for explaining.
So, I guess that your web app has full access to all tables of your DB?

What do you think about creating a separate DB user for each wallet account. This way there will be no way a user could see other users' tables. Certainly, this will kill DB performance. But who cares about performance when money is at stake?

[MPOE-PR]

There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P

19. Do you use Google Analytics ?
No. Making a BTC financials website and then slapping GA on it is really akin to going to a cancer survivor's survival party and bringing them chemo drugs as a gift. Yes, it's that insulting/thoughtless. Really. Yes, it does show that level of outright contempt for the user. Really.

Also GA does break Tor in many cases.

Will people read FAQs? Will people implement the better solutions as demonstrated? Etc.

[springy]

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Agree, laziness and ego got in the way I think!

[jonitas]

And it doesn't charge a 1% fee.

Ok, so how do I get my money out without paying the 1% fee? I go to Blockchain.info -> import/export -> import -> import private key ? Will that transfer my wallet to blockchain and leave the wallet I already have in the same account alone?

Just checking because I don´t want to overwrite any current balance I have.

I guess my password was strong enough because I still have all of my bitcoins that I hold at strongcoin. But due to the increased price of bitcoin I should definitely diversify into more wallets.

[gjk]

...I tried to send my money to other BTC-adresses, but everytime a warning namend "undefinded" occured. What's wrong? 

I also asked via mail, but I didnt get an answer yet (one week ago). 

[aussie_striker]

I changed my password after this happened and it stated around 4 years to break it. Today I looked at my account and there is a transaction that cleared out my whole account (5.48134 BTC) 4 days ago.
Needless to say I'm not happy about it.

I've looked at my strongcoin and also on bitchain, not sure why but it shows a different address it went to or am I reading that wrong?

According to Strongcoin
From 1JE5dWuwo7z67VAAgzrfRUiNpvHsenhW5U
To    1PKSK8TyvQrCGjQbsbNVQNoo4ftcEiBUSk
   - 5.48 134

On Blockchain it shows
1GKVf2b4QTV3TzBUWFzT5FQbmhKBPU861m 5.48134135 BTC

Not sure if it is due to the same problem or there is a new problem. I've changed passwords again but now have nothing.

[vesperwillow]

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Here's the most valuable question in this thread: Who's the babe in your profile pic??