Topic: Blockchain.info isn't safe - My Wallet Password Stealer (Passes the "Verifier") - page 2. (Read 29987 times)
December 23, 2012, 11:39:04 AM
would need the end-user install a browser-plugin to achieve this...
December 23, 2012, 10:26:59 AM
Could you please be more specific as to what "not safe" is supposed to mean and what kind of attack could be done with that?
As far as I can tell for now: what piuk says, you're just displaying your own password.
EDIT: just saw your other thread about JAIL and BLOCKCHAIN.INFO and shit? I'm having a hard time believing you don't have some sort of personal issue with blockchain.info. This is pure FUD in my eyes.
As far as I can tell for now: what piuk says, you're just displaying your own password.
EDIT: just saw your other thread about JAIL and BLOCKCHAIN.INFO and shit? I'm having a hard time believing you don't have some sort of personal issue with blockchain.info. This is pure FUD in my eyes.
December 23, 2012, 09:43:49 AM
You have just modified the javascript in your own browser. The javascript is the bitcoin client and if you modify the client then of course you can change it to print the password or private keys etc. It would be trivial to modify the Bitcoin-Qt source to add an alert box which prints the password in a similar fashion.
This is how the service works, client side.
This is how the service works, client side.
December 23, 2012, 08:40:42 AM
watch.
December 23, 2012, 08:29:47 AM
Damn, why didn't I think of this? 
December 23, 2012, 08:00:22 AM
Didn't take me this long: https://i.imgur.com/y905u.png
Yes, it passes all the "verifiers". The alert stopped script execution, but after that there is "Not modified". I used MS Paint to remove the checksum and potentially unique identifiers.
Feel free to disregard / think this is fake / etc at your own risk (the attacker could have modified it to send your password to their server). I don't plan on releasing the proof of concept unless there is sufficient demand for it.
I have nothing personal against blockchain.info, but I'm not going to bother finding the quote by blockchain.info saying how they take loads of (ineffective) security precautions.. Just saying your blockchain wallet isn't safe.
Yes, it passes all the "verifiers". The alert stopped script execution, but after that there is "Not modified". I used MS Paint to remove the checksum and potentially unique identifiers.
Feel free to disregard / think this is fake / etc at your own risk (the attacker could have modified it to send your password to their server). I don't plan on releasing the proof of concept unless there is sufficient demand for it.
I have nothing personal against blockchain.info, but I'm not going to bother finding the quote by blockchain.info saying how they take loads of (ineffective) security precautions.. Just saying your blockchain wallet isn't safe.
Jump to: