
Topic: blockchain.info help (Read 1503 times)

legendary
Activity: 3472
Merit: 4801
January 07, 2015, 06:45:18 PM
#22
Well, it seems that this situation is going to be resolved soon. Wink
They will certainly secure their site from this flaw and avoid a repeat of this incident again in the future. Smiley

Right, because if there's one thing human beings are very good at, it's avoiding making the same mistake more than once.
hero member
Activity: 534
Merit: 500
January 07, 2015, 06:20:17 PM
#21
Well, it seems that this situation is going to be resolved soon. Wink
They will certainly secure their site from this flaw and avoid a repeat of this incident again in the future. Smiley
legendary
Activity: 3472
Merit: 4801
January 07, 2015, 01:28:35 AM
#20
- snip -
However, since I use a strong password + 2-factor login authentication at blockchain in addition to having 2-factor login authentication on my e-mail account, I think that I shouldn't have anything to worry about.
- snip -

Every time you send a bitcoin transaction from your blockchain.info wallet, the blockchain.info software needs to use a private key to sign that transaction.  If they re-use an R value that they used on a previous transaction, and you are re-using the same bitcoin address in your blockchain.info wallet for multiple transactions, then attackers that monitor the bitcoin network will be able to compute the private key.  They won't need your "strong" password, and they won't need your 2-factor login.  The hacker can simply create and broadcast a transaction that empties your wallet.



Should such an event take place, shouldn't Blockchain.info be held liable?
After all, it's their system that would have caused the screw-up!

Liability doesn't get you your money back if they don't have anything left to pay you with (just ask MtGox about that).

Liability also often doesn't help you much if the business you are "holding liable" is based in a country that doesn't cooperate with your desire to get your money back.

hero member
Activity: 534
Merit: 500
January 07, 2015, 01:18:58 AM
#19
- snip -
However, since I use a strong password + 2-factor login authentication at blockchain in addition to having 2-factor login authentication on my e-mail account, I think that I shouldn't have anything to worry about.
- snip -

Every time you send a bitcoin transaction from your blockchain.info wallet, the blockchain.info software needs to use a private key to sign that transaction.  If they re-use an R value that they used on a previous transaction, and you are re-using the same bitcoin address in your blockchain.info wallet for multiple transactions, then attackers that monitor the bitcoin network will be able to compute the private key.  They won't need your "strong" password, and they won't need your 2-factor login.  The hacker can simply create and broadcast a transaction that empties your wallet.



Should such an event take place, shouldn't Blockchain.info be held liable?
After all, it's their system that would have caused the screw-up!
legendary
Activity: 3472
Merit: 4801
January 06, 2015, 11:11:53 PM
#18
- snip -
However, since I use a strong password + 2-factor login authentication at blockchain in addition to having 2-factor login authentication on my e-mail account, I think that I shouldn't have anything to worry about.
- snip -

Every time you send a bitcoin transaction from your blockchain.info wallet, the blockchain.info software needs to use a private key to sign that transaction.  If the signature has a re-used R value from a previous transaction, and you are re-using the same bitcoin address in your blockchain.info wallet for multiple transactions, then attackers that monitor the bitcoin network will be able to compute the private key.  They won't need your "strong" password, and they won't need your 2-factor login.  The hacker can simply create and broadcast a transaction that empties your wallet.

hero member
Activity: 534
Merit: 500
January 06, 2015, 10:57:23 PM
#17
Thanks for the explanation Danny!
Well I can tell you that I am certainly not interested in that level of technical detail. Grin
However, since I use a strong password + 2-factor login authentication at blockchain in addition to having 2-factor login authentication on my e-mail account, I think that I shouldn't have anything to worry about.

I recently had a blockchain issue where my ip address was changed from my modem and I had ip security authentication enabled and got blocked from my account. I contacted support with my details and they reinstated my account 2 weeks later. Cool
legendary
Activity: 3472
Merit: 4801
January 06, 2015, 07:56:50 PM
#16
I would be very grateful if someone could explain what is this R-Value problem I am reading about.

Understanding the "R-Value" problem requires understanding the technical details of how an ECDSA signature is created and verified.

Assuming that you aren't interested in that level of technical detail, the basic idea is that an ECDSA digital signature requires you to choose a number that nobody knows (and is essentially impossible to guess) and perform some calculations with that number.  As long as you use a new number every time that you create a new signature (and as long as nobody guesses the number you used) it isn't possible for anyone to calculate your private key from the signature.

However, if you re-use the number for two different signatures (or if you are choosing your number from a very small set of numbers so that it becomes possible for someone to figure out which one you are using), then it becomes possible to use the information to calculate your private key.
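
The re-used number described above is visible on the network as a repeated r, because the r in an ECDSA signature is computed from the secret number alone. As an added example (not part of the original post and not blockchain.info's code), this check parses DER-encoded signatures and flags any key that used the same r for two different messages. The transaction ids, key labels and r/s values are constructed sample data, and each signature is assumed to have its Bitcoin sighash byte already stripped.

```python
from collections import defaultdict

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 group order

def parse_der_sig(sig: bytes):
    """Return (r, s) from a DER ECDSA signature: 30 len 02 len r 02 len s."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected an INTEGER")
        end = pos + 2 + sig[pos + 1]
        if end == pos + 2 or end > len(sig):
            raise ValueError("bad INTEGER length")
        ints.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return ints[0], ints[1]

def encode_der_sig(r: int, s: int) -> bytes:
    """Build a DER signature; used only to construct the sample data."""
    def der_int(v):
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps the sign bit clear
        return b"\x02" + bytes([len(b)]) + b
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def find_reused_r(records):
    """Map (pubkey, r) -> txids for every r a key used with more than one s."""
    seen = defaultdict(dict)                      # (pubkey, r) -> {s: txid}
    for txid, pubkey, sig in records:
        r, s = parse_der_sig(sig)
        s = min(s, N - s)                         # s and N - s sign the same message
        seen[(pubkey, r)].setdefault(s, txid)
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

# Constructed sample values, not real signatures or transactions.
R_A, R_B = int("a1" * 32, 16), int("5b" * 32, 16)
S1, S2, S3 = int("11" * 32, 16), int("22" * 32, 16), int("33" * 32, 16)
RECORDS = [
    ("tx-1", "key-A", encode_der_sig(R_A, S1)),
    ("tx-2", "key-A", encode_der_sig(R_B, S2)),
    ("tx-3", "key-A", encode_der_sig(R_A, S3)),      # same key, same r, new message
    ("tx-4", "key-B", encode_der_sig(R_A, S1)),      # other key: not a per-key reuse
    ("tx-5", "key-A", encode_der_sig(R_A, N - S1)),  # malleated copy of tx-1
]
print(find_reused_r(RECORDS))
```

Only tx-1 and tx-3 are reported: the malleated copy and the signature under a different key do not count as a second message signed by the same key with the same r.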

hero member
Activity: 534
Merit: 500
January 06, 2015, 07:42:33 PM
#15
I would be very grateful if someone could explain what is this R-Value problem I am reading about.
hero member
Activity: 882
Merit: 1006
January 06, 2015, 01:14:32 PM
#14
Since the R-Value problem, I had a bci account with only about 0.5 coins in it.  The gmail account that it was registered with was shut down too by google without warning.

Now when I try to log in to BCI I get a message saying I have to check my email.  Sigh.

I have the original passphrase.  Is BCI a HD wallet?  Can I just import my pass phrase into another HD wallet app?  It's not the end of the world, but I wouldn't mind getting that half a coin out.

If you have the backup (they are named "wallet.aes.json") and the passphrase, simply visit https://blockchain.info/wallet/import-wallet and use it to create a new wallet from your backup.
sr. member
Activity: 504
Merit: 250
January 06, 2015, 10:03:26 AM
#13
Since the R-Value problem, I had a bci account with only about 0.5 coins in it.  The gmail account that it was registered with was shut down too by google without warning.

Now when I try to log in to BCI I get a message saying I have to check my email.  Sigh.

I have the original passphrase.  Is BCI a HD wallet?  Can I just import my pass phrase into another HD wallet app?  It's not the end of the world, but I wouldn't mind getting that half a coin out.
what you've sent an email to his CS, which is used to check email from the your identifier  ..
hero member
Activity: 765
Merit: 503
January 05, 2015, 09:06:54 PM
#12
As I'm sure you've guessed, BC.i requires each browser/OS combination to be email-authenticated (just once, unless you nuke your cookies regularly) for all accounts that have a registered email address, even those which haven't enabled 2FA. This is a fairly recent change (a few weeks ago).

If you don't have a backup, and can't locate a browser with a cached copy, your only choice is to open a support request as others have already pointed out....



I have the original pass phrase, but created addresses since then.  Thanks, 2FA reset form submitted.
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
January 05, 2015, 08:59:30 PM
#11
As I'm sure you've guessed, BC.i requires each browser/OS combination to be email-authenticated (just once, unless you nuke your cookies regularly) for all accounts that have a registered email address, even those which haven't enabled 2FA. This is a fairly recent change (a few weeks ago).

If you don't have a backup, and can't locate a browser with a cached copy, your only choice is to open a support request as others have already pointed out....

newbie
Activity: 2
Merit: 0
January 05, 2015, 07:56:46 PM
#10
You need to fill out the form at https://blockchain.info/wallet/reset-two-factor and wait a few days.
hero member
Activity: 765
Merit: 503
January 05, 2015, 07:50:06 PM
#9
Looks like the site is making a json call with a different wallet identifier

https://blockchain.info/wallet/ce07adb1-[removed]?format=json&resend_code=false&ct=1420505310923
hero member
Activity: 765
Merit: 503
January 05, 2015, 07:45:05 PM
#8
Did you have 2FA enabled? If you didn't, there's some chance your wallet is still cached in your browser (unless you've logged into it successfully in the last few weeks -- BC.i disabled caching a few weeks ago).

To find out if you do have it cached, visit the login page (don't try to log in), press F12 to open the debugging tools, choose the Console tab at the top of the debugging tools, and in the console window type (depending on the browser, the console field where you can type things may be at the bottom of the console window):

Code:
localStorage["payload"]

If you get something back in the console besides "undefined", copy the entire thing into a text file for safe keeping in case BC.i support can't/won't restore your access.

No, I didn't have 2FA enabled.  Ok, this is odd.  Following your advice, I thought I'd try in a different machine (Windows FF).  I get the error as soon as I navigate to the wallet page.

hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
January 05, 2015, 02:51:18 PM
#7
Did you have 2FA enabled? If you didn't, there's some chance your wallet is still cached in your browser (unless you've logged into it successfully in the last few weeks -- BC.i disabled caching a few weeks ago).

To find out if you do have it cached, visit the login page (don't try to log in), press F12 to open the debugging tools, choose the Console tab at the top of the debugging tools, and in the console window type (depending on the browser, the console field where you can type things may be at the bottom of the console window):

Code:
localStorage["payload"]

If you get something back in the console besides "undefined", copy the entire thing into a text file for safe keeping in case BC.i support can't/won't restore your access.
hero member
Activity: 518
Merit: 500
January 05, 2015, 12:06:45 AM
#6
Your best option is to try contacting support and providing valid information and change your email.
hero member
Activity: 765
Merit: 503
January 04, 2015, 11:08:35 PM
#5
  Is BCI a HD wallet? 

No.


If you have the .aes backup anywhere (usually in your emails), you can decrypt that using your password, no 2FA needed.
They were in Gmail, but that's closed now.
hero member
Activity: 765
Merit: 503
January 04, 2015, 11:08:03 PM
#4
If you have the handle and the password, write to their support, explain to them that you no longer have access to your email address and ask them to assign another. I know someone who had a similar problem and they helped him out.
I logged in the other day, after the first R value thread, but now she's locked.  I'll try emailing them tonight.  Thanks.
hero member
Activity: 672
Merit: 502
January 04, 2015, 10:18:28 PM
#3
If you have the handle and the password, write to their support, explain to them that you no longer have access to your email address and ask them to assign another. I know someone who had a similar problem and they helped him out.
sr. member
Activity: 336
Merit: 254
CEO of Privex Inc. (www.privex.io)
January 04, 2015, 10:07:18 PM
#2
  Is BCI a HD wallet? 

No.


If you have the .aes backup anywhere (usually in your emails), you can decrypt that using your password, no 2FA needed.
hero member
Activity: 765
Merit: 503
January 04, 2015, 09:03:27 PM
#1
Since the R-Value problem, I had a bci account with only about 0.5 coins in it.  The gmail account that it was registered with was shut down too by google without warning.

Now when I try to log in to BCI I get a message saying I have to check my email.  Sigh.

I have the original passphrase.  Is BCI a HD wallet?  Can I just import my pass phrase into another HD wallet app?  It's not the end of the world, but I wouldn't mind getting that half a coin out.