
Topic: Blockchain.info isn't safe - My Wallet Password Stealer (Passes the "Verifier") - page 2. (Read 30012 times)

hero member
Activity: 826
Merit: 500
Would need the end-user to install a browser plugin to achieve this...
donator
Activity: 2772
Merit: 1019
Could you please be more specific as to what "not safe" is supposed to mean and what kind of attack could be done with that?

As far as I can tell for now: what piuk says, you're just displaying your own password.

EDIT: just saw your other thread about JAIL and BLOCKCHAIN.INFO and shit? I'm having a hard time believing you don't have some sort of personal issue with blockchain.info. This is pure FUD in my eyes.

hero member
Activity: 910
Merit: 1005
You have just modified the JavaScript in your own browser. The JavaScript is the bitcoin client and if you modify the client then of course you can change it to print the password or private keys etc. It would be trivial to modify the Bitcoin-Qt source to add an alert box which prints the password in a similar fashion.

This is how the service works, client side.
donator
Activity: 1120
Merit: 1001
hero member
Activity: 686
Merit: 564
Damn, why didn't I think of this?
vip
Activity: 1316
Merit: 1043
👻
Didn't take me this long: https://i.imgur.com/y905u.png

Yes, it passes all the "verifiers". The alert stopped script execution, but after that there is "Not modified". I used MS Paint to remove the checksum and potentially unique identifiers.

Feel free to disregard / think this is fake / etc at your own risk (the attacker could have modified it to send your password to their server). I don't plan on releasing the proof of concept unless there is sufficient demand for it.

I have nothing personal against blockchain.info, but I'm not going to bother finding the quote by blockchain.info saying how they take loads of (ineffective) security precautions. Just saying your blockchain wallet isn't safe.