Pages:
Author

Topic: Recent breach at Blockchain.info -- Android App did a stupid. - page 3. (Read 4928 times)

sr. member
Activity: 322
Merit: 250
https://dadice.com | Click my signature to join!
=snip=
The result was that all of those clients generated the private key corresponding to 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F and sent bitcoins to it.

And somebody who noticed a whole lot of coins accumulating at "his" address, spent them.  
=snip=

This "someone" really got a winning lottery ticket. 34+BTC are really some nice bucks.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
Damn. This is ridiculous. Why did they need to call random.org ?

To get increased randomness.
Right, but that is patentenly ridiculous (imo).  If you have a device with a radio, a gyroscope, a wifi-antenna, a java-random-number generator (that was recently hardened for use with crypto) and then you decide to make a call to a website to get a random number, that seems nuts.

True. They could just do like Bither do.

What's even more nuts is that they weren't getting back a random number but an error page and somehow they weren't even looking at that.  It's pretty shocking.

The worst thing they were not using HTTP to make the webservice call to random.org. On Jan 4, random.org started enforcing HTTPS and returning a 301 Permanently Moved error for HTTP. So from that day onwards, the entropy has actually been the error message which turned into bytes instead of the expected 256-bit number. Using that seed, SecureRandom generated private key for 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F. When will they learn? Huh Undecided
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
Damn. This is ridiculous. Why did they need to call random.org ?

To get increased randomness.
Right, but that is patentenly ridiculous (imo).  If you have a device with a radio, a gyroscope, a wifi-antenna, a java-random-number generator (that was recently hardened for use with crypto) and then you decide to make a call to a website to get a random number, that seems nuts.  What's even more nuts is that they weren't getting back a random number but an error page and somehow they weren't even looking at that.  It's pretty shocking.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
Damn. This is ridiculous. Why did they need to call random.org ?

To get increased randomness.

Does not an android phone provide enough entropy ?

I think, if phone location (lat, long) is used along with phone number, then better entropy can be created.

Most users' doesn't allow GPS connection to apps like these and also some users' doesn't want to expose their phone number because of privacy concerns. They may give access to these if everything is stored/done locally but Blockchain.info is a web-wallet.

Does anyone know how blockchain.info generates the random number for an address while we create it through browser ? Do they call random.org there as well ?

I think they only call random.org in Android for increased randomness.
legendary
Activity: 1662
Merit: 1050
Damn. This is ridiculous. Why did they need to call random.org ? Does not an android phone provide enough entropy ? I think, if phone location (lat, long) is used along with phone number, then better entropy can be created.

Does anyone know how blockchain.info generates the random number for an address while we create it through browser ? Do they call random.org there as well ?
staff
Activity: 3458
Merit: 6793
Just writing some code
Obviously reputable is a matter of interepretation.  But for me, the fact that they're probably the longest running web-wallet service not to be completely hacked and lose everything says something.  Also (and again, this may be just due to their longevity), I think they're the go-to block explorer for most people.  Kinda like google, they may not be the "best" search engine, that's a matter of debate, but many people equate search with google.  I believe that many people equate looking something up on the blockchain with looking it up on blockchain.info.

So, I guess I don't know a lot about their fuckups, and I don't use a web-wallet anyway (for security purposes), but yah, I had thought they were reputable.  Presumably, I don't know the whole story.
I would not use their web wallet ever. They have had some fuck ups in the past. One I remember is an issue where they were using the same R or S (I don't remember which) values in the signatures of all transactions sent by them. This led to some user's Bitcoin's being stolen.
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.


Not just could, it does explain those threads.  @Cryddit, you're right, it's quite mind-boggling that a site as reputable as blockchain.info screwed this up so completely.

Reputable? In terms of their track record of fucking up?

Obviously reputable is a matter of interepretation.  But for me, the fact that they're probably the longest running web-wallet service not to be completely hacked and lose everything says something.  Also (and again, this may be just due to their longevity), I think they're the go-to block explorer for most people.  Kinda like google, they may not be the "best" search engine, that's a matter of debate, but many people equate search with google.  I believe that many people equate looking something up on the blockchain with looking it up on blockchain.info.

So, I guess I don't know a lot about their fuckups, and I don't use a web-wallet anyway (for security purposes), but yah, I had thought they were reputable.  Presumably, I don't know the whole story.
legendary
Activity: 1792
Merit: 1111
This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.


Not just could, it does explain those threads.  @Cryddit, you're right, it's quite mind-boggling that a site as reputable as blockchain.info screwed this up so completely.

Reputable? In terms of their track record of fucking up?
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.


Not just could, it does explain those threads.  @Cryddit, you're right, it's quite mind-boggling that a site as reputable as blockchain.info screwed this up so completely.
legendary
Activity: 924
Merit: 1132
@OP: Could you please add '.info' after 'Blockchain' in the title?

Done.  I'm still boggling over this.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
I was in the middle of writing a breakdown of what went wrong, but you've beat me to it.

Basically, they have a LinuxSecureRandom class that's supposed to override the standard SecureRandom. This class reads from /dev/urandom and should provide cryptographically secure random values.

They also seed the generator using SecureRandom#setSeed with data pulled from random.org. With their custom SecureRandom, this is safe because it mixes the entropy using XOR, so even if the random.org data is dodgy it won't reduce security. It's just an added bonus.

BUT! On some devices under some circumstances, the LinuxSecureRandom class doesn't get registered. This is likely because /dev/urandom doesn't exist or can't be accessed for some reason. Instead of screaming bloody murder like any sensible implementation would, they just ignore that and fall back to using the standard SecureRandom.

If the above happens, there's a problem because the default implementation of SecureRandom#setSeed doesn't mix. If you set the seed, it replaces the entropy entirely. So now the entropy is coming solely from random.org.
And the final mistake: They were using HTTP instead of HTTPS to make the webservice call to random.org. On Jan 4, random.org started enforcing HTTPS and returning a 301 Permanently Moved error for HTTP - see https://www.random.org/news/. So since that date, the entropy has actually been the error message (turned into bytes) instead of the expected 256-bit number. Using that seed, SecureRandom will generate the private key for address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F 100% of the time. Ouch. This is around the time that address first appears, so the timeline matches.

I haven't had a thorough look at what they've replaced it with in the latest version, but initial impressions are that it's not ideal. Not disastrous, but not good.

Unfortunately, people still use this wallet after many careless mistakes from Blockchain.info.



@OP: Could you please add '.info' after 'Blockchain' in the title?
legendary
Activity: 1722
Merit: 1004
This required an UNBELIEVABLE level of ignorance or wilful stupidity to achieve. 
...
I'm just ...  I can't.... wow.  I didn't think that level of ... whatever it is .... was even possible.


Yeah. That was my reaction too. I code more defensively than that for free consumer web-apps that have nothing to do with money or sensitive data.

It's sad to see Blockchain blowing it like this. They raised $30M and have a team of 23. WTF have they been doing?!? Not only are they apparently 1) Not hiring the right people, 2) Not implementing any sort of code review over critical systems, 3) Not implementing any sort of reasonable testing procedures for a financial product...., but their overall product suite is essentially the same as it was >2 years ago when the entire company was basically just Ben.

I've been hugely disappointed in Blockchain over the past 1-2years.
staff
Activity: 3458
Merit: 6793
Just writing some code
This is really stupid of them. This is also why I don't trust third parties, they usually screw something up. I personally use Bitcoin Wallet for Android by schildbach and I rarely keep any coins there.

Also, has Blockchain.info fixed the problem with their app yet? If they haven't then a malicious user could try to generate that address and steal Bitcoins.
legendary
Activity: 924
Merit: 1132
This required an UNBELIEVABLE level of ignorance or wilful stupidity to achieve. 

I mean, hell, the minute I hear "Random numbers over http" the deal is already broken.  HTTP is not private and has no message integrity.  Middleware intercepts and rewrites HTTP all the damn time.  Your message could be tampered anywhere along the way!

The http service shut down in January.  Blockchain noticed in June.  Wouldn't you think that if your security depends on a web service staying up, you'd at least write a script that would tell you within, say, 24 hours, if it went away?

What does it take to not notice the difference between '200 OK' and '301 Service Permanently Removed' responses?  Seriously!  How could you possibly write an app that wouldn't notice that!!

"PRNG initialized from only two sources" -- another deal-breaker.

And then, when it tries to read one of those sources and fails, it fails SILENTLY?  What the HELL?

I'm just ...  I can't.... wow.  I didn't think that level of ... whatever it is .... was even possible.
staff
Activity: 3458
Merit: 6793
Just writing some code
This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.
hero member
Activity: 672
Merit: 500
If these stories were true, Blockchain.info has really messed up this time. I have the wallet on android (not 4.1). This could easily happen to me. Lucky I have never created new addresses on android, only send and receive on mobile from addresses created on web.
legendary
Activity: 924
Merit: 1132
  http://www.theregister.co.uk/2015/06/01/blockchain_app_shows_how_not_to_code/
  http://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-android-app-sent-bitcoins-to-the-wrong-address/
  http://dillingers.com/blog/2015/06/09/ce-random-numbers-and-response-parsing/

Short version of the story:  They were getting "Random" numbers over HTTP (WRONG!) from a third-party (WRONG!) to initialize a PRNG and generate keys (WRONG!).  

The third party - random.org in this case - discontinued its HTTP service because, well, random numbers over HTTP is WRONG!

But the clients Blockchain.info had deployed for Android didn't parse the response to see whether it was an error message; they just read the "301 service permanently moved" error message and treated it as a "random" number.(WRONG!)

This left all those Android clients initializing their key generators with the same not-very-random number.   And for some of them, where the sole other source that they attempted to use failed, that was the ONLY initialization.  

The result was that all of those clients generated the private key corresponding to 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F and sent bitcoins to it.

And somebody who noticed a whole lot of coins accumulating at "his" address, spent them.  

" There are more ways to get security wrong, Horatio, than dreamt of in your philosophy. "
Pages:
Jump to: