StrongCoin key leak. | Bitcointalksearch.org

vesperwillow

hero member

Activity: 616

Merit: 500

Quote from: MPOE-PR on April 03, 2013, 09:19:56 AM

Quote from: dogisland on April 03, 2013, 07:31:36 AM

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Here's the most valuable question in this thread: Who's the babe in your profile pic??

aussie_striker

sr. member

Activity: 423

Merit: 250

I changed my password after this happened and it stated around 4 years to break it. Today I looked at my account and there is a transaction that cleared out my whole account (5.48134 BTC) 4 days ago.
Needless to say I'm not happy about it.

I've looked at my strongcoin and also on bitchain, not sure why but it shows a different address it went to or am I reading that wrong?

According to Strongcoin
From 1JE5dWuwo7z67VAAgzrfRUiNpvHsenhW5U
To 1PKSK8TyvQrCGjQbsbNVQNoo4ftcEiBUSk
- 5.48 134

On Blockchain it shows
1GKVf2b4QTV3TzBUWFzT5FQbmhKBPU861m 5.48134135 BTC

Not sure if it is due to the same problem or there is a new problem. I've changed passwords again but now have nothing.

gjk

newbie

Activity: 1

Merit: 0

...I tried to send my money to other BTC-adresses, but everytime a warning namend "undefinded" occured. What's wrong? Huh

I also asked via mail, but I didnt get an answer yet (one week ago). Undecided

jonitas

newbie

Activity: 57

Merit: 0

Quote from: whiskers75 on April 03, 2013, 11:17:49 AM

And it doesn't charge a 1% fee.

Ok, so how do I get my money out without paying the 1% fee? I go to Blockchain.info -> import/export -> import -> import private key ? Will that transfer my wallet to blockchain and leave the wallet I already have in the same account alone?

Just checking because I don´t want to overwrite any current balance I have.

I guess my password was strong enough because I still have all of my bitcoins that I hold at strongcoin. But due to the increased price of bitcoin I should definitely diversify into more wallets.

springy

newbie

Activity: 6

Merit: 0

Quote from: MPOE-PR on April 03, 2013, 09:19:56 AM

Quote from: dogisland on April 03, 2013, 07:31:36 AM

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Agree, laziness and ego got in the way I think!

MPOE-PR

hero member

Activity: 756

Merit: 522

Quote from: pelleb on April 03, 2013, 10:04:28 AM

There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P

Quote

19. Do you use Google Analytics ?
No. Making a BTC financials website and then slapping GA on it is really akin to going to a cancer survivor's survival party and bringing them chemo drugs as a gift. Yes, it's that insulting/thoughtless. Really. Yes, it does show that level of outright contempt for the user. Really.

Also GA does break Tor in many cases.

Will people read FAQs? Will people implement the better solutions as demonstrated? Etc.

dansmith

full member

Activity: 202

Merit: 100

Thank you for explaining.
So, I guess that your web app has full access to all tables of your DB?

What do you think about creating a separate DB user for each wallet account. This way there will be no way a user could see other users' tables. Certainly, this will kill DB performance. But who cares about performance when money is at stake?

dogisland

sr. member

Activity: 262

Merit: 250

Quote from: whiskers75 on April 03, 2013, 11:17:49 AM

Looks like StrongCoin was a bit late to the party.

We were around before Blockchain.info i.e. 2011 https://bitcointalksearch.org/topic/the-kindle-bitcoin-and-client-side-address-generation-strongcoin-36169

dogisland

sr. member

Activity: 262

Merit: 250

Quote from: dansmith on April 03, 2013, 11:13:02 AM

Quote

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

I mean a bitcoin private key encrypted in AES 256. The AES 256 encryption is performed on the client side (javascript) using a password the user supplies. I never see that password.

So basically in StrongCoin when a private key is created, it is create in the browser. The user supplies a password to the Javascript and then Javascript AES encrypts the private key before sending it to the server.

So we only have AES encrypted private keys and a clue field. The user could supply a clue to help them remember the password. Some users may have given too much information in the clue field.

The AES encrypted key (still protected) was leaked along with the clue field.

The clue field has now been removed from Strongcoin and a warning added to encourage users to create more secure passwords.

whiskers75

hero member

Activity: 658

Merit: 502

Doesn't use these forums that often.

For the record: blockchain.info/wallet stores your wallet locally and on their servers, encrypted at both places and only ever decrypted on your computer. Looks like StrongCoin was a bit late to the party. Tongue

And it doesn't charge a 1% fee.
And you can do 'off-site backups' by email, Dropbox and Google Drive - yes, you can keep your wallet.
Blockchain.info wins!
(and it doesn't leak keys Undecided

)

dansmith

full member

Activity: 202

Merit: 100

Quote

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

dogisland

sr. member

Activity: 262

Merit: 250

Quote from: jp on April 03, 2013, 10:31:10 AM

Quote

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with your the user's password for that specific key. Even if someone could view another persons account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.

They could see the key, but it was still AES 256 encrypted. So they would see something like

U2FsdGVkX19ZvPGX+4T98zGnTjwKs1CmkzXpm8fEJjzuubAY/3wg1JoC6BcqiqR6
mKhdlqyLTeRHc59VfW9ebfwWOfOKnK9qqN8TXXSL4Nw=

So the issue here is that if a user had a low quality password and had given extra info in the clue field then there is a chance they have lost coins.

jp

member

Activity: 69

Merit: 10

Quote

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with your the user's password for that specific key. Even if someone could view another persons account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.

pelleb

newbie

Activity: 8

Merit: 0

There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P

Cryptoc

newbie

Activity: 14

Merit: 0

Quote from: hamdi on April 03, 2013, 09:48:42 AM

Quote from: Jan on April 03, 2013, 09:26:42 AM

It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.

Already happened!

Any more information?

ErebusBat

hero member

Activity: 560

Merit: 500

I am the one who knocks

Quote from: hamdi on April 03, 2013, 09:48:42 AM

Quote from: Jan on April 03, 2013, 09:26:42 AM

It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.

Already happened!

Sauce?

hamdi

hero member

Activity: 826

Merit: 500

Quote from: Jan on April 03, 2013, 09:26:42 AM

It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.

Already happened!

kokojie

legendary

Activity: 1806

Merit: 1003

Quote from: MPOE-PR on April 03, 2013, 09:19:56 AM

Quote from: dogisland on April 03, 2013, 07:31:36 AM

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

+1

Jan

legendary

Activity: 1043

Merit: 1002

It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.

MPOE-PR

hero member

Activity: 756

Merit: 522

Quote from: dogisland on April 03, 2013, 07:31:36 AM

1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Topic: StrongCoin key leak. (Read 4658 times)