Bitcoin Forum

Topic: Blockchain.info security [FUNDS STOLEN]  (Read 13678 times)
giantdragon (Hero Member, Activity: 1022)
August 19, 2013, 03:27:16 PM  #1

I used the Blockchain.info online wallet for small transactions on my Windows 7 64-bit PC, with a strong password kept in KeePass.
Today I noticed that about 1.8 BTC was stolen from one of the addresses (which I used for Anonymous Ads earnings), but funds from other addresses in this wallet were not affected.
This leads me to think that Blockchain.info or Firefox may have some weakness in the random number generator, like the vulnerability recently found in Android.

TXID with my funds gone: https://blockchain.info/tx/975412ecc21a0ad949deba3f47c6ac41e42fb7bd3f7eeb36cc071f151003d8c9


escrow.ms (Sr. Member, Activity: 364)
August 19, 2013, 03:37:08 PM  #2

https://bitcointalk.org/index.php?topic=271486.msg2907468#msg2907468

Same address. Are you sure that you never used the wallet on an Android phone?
I mean the same identifier etc.

giantdragon (Hero Member, Activity: 1022)
August 19, 2013, 03:40:05 PM  #3

> Same address. Are you sure that you never used the wallet on an Android phone?
> I mean the same identifier etc.

Never used it on Android. Only on Windows 7 and a few times on Linux Mint.

P.S. Does it mean that all Blockchain.info addresses are vulnerable and funds from them could be stolen at any time? Huh

gmaxwell (Staff, Hero Member, Activity: 1078)
August 19, 2013, 06:40:37 PM  #4

Were any of the keys imported / brainwallets / or vanity?
Mike Hearn (Hero Member, Activity: 1232)
August 19, 2013, 09:15:46 PM  #5

We need the tool that scans for re-used R values.

giantdragon (Hero Member, Activity: 1022)
August 19, 2013, 09:19:10 PM  #6

> Were any of the keys imported / brainwallets / or vanity?

No address was ever imported. All were generated in the browser (mostly Chrome, a few times Firefox).

Jesse James (Newbie, Activity: 22)
August 19, 2013, 11:14:12 PM  #7

Your transaction with the repeated signature R values is this one:

https://blockchain.info/tx/e05d98ee17d4610eb4e63cf27dd4e63f7128dc28187ae73588ca5562d9391bb8

Inputs 0 and 2 specifically.  If you can 100% confirm the exact client software / platform / browser that generated this transaction, that would be helpful.

The 'k' value was 0x7f561ff2d0a848480f575773dd8b72f17cabc9f202951d9c7392b331b0565f28

I have a tool that can find these things and solve for the private keys but it's a total kludge and I don't use it to snatch funds nor run it on a rolling basis.   However, at this point I'm thinking of augmenting it so that it snatches weak funds immediately so I can return funds to peeps who are able to prove ownership of the victim address by signing a message with a bunch of keys with a 1-degree relationship to that address.

... since the guy currently exploiting this at the moment https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj is just cleaning em up and I'm not holding out hope he has plans to return anything.
Luke-Jr (Hero Member, Activity: 1204)
August 19, 2013, 11:27:58 PM  #8

> However, at this point I'm thinking of augmenting it so that it snatches weak funds immediately so I can return funds to peeps who are able to prove ownership of the victim address by signing a message with a bunch of keys with a 1-degree relationship to that address.

I'd suggest just requiring the signature of the key itself, plus verifying a name/address.
Then share the name/address with others signing for it and let the legit party sue the fraudulent claimee(s) in court. Smiley

smolen (Sr. Member, Activity: 252)
August 19, 2013, 11:59:35 PM  #9

> I'm thinking of augmenting it so that it snatches weak funds immediately

The legal risk is too high.
On the other hand, I thought about writing and releasing such a scanner without touching funds myself and letting people catch and sue each other. I see every bitcoin-related court case as a good thing that makes adoption of Bitcoin by business easier.

gmaxwell (Staff, Hero Member, Activity: 1078)
August 20, 2013, 12:11:06 AM  #10

FWIW, my logs show someone was complaining at one point a while back that their new wallet under Chrome had someone else's coin in it. They dropped out before I could extract useful information from them. May be related.

One thing that has long really frightened me about all these webwallets is that if they fail to read from the secure rng they just use some snake oil "randomness" (the mouse position) that has practically no entropy.
Jesse James (Newbie, Activity: 22)
August 20, 2013, 12:22:16 AM  #11

> > I'm thinking of augmenting it so that it snatches weak funds immediately
>
> The legal risk is too high.
> On the other hand, I thought about writing and releasing such a scanner without touching funds myself and letting people catch and sue each other. I see every bitcoin-related court case as a good thing that makes adoption of Bitcoin by business easier.

There's only one address implicated in all the recent thefts so I'm not sure how useful releasing a scanner would be ... other than increasing competition for snatching funds from weak addresses.

Although your first point brings up a larger legal question ... if someone makes their private key public (intentionally or non-intentionally) ... under what conditions (if any) and under what legal theory could a 3rd party be liable for signing with it?  Any lawyers out there?
millsdmb (Full Member, Activity: 182)
August 20, 2013, 12:36:37 AM  #12

Another blockchain.info wallet loss here: https://bitcointalk.org/index.php?topic=277601.0

smolen (Sr. Member, Activity: 252)
August 20, 2013, 12:44:21 AM  #13

> There's only one address implicated in all the recent thefts so I'm not sure how useful releasing a scanner would be ... other than increasing competition for snatching funds from weak addresses.

I'm eager to refresh my math skills and play with modern cryptography a bit. Looks like RNGs are a good target to try bit diffusion methods. But if such an attempt succeeds, touching any weak address myself would be both unethical and legally risky. And by publishing research results I'll shift all such problems to someone else Smiley

> Although your first point brings up a larger legal question ... if someone makes their private key public (intentionally or non-intentionally) ... under what conditions (if any) and under what legal theory could a 3rd party be liable for signing with it?  Any lawyers out there?

The only way I can see under Russian Federation laws to get to such a third party is deriving the private key from something protected by copyright. OK, IANAL and that's offtopic here.

giantdragon (Hero Member, Activity: 1022)
August 20, 2013, 12:44:26 AM  #14

> If you can 100% confirm the exact client software / platform / browser that generated this transaction, that would be helpful.

I created this address in April 2013 with Google Chrome on Windows 7 64-bit.

P.S. This hacker stole 0.02 BTC again from the same address right after I received earnings from Anonymous Ads!
https://blockchain.info/tx/edf891400feba38339738910aeb40545a77e7c69ad9ff58ab208999df3d6db4f

giantdragon (Hero Member, Activity: 1022)
August 20, 2013, 12:49:12 AM  #15

> The only way I can see under Russian Federation laws to get to such a third party is deriving the private key from something protected by copyright. OK, IANAL and that's offtopic here.

According to the Russian criminal code it seems to be fraud (article 159 applies to any property, not only fiat money).

gmaxwell (Staff, Hero Member, Activity: 1078)
August 20, 2013, 12:52:43 AM  #16

> I created this address in April 2013 with Google Chrome on Windows 7 64-bit.

We need to know what system created the transactions that were linked above as reusing R values.

Though the sudden reports suggest to me that this was a product of recent bc.i code changes, not the browsers.
giantdragon (Hero Member, Activity: 1022)
August 20, 2013, 12:58:19 AM  #17

> We need to know what system created the transactions that were linked above as reusing R values.

Do you mean that we need to know what the hacker's system was?

smolen (Sr. Member, Activity: 252)
August 20, 2013, 01:03:37 AM  #18

> > The only way I can see under Russian Federation laws to get to such a third party is deriving the private key from something protected by copyright. OK, IANAL and that's offtopic here.
>
> According to the Russian criminal code it seems to be fraud (article 159 applies to any property, not only fiat money).

It would rather be article 158 or the freshly minted 159.6. But Bitcoin should pass the tests defined in article 128 of the Civil Code first. When (and if) it is deemed some kind of property, the advances in the art of tax planning will be astounding!

giantdragon (Hero Member, Activity: 1022)
August 20, 2013, 01:11:36 AM  #19

> It would rather be article 158 or the freshly minted 159.6. But Bitcoin should pass the tests defined in article 128 of the Civil Code first. When (and if) it is deemed some kind of property, the advances in the art of tax planning will be astounding!

In Russia class-action lawsuits are impossible, but individual litigation is too time-consuming and just not worth it.

Jesse James (Newbie, Activity: 22)
August 20, 2013, 01:25:07 AM  #20

Holy shit ... I just re-examined my research on all repeated R-values in signatures made in July/Aug.

I now suspect blockchain.info was responsible for all of these R repeats except the last .... (note this data is through today - block 253081).

The more serious of the two Android SecureRandom bugs, as detailed by the commenter Nikolay Elenkov, could only cause repeated R's across application invocations (and not in the same transaction), thus one would expect to see an R repeat from an Android client spaced in time (across transactions) and not relayed directly through blockchain.info. This fits the pattern of the last example.

All the other R repeats happen within the same transaction and the transactions are relayed directly through blockchain.info. Being relayed directly through blockchain.info means it was likely submitted by their wallet (or less likely but also possible ... another wallet that uses their API).

Edit 1: Updated research to include repeats from recent blocks.