Pages:
Author

Topic: Reused R values again - page 4. (Read 121295 times)

newbie
Activity: 10
Merit: 0
December 25, 2014, 06:27:07 AM
You should ask them for a proper bounty and if they refuse or dont respond report the vulnerability in public. I dont think it will count as blackmail, youre not sure they are competent enough to handle it so you posted here where others can check and suggest fixes.

Full disclosure gets the job done but it doesn't pay my bills.

Responsible disclosure pays my bills, if it's anybody other than blockchain.info.
hero member
Activity: 584
Merit: 500
December 25, 2014, 06:25:50 AM
johoe says he got a reasonable reward.

You should report any vulnerability here, it will at least get you known and may get you contract with other firms.

I have to say, I already got a reasonable reward from bc.i.
hero member
Activity: 584
Merit: 500
December 25, 2014, 06:21:31 AM
You should not stop looking for vulnerability, youre doing a good service to Bitcoin and the general user who is unaware of Blockchain.info's incompetence.

Responsibly reporting even ridiculously critical bugs isn't financially sensible for me with this company.

You should ask them for a proper bounty and if they refuse or dont respond report the vulnerability in public. I dont think it will count as blackmail, youre not sure they are competent enough to handle it so you posted here where others can check and suggest fixes.

Once it happens, Blockchain wont be so careless again, but then they were about to lose 1000BTC so if they have not become wiser now they will never be.
newbie
Activity: 10
Merit: 0
December 25, 2014, 06:11:00 AM
Next time you should exploit a vulnerability, remove the coins and make it public. It will let you collect a good bounty, increase your profile and get hired as a consultant by some company and expose blockchain which will keep the public warned about using it.

That would be gray hat. I am white hat.

I had the opportunity to take all of the money johoe did significantly before he even realized it was an issue. It wasn't my place to go saving anybodies coins, it was if anybodies it was blockchain.info's. I don't know the legality of what joehoe did, as far as I could justify in my head at the time even though it was a "good" act, it would still be breaking my countries law. During the event I asked blockchain.info for permission to sweep the money and return it to the company, but they didn't respond in time.

You should not stop looking for vulnerability, youre doing a good service to Bitcoin and the general user who is unaware of Blockchain.info's incompetence.

Responsibly reporting even ridiculously critical bugs isn't financially sensible for me with this company.



How many people lost coins in this? Weren't they refunded? Even if they weren't , look how many people lost BTC and how much in fresh thefts like MintPal. By any criteria BC.i is very small, far away from #1 place.

You would do well to look at potential for disaster. Blockchain.info likely holds high double digit percentages of all Bitcoin in existence. It's possible they own some of the most valuable servers in the world as unlike an exchange they can't use a cold/hot storage system. It's all hot, all internet connected, all the time.
hero member
Activity: 584
Merit: 500
December 25, 2014, 06:04:14 AM
Have they offered to hire you as a consultant or on a bounty to keep checking for bugs?

No. Their response to responsible disclosure is deeply belittling.



a bounty to keep checking for bugs?



• You have to nag them to even pay out. Some of the reports I have made could have been leveraged to steal millions of dollars worth of Bitcoin directly from their users, such as a plaintext websocket fallback in the wallet communication, SSL not being enforced at all, HSTS not being enforced, and a logical bypass for their Tor exit node blocking which amplified MITM attacks. The bounty for these bugs was lumped together at 1.9 BTC total, which I found to be astonishing low given their profile and the probable impact.

• Their security "team" does not know how to use GPG properly, when reporting an insanely critical bug that could still result in the thefts of Bitcoin they responded to a GPG encrypted email in plaintext acknowledging and quoting the security sensitive information.

• High risk bugs that affect the integrity of their service are told to be in scope, partially fixed, encouragement given and then all further reports are ignored for weeks. As it currently stands, the statement that if you use their browser extension or application you are safe from remote attack is completely false.

It is for these reasons I will not be attempting to responsibly disclose bugs to blockchain.info in the future, and I do not suggest other researchers attempt it either.

Next time you should exploit a vulnerability, remove the coins and make it public. It will let you collect a good bounty, increase your profile and get hired as a consultant by some company and expose blockchain which will keep the public warned about using it.

You should not stop looking for vulnerability, youre doing a good service to Bitcoin and the general user who is unaware of Blockchain.info's incompetence.
newbie
Activity: 10
Merit: 0
December 25, 2014, 05:55:56 AM
Have they offered to hire you as a consultant or on a bounty to keep checking for bugs?

No. Their response to responsible disclosure is deeply belittling.

https://i.imgur.com/z8mW9DJ.png

a bounty to keep checking for bugs?



• You have to nag them to even pay out. Some of the reports I have made could have been leveraged to steal millions of dollars worth of Bitcoin directly from their users, such as a plaintext websocket fallback in the wallet communication, SSL not being enforced at all, HSTS not being enforced, and a logical bypass for their Tor exit node blocking which amplified MITM attacks. The bounty for these bugs was lumped together at 1.9 BTC total, which I found to be astonishing low given their profile and the probable impact.

• Their security "team" does not know how to use GPG properly, when reporting an insanely critical bug that could still result in the thefts of Bitcoin they responded to a GPG encrypted email in plaintext acknowledging and quoting the security sensitive information.

• High risk bugs that affect the integrity of their service are told to be in scope, partially fixed, encouragement given and then all further reports are ignored for weeks. As it currently stands, the statement that if you use their browser extension or application you are safe from remote attack is completely false.

It is for these reasons I will not be attempting to responsibly disclose bugs to blockchain.info in the future, and I do not suggest other researchers attempt it either.
hero member
Activity: 584
Merit: 500
December 25, 2014, 04:40:47 AM
They were lucky johoe saved them.

Not only johoe actually.

I'm the security researched who "caused" all of this by reporting a related bug to blockchain.info, which is why they were touching this critical code in the first place. The broken changes (there were multiple, only one is public knowledge) was pushed into production at midnight on Sunday in the UK. I caught the change and was able to get an emergency message to them in order to get them to pull the plug. Had I not had a script watching for changes like this on their site (previous experience has shown they love pushing broken code and then hiding it in git), it might have been a full 8 hours of sleep later that they could have taken down the website. Unsung hero and all that, but people would have lost a lot more money had it not been for that.

Their RNG was broken at least 4 times before this incident as well, it just didn't get any publicity.

So don't go go patting them on the back for their upstanding security, there's still piles of broken shit I've responsibly reported they haven't patched yet.

Thank you too.

Have they offered to hire you as a consultant or on a bounty to keep checking for bugs?
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
December 25, 2014, 04:00:30 AM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.

Theft under BTC 1000 doesn't get you into the first 30:
https://bitcointalksearch.org/topic/list-of-major-bitcoin-heists-thefts-hacks-scams-and-losses-old-83794

BC.i is still to small to make it to the list.
This wasn't about number of bitcoins lost, but number of people who lost coins one way or another.

How many people lost coins in this? Weren't they refunded? Even if they weren't , look how many people lost BTC and how much in fresh thefts like MintPal. By any criteria BC.i is very small, far away from #1 place.
newbie
Activity: 10
Merit: 0
December 25, 2014, 03:14:09 AM
They were lucky johoe saved them.

Not only johoe actually.

I'm the security researched who "caused" all of this by reporting a related bug to blockchain.info, which is why they were touching this critical code in the first place. The broken changes (there were multiple, only one is public knowledge) was pushed into production at midnight on Sunday in the UK. I caught the change and was able to get an emergency message to them in order to get them to pull the plug. Had I not had a script watching for changes like this on their site (previous experience has shown they love pushing broken code and then hiding it in git), it might have been a full 8 hours of sleep later that they could have taken down the website. Unsung hero and all that, but people would have lost a lot more money had it not been for that.

Their RNG was broken at least 4 times before this incident as well, it just didn't get any publicity.

So don't go go patting them on the back for their upstanding security, there's still piles of broken shit I've responsibly reported they haven't patched yet.
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
December 25, 2014, 02:36:55 AM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.

Uh no there are at least a handful of bigger thefts that occurred far before this.  Roll Eyes
legendary
Activity: 1258
Merit: 1027
December 24, 2014, 08:23:14 PM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.

Theft under BTC 1000 doesn't get you into the first 30:
https://bitcointalksearch.org/topic/list-of-major-bitcoin-heists-thefts-hacks-scams-and-losses-old-83794

BC.i is still to small to make it to the list.
This wasn't about number of bitcoins lost, but number of people who lost coins one way or another.

Other then Bc.i who lost coins? I believe they were all returned..
hero member
Activity: 584
Merit: 500
December 24, 2014, 07:54:17 PM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.

Theft under BTC 1000 doesn't get you into the first 30:
https://bitcointalksearch.org/topic/list-of-major-bitcoin-heists-thefts-hacks-scams-and-losses-old-83794

BC.i is still to small to make it to the list.

They were lucky johoe saved them. It wouldve been over 1000BTC if he was not here to sweep.
Technically, the number lost temporarily is above 1000BTC, so it should get in.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
December 24, 2014, 07:33:30 PM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.

Theft under BTC 1000 doesn't get you into the first 30:
https://bitcointalksearch.org/topic/list-of-major-bitcoin-heists-thefts-hacks-scams-and-losses-old-83794

BC.i is still to small to make it to the list.
This wasn't about number of bitcoins lost, but number of people who lost coins one way or another.
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
December 24, 2014, 06:56:35 PM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.

Theft under BTC 1000 doesn't get you into the first 30:
https://bitcointalksearch.org/topic/list-of-major-bitcoin-heists-thefts-hacks-scams-and-losses-old-83794

BC.i is still to small to make it to the list.
legendary
Activity: 1258
Merit: 1027
December 24, 2014, 06:01:57 PM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.

Not by a long shot, Mt. Gox is certainly #1....

And at least bc.i is doing what they can to make it right. It was a mistake, and they are fixing it.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
December 24, 2014, 05:41:00 PM
Of all thefts and errors that have occurred with Bitcoin, bc.i holds the #1 spot in theft related issues.
full member
Activity: 128
Merit: 101
December 24, 2014, 01:15:21 PM
Oh no, scapegoat is found. This poor guy gonna be lynched. Tongue
newbie
Activity: 8
Merit: 0
December 23, 2014, 12:31:25 PM
Has BCI given any explanation about what went wrong with the humanware?  Did the programmer violate any internal protocols by updating the patch without checking it? What are they doing to prevent similar problems in the future?

There's a single developer, no controls, no testing.

Single developer ? How do you know ? They are running a million dollar business !!!

More than one according to: https://blockchain.info/about

No, Ben Reeves is the only person who regularly commits any code and looks to be doing it with no peer review. There's no way you can pretend the change that caused this was done with any oversight by anybody. It can't be attributed to mismanagement because well, he is management. He's the guy who started the website, and miraculously the one who caused the 900 BTC loss here as well.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
December 23, 2014, 10:29:37 AM
Has BCI given any explanation about what went wrong with the humanware?  Did the programmer violate any internal protocols by updating the patch without checking it? What are they doing to prevent similar problems in the future?

There's a single developer, no controls, no testing.

Single developer ? How do you know ? They are running a million dollar business !!!

More than one according to: https://blockchain.info/about
sr. member
Activity: 431
Merit: 261
December 23, 2014, 10:28:42 AM
I think the btc address is in his signature :
Thanks for pointing out what I had overlooked! Not much there yet. Hopefully Blockchain.info tipped him well!
Pages:
Jump to: