Bitcoin Forum
Author Topic: If you used Brainwallet.org - MUST READ! - Security Breach!  (Read 52653 times)
mechs
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 06, 2013, 05:30:17 AM
 #1

I decided to mess around and make a brain wallet. I used the website www.brainwallet.org. Supposedly, this javascript is client side only. Anyway, I made a brain wallet and decided to test it. I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2". Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2

I am very security conscious and am certain my wallet file was not compromised. My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transferring any funds deposited to these compromised wallets to their own bitcoin addresses. DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP.

I am not complaining though, I only lost 0.178BTC - it could have been much worse.
mechs
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 06, 2013, 06:01:13 AM
 #2

I don't think you can download the script from the site.  Regardless, whether it is the website author or a hacker, the site is compromised.  I don't think it had anything to do with my wallet.dat password being compromised - it is a very long, secure password and I do not believe there are any trojans on my system.
jl2012
Legendary
*
Offline Offline

Activity: 1792
Merit: 1010


View Profile
July 06, 2013, 06:08:39 AM
 #3

Quote
I decided to mess around and make a brain wallet. I used the website www.brainwallet.org. Supposedly, this javascript is client side only. Anyway, I made a brain wallet and decided to test it. I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2". Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2

I am very security conscious and am certain my wallet file was not compromised. My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transferring any funds deposited to these compromised wallets to their own bitcoin addresses. DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP.

I am not complaining though, I only lost 0.178BTC - it could have been much worse.


Is your passphrase just too simple?

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1015


Ian Knowles - CIYAM Lead Developer


View Profile WWW
July 06, 2013, 06:08:54 AM
 #4

You can save the website for offline usage or better yet get it from github.

I use it from a computer with no internet access - and it works fine for generating the key pairs this way.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
giszmo
Legendary
*
Offline Offline

Activity: 1820
Merit: 1063


WalletScrutiny.com


View Profile WWW
July 06, 2013, 06:09:35 AM
 #5

/sub

I used Brainwallet for a friend half a year ago on an offline pc with the code from github. The money is still there. I wouldn't trust the version that happens to be on any website but for now I do trust github to not mess with repos. I wish there was some signing involved though. If a reputable dev would confirm to have seen nothing fishy about version [hash], I would pick up the changelog (if any) from there and decide if I use the signed version or the updated version. I picked the most recent version as it was old already, so I assumed it was reviewed by quite some people but I guess git's feature to mess with the history would allow to forge an old-looking head easily.

ɃɃWalletScrutiny.comIs your wallet secure?(Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
ɃɃ
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile
July 06, 2013, 06:15:46 AM
 #6

Quote
Is your passphrase just too simple?

Any passphrase you can memorize is almost too simple by definition.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1260
Merit: 1036

👻


View Profile
July 06, 2013, 06:31:51 AM
 #7

What passphrase did you use?

ireallylikecookies -> not ok
poweroutletsmmaybeeshockyuoifyuotuochit -> a lot better.
virtualmaster
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500



View Profile
July 06, 2013, 07:45:06 AM
 #8

How could a brainwallet be compromised?
We should exclude breaking known algorithms, because that would affect all kinds of wallets.

You have a javascript brainwallet like brainwallet.org or bitaddress.org or namecoinia.org.
1. It has a connection to the internet and is transmitting your private keys.
You can avoid this if you save the page on your computer and switch off the internet connection when you are generating the keypairs.
Alternatively you can do it in a virtualbox container which has no internet connection.
2. You are generating a random keypair, however it isn't random in reality, but follows a deterministic or stored pattern known to the brainwallet creator.
The source is known (javascript) but it is obfuscated and difficult to check. In this case it doesn't matter if you are offline or online.

Best if you generate a deterministic wallet with a passphrase which is random and long enough, but you choose it and your computer is offline.
In this case I cannot imagine how the brainwallet creator could know the private keys.

Of course there are other attack possibilities also, but they are not brainwallet specific.
If you downloaded from a phishing site, you have some trojans on your computer or you have written the passphrase on a paper and left it on the table in your bureau.

Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
Namecoinia.org  -  take the planet in your hands
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba   |  NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526
Merit: 1033


View Profile
July 06, 2013, 08:18:00 AM
 #9

The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.
J35st3r
Full Member
***
Offline Offline

Activity: 196
Merit: 100



View Profile
July 06, 2013, 09:01:10 AM
 #10

Brainwallet just uses this python code ...

import hashlib
privkey_hex = hashlib.sha256(keyphrase.encode("utf-8")).hexdigest()

(Not that actual code since it's from one of my scripts, but something similar). It's trivial to do your own version and avoid the web site entirely (then import the private key into the wallet of your choice). The slightly more tricky part is obtaining the WIF key and addresses, I posted a simple script here https://bitcointalk.org/index.php?topic=247178.msg2642261#msg2642261 but there are probably more professional versions elsewhere on this forum.

But as has been said earlier, if you don't understand what a script is doing, then don't use it.

1Jest66T6Jw1gSVpvYpYLXR6qgnch6QYU1 NumberOfTheBeast ... go on, give it a try Grin
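
The derivation described in the post above, carried through to the WIF step it calls the trickier part, as an added example that is not part of the original post or of Brainwallet's own code. The function names and the sample passphrase are this example's own (the passphrase is constructed); the point it shows is that the key is a pure, unsalted function of the passphrase, so anyone who can guess the phrase gets the same key.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(payload: bytes) -> str:
    """Append a 4-byte double-SHA-256 checksum and encode in Base58."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    num = int.from_bytes(data, "big")
    encoded = ""
    while num > 0:
        num, rem = divmod(num, 58)
        encoded = B58_ALPHABET[rem] + encoded
    # Base58 drops leading zero bytes, so each one is written as a literal "1".
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + encoded


def brainwallet_privkey(passphrase: str) -> bytes:
    """One unsalted SHA-256 pass: the passphrase is the only secret."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def to_wif(privkey: bytes, compressed: bool = False) -> str:
    """Wallet Import Format for a 32-byte mainnet private key."""
    if len(privkey) != 32:
        raise ValueError("private key must be 32 bytes")
    # 0x80 is the mainnet private-key version byte; a trailing 0x01 tells the
    # wallet to derive the compressed public key (and so a different address).
    payload = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return base58check(payload)


if __name__ == "__main__":
    phrase = "constructed example phrase, never fund this"  # constructed sample
    key = brainwallet_privkey(phrase)
    print("private key (hex):", key.hex())
    print("WIF, uncompressed:", to_wif(key))
    print("WIF, compressed:  ", to_wif(key, compressed=True))
```
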
stelmoi
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
July 06, 2013, 09:09:56 AM
 #11

Since the coins are already gone, please post what password you used for your brain wallet.    We can then confirm to you that it was a bad and easily hackable password.

Don't try to be funny and drop the wrong password, everyone will know immediately.
willphase
Hero Member
*****
Offline Offline

Activity: 768
Merit: 500


View Profile
July 06, 2013, 10:33:18 AM
 #12

Sounds like a weak passphrase to me.  We already know that people have created huge 'rainbow tables' of bitcoin addresses generated from SHA256 of weak passphrases, and they just sit watching the blockchain for any of them to come up and then siphon off the funds.  This is yet another reason why a 'brain wallet' is such a terribly bad idea for anyone to do.

Will

OutCast3k
Hero Member
*****
Offline Offline

Activity: 714
Merit: 575


View Profile WWW
July 06, 2013, 10:47:07 AM
 #13

Quote
Since the coins are already gone, please post what password you used for your brain wallet. We can then confirm to you that it was a bad and easily hackable password.

Don't try to be funny and drop the wrong password, everyone will know immediately.

+1, and it's not like he can use the address again...

coinb.in - Open Source, Multi Signature, HD Wallet and more! | Donate: 33tht1bKDgZVxb39MnZsWa8oxHXHvUYE4G
Abdussamad
Legendary
*
Offline Offline

Activity: 2940
Merit: 1357



View Profile
July 06, 2013, 10:56:31 AM
 #14

Quote
Sounds like a weak passphrase to me. We already know that people have created huge 'rainbow tables' of bitcoin addresses generated from SHA256 of weak passphrases, and they just sit watching the blockchain for any of them to come up and then siphon off the funds. This is yet another reason why a 'brain wallet' is such a terribly bad idea for anyone to do.

Will

A brain wallet when done right is perfectly fine. A deterministic wallet like electrum is like a brain wallet. 12 words that are the seed to all your bitcoin keys. Of course the entropy is greater than your typical brain wallet. 128 bits for electrum.
ThomasV
Legendary
*
Offline Offline

Activity: 1894
Merit: 1125



View Profile WWW
July 06, 2013, 11:00:56 AM
 #15

Electrum users are advised not to type their seed in brainwallet.org (or any other website).

Electrum: the convenience of a web wallet, without the risks
ymgve
Newbie
*
Offline Offline

Activity: 24
Merit: 0


View Profile
July 06, 2013, 01:54:18 PM
Last edit: July 06, 2013, 02:04:46 PM by ymgve
 #16

I did a small investigation some time ago to see how widespread the problem was, and these were the results:

 - Sent 0.001 BTC to an address generated with a password you will find in any top 10 common password list. Taken immediately.
 - Sent 0.001 BTC to an address generated with a six digit password. Taken immediately.
 - Sent 0.001 BTC to an address generated with the same six digit password as above, but with Point Conversion set to "Compressed". Untouched.
 - Sent 0.001 BTC to an address generated with an upper/lower/digit six character randomly generated password, normal Point Conversion. Untouched.

Someone is definitely out there grabbing things from weak-passworded wallets, but even a six-character random password thwarts them.


Edit:
Mechs, tell us which password you used. It's already compromised, so there should be no harm in revealing it.
If you can't reveal it because you use that password in multiple places then guess what - that's how they got your password in the first place - by stealing it from some other place you used it.
willphase
Hero Member
*****
Offline Offline

Activity: 768
Merit: 500


View Profile
July 06, 2013, 02:19:25 PM
 #17

Quote
If you can't reveal it because you use that password in multiple places then guess what - that's how they got your password in the first place - by stealing it from some other place you used it.

Indeed, it would make sense for an attacker to find as many compromised password lists as possible (hint: there was one for mtgox a while back) and use those as seeds as well.

Quote
A brain wallet when done right is perfectly fine.

Anything, done well, is perfectly fine!  The problem is that there are so many bad ways to do a brain wallet, for example:

 - picking a weak passphrase
 - forgetting your passphrase
 - not understanding Change addresses, and losing bitcoins

and it's so trivially easy to compromise a brain wallet with a bad passphrase, that it's probably better, for most users, to use an alternative form of key generation and storage.   I would never recommend a brain wallet to a new user, but I would recommend blockchain.info with OTP and a strong passphrase to a new user.

Will

DobZombie
Hero Member
*****
Offline Offline

Activity: 896
Merit: 532


Former curator of The Bitcoin Museum


View Profile
July 06, 2013, 02:31:21 PM
 #18

Quote
I decided to mess around and make a brain wallet. I used the website www.brainwallet.org. Supposedly, this javascript is client side only. Anyway, I made a brain wallet and decided to test it. I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2". Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2

I am very security conscious and am certain my wallet file was not compromised. My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transferring any funds deposited to these compromised wallets to their own bitcoin addresses. DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP.

I am not complaining though, I only lost 0.178BTC - it could have been much worse.


Tell us what pass phrase you used already!! Smiley

Tip Me if believe BTC1 will hit $1 Million by 2030
1DobZomBiE2gngvy6zDFKY5b76yvDbqRra
giszmo
Legendary
*
Offline Offline

Activity: 1820
Merit: 1063


WalletScrutiny.com


View Profile WWW
July 06, 2013, 02:39:45 PM
 #19

Quote
The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.

The owner of that site should at least warn that "correct horse battery staple" is a particularly bad password. The fact that barely any bitcoins flow through this one tells me that there is no significant amount of noobs using the site. With mass adoption I bet at least 1% of all users would be thankful for this "random" suggestion and go with it. Brainwallet instead should give the user feedback on how secure his key is, although this might make them feel safe where they shouldn't, it can tell them when they are not safe where they feel safe.
Else it should suggest to actually use it to use the github version and verify that the signature of these 4 persons confirms the version to not be tampered with.

Quote
How could a brainwallet be compromised?
We should exclude breaking known algorithms, because that would affect all kinds of wallets.

You have a javascript brainwallet like brainwallet.org or bitaddress.org or namecoinia.org.
1. It has a connection to the internet and is transmitting your private keys.
You can avoid this if you save the page on your computer and switch off the internet connection when you are generating the keypairs.
Alternatively you can do it in a virtualbox container which has no internet connection.
2. You are generating a random keypair, however it isn't random in reality, but follows a deterministic or stored pattern known to the brainwallet creator.
The source is known (javascript) but it is obfuscated and difficult to check. In this case it doesn't matter if you are offline or online.

Best if you generate a deterministic wallet with a passphrase which is random and long enough, but you choose it and your computer is offline.
In this case I cannot imagine how the brainwallet creator could know the private keys.

Of course there are other attack possibilities also, but they are not brainwallet specific.
If you downloaded from a phishing site, you have some trojans on your computer or you have written the passphrase on a paper and left it on the table in your bureau.

If the minimized/obfuscated code reduces the entropy by doing something like changing this
privkey_hex = sha256(keyphrase).hexdigest() to this:
privkey_hex = sha256("evilhackersalt" + sha256(keyphrase)[:3]).hexdigest()
you would get "totally random" keys with every change to your input, but the attacker would actually be the only one to know your private key in a trivial list of a million keys.

You would only notice this once you try to use your password on a non-poisoned brainwallet. Good luck finding your money if you didn't also backup your priv key, just in case this attacker needs time to swipe your money.

ɃɃWalletScrutiny.comIs your wallet secure?(Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
ɃɃ
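
A check for the tampering described in the post above, as an added example that is not part of the original post: it runs a derivation function over constructed test passphrases, compares each result with an independent plain SHA-256 reference, and counts keys that repeat across different passphrases. `poisoned_derive` models the post's pseudocode under the assumption that `[:3]` keeps three hex characters of the inner hash; all function names are this example's own.

```python
import hashlib


def reference_derive(passphrase: str) -> str:
    """Plain SHA-256 brainwallet derivation, as described in the thread."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def poisoned_derive(passphrase: str) -> str:
    """Model of the tampered derivation (assumption: 3 hex chars are kept)."""
    inner = hashlib.sha256(passphrase.encode("utf-8")).hexdigest()[:3]
    return hashlib.sha256(("evilhackersalt" + inner).encode("utf-8")).hexdigest()


def audit_derivation(derive, passphrases):
    """Run `derive` over test passphrases and report two warning signs:
    keys that differ from the reference, and keys shared by different inputs."""
    first_owner = {}
    mismatches = 0
    collisions = 0
    for phrase in passphrases:
        key = derive(phrase)
        if key != reference_derive(phrase):
            mismatches += 1
        if key in first_owner and first_owner[key] != phrase:
            collisions += 1  # a second passphrase produced an already-seen key
        first_owner.setdefault(key, phrase)
    return {
        "tested": len(passphrases),
        "mismatches": mismatches,
        "collisions": collisions,
        "distinct_keys": len(first_owner),
    }


# Constructed test inputs: 5000 distinct throwaway phrases. With only
# 16**3 = 4096 possible keys, the poisoned variant must repeat some.
SAMPLES = [f"constructed-test-phrase-{i}" for i in range(5000)]

if __name__ == "__main__":
    for name, fn in (("reference", reference_derive), ("poisoned", poisoned_derive)):
        print(name, audit_derivation(fn, SAMPLES))
```

A mismatch alone shows the tool is not doing what it claims; the collision count shows how small the real key space is, which a user would never notice from the output of a single passphrase.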
prof7bit
Hero Member
*****
Offline Offline

Activity: 938
Merit: 500


https://youengine.io/


View Profile WWW
July 06, 2013, 03:04:14 PM
 #20

Quote
My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys

No. You just used a weak passphrase. They have *huge* lists of keys already calculated in advance from all kinds of weak passphrases, they knew your passphrase (and with it the key) already long before you even had the idea to use a brain wallet. They are sitting somewhere with a huge list of such weak keys, permanently scanning the network for new transactions and waiting for your coins to arrive at one of their addresses.

Next time you should use a long computer generated random passphrase. Use a tool like pwgen that creates pronounceable random nonsense (not in any dictionary) words, so it's easy to remember but still completely random.
