Bitcoin wallets hacked

Gotta love having a decentralized currency and a centralized exchange/wallet!!! lol!

http://www.theguardian.com/technology/2015/jun/01/bitcoin-app-critical-update-bug-crypto-breakdown

"The flaw apparently came about through a series of bad development choices which all failed in the worst way possible. Bitcoin wallets are typically created by randomly generating a public address and a related private key. As a result, it is important for address and key to be truly random, or else it may be possible to guess the private key by looking at the public address.

To that end, Blockchain used two sources of random numbers, in what ought to have been a belt-and-braces approach: it pulled a random number from the Android operating system’s built-in random number generator, and then connected to online service Random.org to get a second random number, which it combined with the first.

Unfortunately, on some Android phones (reportedly including devices from the Sony Xperia range), the built-in random number generator failed to report back to the blockchain app. Normally, this should have been survivable, because the app used a second source of random numbers.

But on 4 January, Random.org strengthened the security of its website, requiring all visits to be made over an encrypted connection. The blockchain app, however, continued to access the site through an unencrypted connection. So rather than getting a random number, as expected, it got an error code telling it that the site had moved.

It then used that error code as the random number, every single time."

7 Likes

Its not centralised exchange/wallet (from the quote anyway), but a really dumb (unaudited) piece of coding in the most critical part of the app. That this happened to blockchain.com shows the importance of open source in anything to do with security and trust. These guys cannot be trusted to write a “hello world” program.

5 Likes

That’s awesome, kinda bad though that random.org decided to let its API return a non-random value. It’s not like they didn’t know the possible implication of that, or if they didn’t know, that’s not reassuring either.

1 Like