Bitcoin Forum
April 26, 2019, 11:01:44 AM *
News: Latest Bitcoin Core release: 0.17.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 4 »  All
  Print  
Author Topic: Blockchain.info security [FUNDS STOLEN]  (Read 27572 times)
NewLiberty
Legendary
*
Offline Offline

Activity: 1204
Merit: 1001


Gresham's Lawyer


View Profile WWW
August 20, 2013, 01:31:45 AM
 #21

I'm thinking of augmenting it so that it snatches weak funds immediately
The legal risk is too high.
On the other hand, I thought about writing and releasing such scanner without touching funds myself and letting people to catch and sue each other. I see every bitcoin-related court case as a good thing that make adoption of Bitcoin by business easier.

There's only one address implicated in all the recent thefts so I'm not sure how useful releasing a scanner would be ... other than increasing competition for snatching funds from weak addresses.

Although your first point brings up a larger legal question ... if someone makes their private key public (intentionally or non-intentionally) ... under what conditions (if any) and under what legal theory could a 3rd party be liable for signing with it?  Any lawyers out there?


In the USA?
You have a civil claim of course.  And for criminal, Wire Fraud.  If interstate or international, Federal rules apply:
http://www.law.cornell.edu/uscode/text/18/1343

FREE MONEY1 Bitcoin for Silver and Gold NewLibertyDollar.com and now BITCOIN SPECIE (silver 1 ozt) shows value by QR
Bulk premiums as low as .0012 BTC "BETTER, MORE COLLECTIBLE, AND CHEAPER THAN SILVER EAGLES" 1Free of Government
1556276504
Hero Member
*
Offline Offline

Posts: 1556276504

View Profile Personal Message (Offline)

Ignore
1556276504
Reply with quote  #2

1556276504
Report to moderator
1556276504
Hero Member
*
Offline Offline

Posts: 1556276504

View Profile Personal Message (Offline)

Ignore
1556276504
Reply with quote  #2

1556276504
Report to moderator
1556276504
Hero Member
*
Offline Offline

Posts: 1556276504

View Profile Personal Message (Offline)

Ignore
1556276504
Reply with quote  #2

1556276504
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1556276504
Hero Member
*
Offline Offline

Posts: 1556276504

View Profile Personal Message (Offline)

Ignore
1556276504
Reply with quote  #2

1556276504
Report to moderator
1556276504
Hero Member
*
Offline Offline

Posts: 1556276504

View Profile Personal Message (Offline)

Ignore
1556276504
Reply with quote  #2

1556276504
Report to moderator
Jesse James
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
August 20, 2013, 07:17:40 AM
Last edit: August 20, 2013, 08:29:10 AM by Jesse James
 #22

After reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526
Merit: 1008


View Profile
August 20, 2013, 09:25:55 AM
 #23

My understanding is that b.i uses the "web crypto" APIs when available, and they should be more or less a direct path through to the platform crypto RNG.

However if the browser does not support those APIs then it basically just invents its own RNG. I recall bringing this issue up before, a long time ago, but I don't remember what became of it.
VTC
Member
**
Offline Offline

Activity: 76
Merit: 14



View Profile
August 20, 2013, 09:47:31 AM
 #24

After reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.

Do you advise to meanwhile sweep funds to a fresh new address with blockchain wallet?  Is the blockchain wallet safe to make transactions with manual key rotation?
Jesse James
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
August 20, 2013, 10:16:12 AM
 #25

After reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.

Do you advise to meanwhile sweep funds to a fresh new address with blockchain wallet?  Is the blockchain wallet safe to make transactions with manual key rotation?

If you are feeling careful, IMHO it would be wise to move to a non-javascript wallet for the time being ... and when you move, do it with a single transaction ... that way even if your signature(s) expose the private key you're moving from, they'll be nothing there left to spend.
gmaxwell
Staff
Legendary
*
Online Online

Activity: 2716
Merit: 2156



View Profile
August 20, 2013, 10:21:48 AM
 #26

Careful with that "move all at once". If your move transaction reveals your private key it may be the case that people are attacking in realtime now and might beat you w/ a double spend.

I would prefer to move the keys into something that doesn't have known DSA nonce concerns and send that movement transaction from there, if at all possible.
piuk
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1001



View Profile WWW
August 20, 2013, 11:11:40 AM
 #27

Jesse James has informed me of a problem with the rng used by blockchain.info javascript clients being poorly seeded when initialised in a background webworker task. In some browsers this could lead to duplicate R values being used when signing transactions (Firefox is likely to be particularly vulnerable). This issue effects the transaction signing code only, not the generation of private keys.

Patches have now been deployed, Please ensure you upgrade to the latest version of your Blockchain.info client.

Chrome extension - v2.85
Fixefox extension - v1.97
Mac client - v0.11

Users of the web interface should clear their browsers cache before next login.

Only a handful of addresses are known to be affected thus far. Likely if you have been affected by this problem your coins will have been taken already. All affected users will be refunded in full, please PM me or email help@blockchain.info.

TradeFortress 🏕
VIP
Legendary
*
Offline Offline

Activity: 1134
Merit: 1023


View Profile
August 20, 2013, 11:22:35 AM
 #28

Nice speedy fix Smiley

Could you push out the source code changes to https://github.com/blockchain/My-Wallet-Chrome-Extension ? It hasn't been updated for 3 months.
Gaff
Hero Member
*****
Offline Offline

Activity: 868
Merit: 502



View Profile
August 20, 2013, 01:01:56 PM
 #29

Is it possible for a bitcoin wallet to scan all previous transactions to check that the r value isn't being reused before broadcasting the new transaction? I appreiciate it might be expensive to calculate if you have a lot of transactions in your wallet O(n^2)? but for most wallets that's a small enough number I'd have thought?

           ▄▄████▄▄
      ▄▄███▀    ▀███▄▄
   ▄████████▄▄▄▄████████▄
  ▀██████████████████████▀
▐█▄▄ ▀▀████▀    ▀████▀▀ ▄▄██
▐█████▄▄ ▀██▄▄▄▄██▀ ▄▄██▀  █
▐██ ▀████▄▄ ▀██▀ ▄▄████  ▄██
▐██  ███████▄  ▄████████████
▐██  █▌▐█ ▀██  ██████▀  ████
▐██  █▌▐█  ██  █████  ▄█████
 ███▄ ▌▐█  ██  ████████████▀
  ▀▀████▄ ▄██  ██▀  ████▀▀
      ▀▀█████  █  ▄██▀▀
         ▀▀██  ██▀▀
.
.WINDICE.
.


      ▄████████▀
     ▄████████
    ▄███████▀
   ▄███████▀
  ▄█████████████
 ▄████████████▀
▄███████████▀
     █████▀
    ████▀
   ████
  ███▀
 ██▀
█▀
.


     ▄▄█████▄   ▄▄▄▄
    ██████████▄███████▄
  ▄████████████████████▌
 ████████████████████████
▐████████████████████████▌
 ▀██████████████████████▀
     ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
     ▄█     ▄█     ▄█
   ▄██▌   ▄██▌   ▄██▌
   ▀▀▀    ▀▀▀    ▀▀▀
       ▄█     ▄█
     ▄██▌   ▄██▌
     ▀▀▀    ▀▀▀
.


                   ▄█▄
                 ▄█████▄
                █████████▄
       ▄       ██ ████████▌
     ▄███▄    ▐█▌▐█████████
   ▄███████▄   ██ ▀███████▀
 ▄███████████▄  ▀██▄▄████▀
▐█ ▄███████████    ▀▀▀▀
█ █████████████▌      ▄
█▄▀████████████▌    ▄███▄
▐█▄▀███████████    ▐█▐███▌
 ▀██▄▄▀▀█████▀      ▀█▄█▀
   ▀▀▀███▀▀▀
.


.


.
iOPlay NowOi
.


.



.
.
Follow Us
▀▀▀▀▀▀▀▀▀▀▀▀
lenny_
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000


DARKNETMARKETS.COM


View Profile WWW
August 20, 2013, 01:14:28 PM
 #30

I've been using blockchain.info wallet directly in my Firefox, without installing any browser extension. Am I vulnerable to this bug?

DARKNET MARKETS >> https://DARKNETMARKETS.COM
Mushoz
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Bitbuy


View Profile WWW
August 20, 2013, 03:06:51 PM
 #31

I've been using blockchain.info wallet directly in my Firefox, without installing any browser extension. Am I vulnerable to this bug?

You are vulnerable, yes. But since no funds were stolen from you (I presume?), the bug luckily wasn't triggered (it didn't use the same R value twice) as it seems some people are actively scanning the blockchain and stealing whenever the bug happens. The bug is already fixed according to Piuk. Just clear your browser cache and you should be safe again.

www.bitbuy.nl - Koop eenvoudig, snel en goedkoop bitcoins bij Bitbuy!
BurtW
Legendary
*
Offline Offline

Activity: 2422
Merit: 1033

All paid signature campaigns should be banned.


View Profile WWW
August 20, 2013, 03:11:26 PM
 #32

Can someone please run the script on these two addresses and determine if this theft was caused by the bad signatures and comment in this thread:

https://bitcointalk.org/index.php?topic=277601.0

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
Marko Schmid
Newbie
*
Offline Offline

Activity: 8
Merit: 0



View Profile
August 20, 2013, 03:14:08 PM
 #33

Patches have now been deployed, Please ensure you upgrade to the latest version of your Blockchain.info client.

Chrome extension - v2.85
Fixefox extension - v1.97
Mac client - v0.11

Here's how to manually force the update in Chrome.

1. Go to "chrome://extensions"
2. Select "developer mode"
3. Click "update extensions now"
BurtW
Legendary
*
Offline Offline

Activity: 2422
Merit: 1033

All paid signature campaigns should be banned.


View Profile WWW
August 20, 2013, 03:25:26 PM
 #34

However, at this point I'm thinking of augmenting it so that it snatches weak funds immediately so I can return funds to peeps who are able to prove ownership of the victim address by signing a message with a bunch of keys with a 1-degree relationship to that address.
I believe that if you can prove that change was sent to the address in a transaction from an address you can prove ownership to (by signing a message) then that should good enough.  However, this obviously does not work if no change was ever sent to the address in question.

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
guitarplinker
Legendary
*
Offline Offline

Activity: 1582
Merit: 1000



View Profile WWW
August 20, 2013, 03:38:46 PM
 #35

I have a few questions:
1. I've only used Google Chrome with my blockchain wallet, and haven't installed the blockchain extensions, only used the website. I've also cleared my cache just a minute ago, am I vulnerable?
2. Were paper wallets at risk with this? Like, just an imported public address, with no private key.
3.) After clearing my cache, is there anything else I should do to make sure I'm secure?
Jouke
Sr. Member
****
Offline Offline

Activity: 427
Merit: 250



View Profile WWW
August 20, 2013, 03:40:36 PM
 #36

Can someone please run the script on these two addresses and determine if this theft was caused by the bad signatures and comment in this thread:

https://bitcointalk.org/index.php?topic=277601.0

afaik these addresses were not compromised by non-random numbers. But my script is not really sophisticated, so I might be wrong.

Koop en verkoop snel en veilig bitcoins via iDeal op Bitonic.nl
dc81
Member
**
Offline Offline

Activity: 109
Merit: 100


View Profile
August 20, 2013, 04:25:42 PM
 #37

Nice speedy fix Smiley

Could you push out the source code changes to https://github.com/blockchain/My-Wallet-Chrome-Extension ? It hasn't been updated for 3 months.

looks like the commit has been pushed now - https://github.com/blockchain/My-Wallet-Chrome-Extension/commit/a1fbd4a5ac14a188f1dc1144397446fb6ec6cdbf

nubbins
Legendary
*
Offline Offline

Activity: 1386
Merit: 1000



View Profile
August 20, 2013, 04:25:54 PM
 #38

All affected users will be refunded in full, please PM me or email help@blockchain.info.

Customer service win!

No longer buying/selling Casascius coins. Beware scammers.
My OTC Web of Trust ratings / What's a PGP chain of custody?
kyledrake
Newbie
*
Offline Offline

Activity: 7
Merit: 0



View Profile WWW
August 20, 2013, 04:37:17 PM
 #39

Jesse James has informed me of a problem with the rng used by blockchain.info javascript clients being poorly seeded when initialised in a background webworker task. In some browsers this could lead to duplicate R values being used when signing transactions (Firefox is likely to be particularly vulnerable). This issue effects the transaction signing code only, not the generation of private keys.

Was this an issue related to a problem with window.crypto.getRandomValues when webworkers are used? If so, please inform so that I can make Firefox aware of the problem.

I am working on Coinpunk, which is (like blockchain.info) using bitcoinjs-lib as a sort-of ancestor of the current code base. After the Android vulnerability was disclosed, I started looking at the existing RNG code and I was not impressed: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/jsbn/rng.js

You can see where the RNG gets fed in here: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js#L237

I wanted to split the RNG code out into something that would use the best-available approach for its platform, so I put this together, which is the current development version, and has tests you can run in the browser: https://github.com/kyledrake/randjs.

I would really appreciate an audit and feedback on this code, as I intend to eventually use this in production. My e-mail is kyledrake@gmail.com if you want to IM/email me directly. Thanks!
Jesse James
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
August 20, 2013, 06:11:39 PM
 #40

Was this an issue related to a problem with window.crypto.getRandomValues when webworkers are used? If so, please inform so that I can make Firefox aware of the problem.

window.crypto.getRandomValues is not available in webworkers because the window object doesn't exist in webworkers (by design).


I am working on Coinpunk, which is (like blockchain.info) using bitcoinjs-lib as a sort-of ancestor of the current code base. After the Android vulnerability was disclosed, I started looking at the existing RNG code and I was not impressed: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/jsbn/rng.js

You can see where the RNG gets fed in here: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js#L237

I wanted to split the RNG code out into something that would use the best-available approach for its platform, so I put this together, which is the current development version, and has tests you can run in the browser: https://github.com/kyledrake/randjs.

I would really appreciate an audit and feedback on this code, as I intend to eventually use this in production. My e-mail is kyledrake@gmail.com if you want to IM/email me directly. Thanks!
IMHO, it's worth looking at puik's modifications to bitcoinjs-lib that he's maintaining in his branch ... he's made fixes to the RNG in particular.

Honestly, if I were doing JS crypto my approach would be to just mainline randomness directly from window.crypto.getRandomValues and bail if it's not available.  If you need randomness from the context of a webworker, you have no choice but to message pass it into the worker from the foreground.

I don't have time at the moment to do a comprehensive audit, sorry Sad   ... but javascript honestly isn't really my bag baby so I'm not sure I would be the best person to look at it.
Pages: « 1 [2] 3 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!