With our focus on maximizing the security of Counterwallet, we now have two experts (a bitcoinjs-lib expert and a web application security expert) in the process of reviewing the codebase.
What Happened
Due in part to this process, we have been notified of a security bug in bitcoinjs-lib (the Bitcoin JavaScript library Counterwallet uses) that was internally disclosed to us by the bitcoinjs-lib team yesterday evening. We worked with them on applying a fix, which was made live late last night, and this security notice was drafted pending confirmation from the team. However, it appears the bug has already been exploited in the wild to take BTC.
A list of the affected addresses is available here: https://blockchain.info/tx/474cce51a9c4b265d4da0257acb21a554563fd41200970996e2b8914dc6f1d68
(If you were a Counterwallet user who was affected and your address is NOT on this list, please email [email protected] to let us know.)
Who is affected?
This bug affected the new counterwallet.co wallet (old.counterwallet.co seems to be unaffected, and counterpartyd users / BootleXCP users are NOT affected). Also, the bug only affects addresses from which two or more transactions have been made, and even then it affects only that address. At this point, it appears only BTC was taken, from a subset of Counterwallet users.
What do I do?
To be safe, we want ALL users with a wallet created on counterwallet.co to immediately go through the following procedure:
1. Log into your existing wallet account
2. Retrieve and copy down the private key for each address in your wallet (for each address, click on Address Actions, then Show Private Key, and copy that down)
3. Log out of the site, and then click Create New Wallet, and then log in with that new passphrase
4. Utilize the Import Funds feature to move the assets over.
Alternatively (if you have problems with the sweep), you can create the new wallet, then log into the old wallet and manually send the funds over. Please send over ALL funds, including XCP and other Counterparty assets.
I lost BTC. Can I get it back?
EDIT: After creating your new wallet and transferring the funds over, send an email to [email protected] including:
- a new address to which to send the reimbursed BTC funds
- the passphrase of the compromised wallet (i.e. the one with the address from which the funds were stolen). Please only send this passphrase after you have moved all of the funds out of this wallet. Unfortunately, we need this passphrase to prove that you are the actual owner of the address: signing a message from the compromised address is not enough here, as the hacker could do that as well.
Please keep in mind that the Counterparty team will never ask for the passphrase of a wallet which holds funds.
Thanks, guys, for working with us to get Counterwallet (and bitcoinjs-lib) through this beta period. We remain committed to the security of the web wallet, and will continue to make improvements on this front and work with our partners to do so.
Note that this bug was not a problem with the Counterparty Protocol or with counterpartyd, which were previously audited by Sergio Lerner. This bug was very similar to the Android wallet one from a while back, and was in bitcoinjs-lib and Counterwallet, which (as stated above) are being audited right now.
Please publish an address for donations so that we could help out with damage recovery.