
Blockchain.info wallet users have funds stolen; service patched the bug and assures it will refund everyone


Following the discovery of a new bug in a Bitcoin wallet, this time Blockchain.info's, about 50 BTC have been stolen since Monday (19). However, the service has already announced that it will refund all users affected by the flaw.

The popular Blockchain website primarily provides market data and serves as the main block chain explorer for Bitcoin, but users can also create a crypto wallet on it. The first sign of problems with the service appeared a couple of days ago, when the Bitcointalk.org user giantdragon posted this concerned message on the forum:

I used Blockchain.info online wallet for small transactions on my Windows 7 64-bit PC with a strong password kept in KeePass.

Today I noticed that about 1.8 BTC was stolen from one of the addresses (which is used for Anonymous Ads earnings), but funds from other addresses in this wallet were not affected.

This leads me to think that Blockchain.info or Firefox may have some weakness in the random number generator, like the vulnerability that was recently found in Android.

Questioned about the possibility of a connection to the recent security vulnerability that affected the Android-based wallets, the user denied any link, so the problem had to be elsewhere.

After a short investigation, Blockchain.info discovered that the bug lay in the random number generator that the web wallet was using to sign each Bitcoin transaction. As in the previous case, where the problem was Java's SecureRandom generator, the flaw was in random number generation, this time in the numbers produced by web browsers through JavaScript. This was giantdragon's first guess, since the funds at other addresses in the same wallet were not affected at the time.

However, unlike the Android-related bug, this new flaw only affected the signing of transactions, not the creation of private keys. The confirmation came from Blockchain's Ben Reeves, known online as Piuk, who posted on the Bitcointalk.org forum.
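An added example (not code from Blockchain.info or from the original article): a Node.js audit a wallet owner could run over the signatures of their own spending transactions. In ECDSA the r value depends only on the per-signature random nonce, so a signing random number generator that repeats its output shows up as two signatures from the same key sharing r. The record layout, function names and shortened sample signatures are constructed for illustration.

```javascript
// Added example, not Blockchain.info code. Sample data below is constructed.
// Parse a DER ECDSA signature (optionally followed by the 1-byte sighash flag
// used in Bitcoin scripts); return r and s as hex without DER zero padding.
function parseDerSignature(hex) {
  const buf = Buffer.from(hex, 'hex');
  if (buf.length < 8 || buf[0] !== 0x30) throw new Error('not a DER sequence');
  const end = 2 + buf[1];                       // short-form length only
  if (buf[1] & 0x80 || end > buf.length) throw new Error('bad sequence length');
  let off = 2;
  const readInt = () => {
    const len = buf[off + 1], start = off + 2;
    if (buf[off] !== 0x02 || !len || start + len > end) throw new Error('bad INTEGER');
    off = start + len;
    return buf.subarray(start, off).toString('hex').replace(/^(00)+(?=.)/, '');
  };
  const r = readInt(), s = readInt();
  if (off !== end) throw new Error('trailing bytes in sequence');
  return { r, s };
}

// Group signatures by (pubkey, r). The same r with two different s values means
// the signer used the same nonce for two different messages.
function findReusedR(records) {
  const groups = new Map(), skipped = [];
  for (const rec of records) {
    let sig;
    try { sig = parseDerSignature(rec.sig); }
    catch (e) { skipped.push({ txid: rec.txid, reason: e.message }); continue; }
    const key = `${rec.pubkey}:${sig.r}`;
    if (!groups.has(key)) groups.set(key, { pubkey: rec.pubkey, r: sig.r, bySig: new Map() });
    groups.get(key).bySig.set(sig.s, rec.txid);
  }
  const findings = [...groups.values()].filter(g => g.bySig.size > 1)
    .map(g => ({ pubkey: g.pubkey, r: g.r, txids: [...g.bySig.values()] }));
  return { findings, skipped };
}

// Constructed records: 4-byte integers stand in for real 32-byte r and s values.
const SAMPLE = [
  { txid: 'tx1', pubkey: 'key-A', sig: '300d0205009a2b3c4d02040a0b0c0d01' },
  { txid: 'tx2', pubkey: 'key-A', sig: '300d0205009a2b3c4d02041112131401' },
  { txid: 'tx3', pubkey: 'key-A', sig: '300c02041a2b3c4d02042122232401' },
  { txid: 'tx4', pubkey: 'key-B', sig: '3044' },            // truncated, skipped
];
console.log(JSON.stringify(findReusedR(SAMPLE), null, 2));
```

A key that appears in `findings` should be treated as exposed: move any remaining funds to an address generated by a patched client and stop using the old one.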

“Only a handful of addresses are known to be affected thus far. Likely if you have been affected by this problem your coins will have been taken already. All affected users will be refunded in full”, he wrote this Tuesday (20). After patching the bug, Piuk asked users to “upgrade to the latest version of your Blockchain.info client”: Chrome extension v2.85, Firefox extension v1.97 or Mac client v0.11. Victims who only use the web wallet should also clear their browser cache before using the Blockchain website again.

Speaking with Coindesk, Reeves reaffirmed Blockchain.info’s intention: “if someone thinks they have had funds stolen, if it is due to this bug it is very likely the coins will have been sent to the above address. If in doubt they can contact [email protected] and I will investigate further. Only a couple of BTC have been refunded so far”.

Maria is an experienced journalist currently living in the UK. She has been writing about Bitcoin and the altcoin universe since 2013. She is also a member of the Lifeboat Foundation's New Money Systems Board and a big cryptocurrency supporter.

View all Posts by Maria Santos
