
Topic: Blockchain.info Unauthorized Withdraw (Read 3403 times)

member
Activity: 87
Merit: 10
April 26, 2013, 09:55:51 AM
#24
It would be good to understand how the hacker got to copy the private keys in the first place. Maybe Blockchain can implement a fix.
Obviously these 2 guys are not the only people who lost coins this way... 500 BTC in total was taken this way.

The Blockchain wallet runs client-side (JS), right?
When that wallet is running, is it possible for some other client-side app to hack the JS wallet somehow?

@elrodvoss

Does your browser have Java enabled? Click here and find out -> http://isjavaenabled.com

As stated in the above response, Java is running on the computer.
hero member
Activity: 798
Merit: 1000
April 25, 2013, 11:02:27 PM
#23
It's the no-log part that really irks me. How can a withdrawal be made without an entry being made?
Agreed, this is the main worry in all this, I think...

Blockchain.info is only a client. It doesn't store bitcoins itself, it only stores the credentials needed to send bitcoins from your addresses (that is, the private keys for your bitcoin addresses). If his computer/phone has been compromised, these credentials might be logged/copied during one of his legitimate logins to blockchain.info and sent to the attacker. The attacker could then use these stolen credentials with any other bitcoin client (like Bitcoin-Qt, Armory, Multibit, etc.) to send bitcoins - and that's why blockchain.info didn't have any suspicious logins.

Right, gotcha
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
April 25, 2013, 11:00:34 PM
#22
It would be good to understand how the hacker got to copy the private keys in the first place. Maybe Blockchain can implement a fix.
Obviously these 2 guys are not the only people who lost coins this way... 500 BTC in total was taken this way.

The Blockchain wallet runs client-side (JS), right?
When that wallet is running, is it possible for some other client-side app to hack the JS wallet somehow?

@elrodvoss

Does your browser have Java enabled? Click here and find out -> http://isjavaenabled.com


member
Activity: 87
Merit: 10
April 25, 2013, 10:57:28 PM
#21
It's the no-log part that really irks me. How can a withdrawal be made without an entry being made?
Agreed, this is the main worry in all this, I think...

Blockchain.info is only a client. It doesn't store bitcoins itself, it only stores the credentials needed to send bitcoins from your addresses (that is, the private keys for your bitcoin addresses). If his computer/phone has been compromised, these credentials might be logged/copied during one of his legitimate logins to blockchain.info and sent to the attacker. The attacker could then use these stolen credentials with any other bitcoin client (like Bitcoin-Qt, Armory, Multibit, etc.) to send bitcoins - and that's why blockchain.info didn't have any suspicious logins.

Well, I guess what I'll have to do is

  • Remake a new blockchain.info wallet.
  • Use a unique PW vs. any other site.
  • Enable IP restriction so it can only be used at my home location.

I would think that with those three, especially the IP restriction, at account creation, there should be no way a thief could access my account and view my private key. Of course I have been wrong before. Blockchain even states that the app will work as long as it's "synced" with the account. So that should be secure as well. In my mind, that tells me that even if they got my password, they couldn't access my account due to the IP restriction.


member
Activity: 87
Merit: 10
April 25, 2013, 10:50:26 PM
#20

Unfortunately I think more users are likely to be affected by this transaction.

Any users who own an address used in the above transaction (https://blockchain.info/tx/89f8223bc1d9140889496dea843df1854f17aee35b8ac5006ec1efee2ba5bd80) please could you answer the following questions:

  • A:  Do you have a bitcoin app on your android phone?
  • B:  Do you have a blockchain.info wallet holding the address in question?
  • C:  If you have a blockchain wallet do you use a public alias the same as your bitcointalk, bitcoin-otc or irc username?
  • D:  Do you have accounts on one of the following sites: BTC-e, bitcoin-central or mining.bitcoin.cz?
  • E:  Do you reuse the same wallet password on different websites (specifically the above sites)?
  • F:  Do you read the BTC-e chat box?
  • G:  Does your browser have Java enabled? http://isjavaenabled.com


Maybe we can figure out what's going on.
I suspect BTC-e has some flaw that allows hackers to run some custom JS...
Have you ever used BTC-e?



A:  I have several bitcoin apps. Nothing new in the last several months. Blockchain, bitcoin calculator, miner status.
B:  I posted above the wallet that was used today. Unsure if that was the same one, only because I haven't looked and compared at the moment.
C:  Same name on Blockchain and bitcointalk.
D:  I mine at bitcoin.cz (Slush).
E:  Sadly the same password, though it was a strong 10+ character one using capital and lowercase letters, numbers, and symbols.
F:  I do not read the BTC-e chat box (don't even know what it is).
G:  Java is enabled on this computer.

For myself this only started in the last 14 days.

4/13 was the withdrawal, but I thought it was from an email hack.
Wallet address was: 1Nr8BbTNTYutpdHKYzDJpAUcuo2wToL1C2
That only had 5.2 coins removed from various accounts.

The one from today was over 500 coins in their attack, though my loss was only 1.

I have ordered a "Raspberry Pi" rig that I will be using as my solo bitcoin interface. So that should take care of most issues. I'll have to come up with unique passwords for the rest of my bitcoin accounts. Of course the only fear is that with multiple passwords I will forget/lose them, and writing them down defeats the purpose on some level.

I could go back to a two-wallet system. But if they get into my Slush account or Blockchain they could see the address (public, not private).


legendary
Activity: 4424
Merit: 4794
April 25, 2013, 10:46:30 PM
#19
No log means they didn't log into your account to send the funds.

It means they got your private key previously, then added it to their own client/wallet and decided today was the day to empty you out.

So if elrodvoss only had the private key in blockchain.info and not an Electrum or Qt client, then obviously someone at some point got into his and silvereagle's blockchain.info accounts at an earlier date and copied the private keys, and just waited a few days/weeks before sweeping them.

hero member
Activity: 616
Merit: 522
April 25, 2013, 10:40:26 PM
#18
It's the no-log part that really irks me. How can a withdrawal be made without an entry being made?
Agreed, this is the main worry in all this, I think...

Blockchain.info is only a client. It doesn't store bitcoins itself, it only stores the credentials needed to send bitcoins from your addresses (that is, the private keys for your bitcoin addresses). If his computer/phone has been compromised, these credentials might be logged/copied during one of his legitimate logins to blockchain.info and sent to the attacker. The attacker could then use these stolen credentials with any other bitcoin client (like Bitcoin-Qt, Armory, Multibit, etc.) to send bitcoins - and that's why blockchain.info didn't have any suspicious logins.
hero member
Activity: 798
Merit: 1000
April 25, 2013, 10:33:53 PM
#17
It's the no-log part that really irks me. How can a withdrawal be made without an entry being made?

Agreed, this is the main worry in all this, I think...
member
Activity: 87
Merit: 10
April 25, 2013, 10:30:54 PM
#16
silvereagle

elrodvoss

Have both of you contacted PIUK (the guy behind blockchain.info)? He might be able to help you out more.
https://bitcointalksearch.org/user/piuk-17928

Also, are there any other places that you BOTH imported your private keys into?

Maybe you both downloaded a rogue program that keylogged you both, and the attacker decided today was the day to take some funds.
The transaction reveals that someone somewhere has both of your private keys in one wallet. So check with each other whether you both use any other mobile app wallets or other things; even check where you both downloaded your miners or Qt clients from.

I think silvereagle said in another thread he had his email hacked and had his Blockchain compromised ages ago before this loss. Has elrodvoss had previous losses?

Seems strange that 2 "noobs" have had losses due to this same attack and no key/long-established members have claimed losses (yet).

I've placed a ticket with the blockchain.info site. No word from them yet other than a confirmation email.

I have never imported any other keys or wallets into Blockchain. I was using Blockchain since I could easily transfer funds from Blockchain -> Mt. Gox -> BitInstant.

As mentioned before, I was hit a week ago and just thought someone got into my email. Thought that just changing all my passwords would do the trick. Shows that it didn't, sadly.

member
Activity: 87
Merit: 10
April 25, 2013, 10:29:47 PM
#15
It's just bad practice giving your phone access to your main hoard of bitcoin. The blockchain.info wallet stores the password in plaintext AFAIK. It's not a problem because the app is sandboxed, so no other apps should have access to it (unless the phone is rooted or modded). However, the phone is just another way in for a keylogger or malware. It's a potential backdoor if you give it access to your main hoard.
member
Activity: 87
Merit: 10
April 25, 2013, 10:23:32 PM
#14
If you are using their phone app, don't. It makes you vulnerable, especially if you have a rooted phone.

Which?
Blockchain's app
or
Mt. Gox mobile site?

And the phone is not rooted.
member
Activity: 87
Merit: 10
April 25, 2013, 10:04:27 PM
#13
If you are using their phone app, don't. It makes you vulnerable, especially if you have a rooted/modded phone.
member
Activity: 87
Merit: 10
April 25, 2013, 09:54:54 PM
#12
My email was possibly hacked. I had coins removed from my account last week (1 coin) and that's when I changed all my passwords for everything. Bank, Google, credit cards, etc.

I have a main computer and a laptop. Both with antivirus and malware protection. Nothing new installed other than downloads of Linux distros for the new rig.

Have several apps on my GS3, but nothing new.

I have no idea how I could have been a victim, especially in the last 2-3 weeks.

I do use Slush's pool and know that it has been attacked over the last 3 weeks. But it was stated that everything was secure. PW changed there and wallet address checked as well.

Still on the phone but may be more detailed when I get home.

The only other thing was I've been looking for new ways to cash out coins since Mt. Gox changed, but that was after the first issue a week ago. So I doubt that was the issue.

On the phone I use Mt. Gox mobile and the Blockchain app.

Use two rigs with the main computer running Slush's proxy program for Stratum. That's been running for 2 months.

Been using Blockchain for 6-8 months without issue.
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
April 25, 2013, 09:17:40 PM
#11
elrodvoss

Please answer these questions too.

Unfortunately I think more users are likely to be affected by this transaction.

Any users who own an address used in the above transaction (https://blockchain.info/tx/89f8223bc1d9140889496dea843df1854f17aee35b8ac5006ec1efee2ba5bd80) please could you answer the following questions:

  • Do you have a bitcoin app on your android phone?
  • Do you have a blockchain.info wallet holding the address in question?
  • If you have a blockchain wallet do you use a public alias the same as your bitcointalk, bitcoin-otc or irc username?
  • Do you have accounts on one of the following sites: BTC-e, bitcoin-central or mining.bitcoin.cz?
  • Do you reuse the same wallet password on different websites (specifically the above sites)?
  • Do you read the BTC-e chat box?
  • Does your browser have Java enabled? http://isjavaenabled.com

Maybe we can figure out what's going on.
I suspect BTC-e has some flaw that allows hackers to run some custom JS...
Have you ever used BTC-e?
newbie
Activity: 28
Merit: 0
April 25, 2013, 08:51:38 PM
#10
silvereagle

elrodvoss

Have both of you contacted PIUK (the guy behind blockchain.info)? He might be able to help you out more.
https://bitcointalksearch.org/user/piuk-17928

Also, are there any other places that you BOTH imported your private keys into?

Maybe you both downloaded a rogue program that keylogged you both, and the attacker decided today was the day to take some funds.
The transaction reveals that someone somewhere has both of your private keys in one wallet. So check with each other whether you both use any other mobile app wallets or other things; even check where you both downloaded your miners or Qt clients from.

I think silvereagle said in another thread he had his email hacked and had his Blockchain compromised ages ago before this loss. Has elrodvoss had previous losses?

Seems strange that 2 "noobs" have had losses due to this same attack and no key/long-established members have claimed losses (yet).

Just interacted with PIUK on the other thread we've been discussing this in - the one I started. Ideally just looking to determine which apps I can trust again.
sr. member
Activity: 315
Merit: 255
April 25, 2013, 08:49:48 PM
#9
Blockchain.info really needs to start forcing 2 factor on all new accounts. Otherwise this will keep happening.

In addition it would be helpful if they provided information like in DeathAndTaxes' post to users after having their passwords stolen.
legendary
Activity: 4424
Merit: 4794
April 25, 2013, 08:08:19 PM
#8
silvereagle

elrodvoss

Have both of you contacted PIUK (the guy behind blockchain.info)? He might be able to help you out more.
https://bitcointalksearch.org/user/piuk-17928

Also, are there any other places that you BOTH imported your private keys into?

Maybe you both downloaded a rogue program that keylogged you both, and the attacker decided today was the day to take some funds.
The transaction reveals that someone somewhere has both of your private keys in one wallet. So check with each other whether you both use any other mobile app wallets or other things; even check where you both downloaded your miners or Qt clients from.

I think silvereagle said in another thread he had his email hacked and had his Blockchain compromised ages ago before this loss. Has elrodvoss had previous losses?

Seems strange that 2 "noobs" have had losses due to this same attack and no key/long-established members have claimed losses (yet).
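The inference in the post above, that one transaction spending both victims' coins proves a single wallet held both private keys, is the common-input-ownership heuristic, and it is also why blockchain.info had no login to show: a copied key is spent from whatever client the thief likes. The following is an added example in Python, not code from this thread or from blockchain.info. The transactions and address labels are constructed sample data with the shape the thread describes (many victims' inputs drained to one output), not the real transaction linked in the thread.

```python
"""Common-input-ownership clustering over a set of bitcoin transactions.

Added example, not code from the thread or from blockchain.info.  It shows
how a sweep transaction exposes that one party held the private keys for
every address it spent from.  All transactions below are constructed
sample data with placeholder labels, not real chain data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample: each transaction lists the addresses whose coins it
# spent (inputs) and the addresses it paid (outputs).  Labels are placeholders.
SAMPLE_TXS: List[dict] = [
    # ordinary spends by two unrelated victims before the theft
    {"txid": "t1", "inputs": ["victim1_a", "victim1_b"], "outputs": ["shop", "victim1_a"]},
    {"txid": "t2", "inputs": ["victim2_a"], "outputs": ["exchange"]},
    # the sweep: one transaction drains several victims' addresses into one
    # destination, which proves one wallet held every one of those keys
    {"txid": "t3",
     "inputs": ["victim1_a", "victim2_a", "victim3_a", "victim4_a"],
     "outputs": ["thief"]},
    # an unrelated user who never shared an input with anyone above
    {"txid": "t4", "inputs": ["other_a"], "outputs": ["other_b"]},
]


class UnionFind:
    """Disjoint-set forest keyed by address string."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:          # path halving
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each spent-from address to the set of addresses whose keys the same
    party must hold.  All inputs of one transaction are merged, because the
    signer needed the private key for each of them.  Outputs are never merged:
    receiving coins says nothing about who controls the receiving key."""
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        if not inputs:                      # coinbase-style tx: nothing spent
            continue
        uf.find(inputs[0])                  # register single-input spends too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: groups[uf.find(addr)] for addr in uf.parent}


def find_sweeps(txs: Iterable[dict], min_inputs: int = 3) -> List[str]:
    """Flag transactions shaped like a mass sweep: many inputs, one output."""
    return [tx["txid"] for tx in txs
            if len(tx["inputs"]) >= min_inputs and len(tx["outputs"]) == 1]


def co_compromised(txs: Iterable[dict], address: str) -> Set[str]:
    """Other addresses whose keys the holder of `address`'s key also controls."""
    clusters = cluster_by_common_input(txs)
    return clusters.get(address, {address}) - {address}


if __name__ == "__main__":
    for txid in find_sweeps(SAMPLE_TXS):
        print("sweep-shaped transaction:", txid)
    print("keys held alongside victim3_a:", sorted(co_compromised(SAMPLE_TXS, "victim3_a")))
```

Two caveats apply when running this over real chain data. CoinJoin-style transactions deliberately combine inputs from different people and break the heuristic. And the heuristic assumes a key has one owner over time: after a theft, the victim's earlier spends and the thief's sweep are chained together, so here victim1_b is pulled into the sweep cluster even though the sample never shows the thief spending it. That is still the right conclusion for a wallet whose whole key set was copied, but it is an inference, not proof.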
newbie
Activity: 28
Merit: 0
April 25, 2013, 06:44:17 PM
#7
That's the same address mine went to.
member
Activity: 87
Merit: 10
April 25, 2013, 06:40:48 PM
#6
This is the address that is listed in my transactions as to where my coins were sent to the second time:
1JKJdYSZNrWSca1b9ajejdmjuqooE7TLFr


Details of transaction:
You Sent: 1.00779078 BTC ($ 142.60)
Value at time of transaction: $ 146.94
Hash: 89f8223bc1d9140889496dea8...
Sent Time: 2013-04-25 22:22:48 (+26 minutes to confirm)
Confirmations: 8
Double Spend: No Double Spend Detected
Transaction Fee: 0.0155 BTC

Not sure if this will show, but here is the detailed info of that address:
https://blockchain.info/address/1JKJdYSZNrWSca1b9ajejdmjuqooE7TLFr
So if I'm reading that right, that person just made 542 coins in less than 5 minutes from several dozen accounts.

My wallet is 1J71jWZqvoK6n9TLvuQjy3kgxctx9QbpQ8, and is at zero coins and in 5 hours will be defunct.

member
Activity: 84
Merit: 10
April 25, 2013, 06:29:14 PM
#5
Sad that it cost me $200 to learn that lesson.

Didn't realize/remember they would have access due to the private keys.

Guess I'll have to get a new wallet and start fresh.

Such a kick in the balls though. From what I learned they got over 500 coins in transactions to the account that it was transferred to.

Grrr.

Thanks anyway. Lesson learned the hard way.

FYI, pardon any bad typing. On my phone at work.

So you're saying your address is in the same transaction as this one?

https://bitcointalksearch.org/topic/wallet-hack-on-425-187822