Pages:
Author

Topic: StrongCoin key leak. (Read 4662 times)

hero member
Activity: 616
Merit: 500
August 22, 2013, 09:06:47 AM
#34
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Here's the most valuable question in this thread: Who's the babe in your profile pic??
sr. member
Activity: 423
Merit: 250
May 16, 2013, 05:32:40 AM
#33
I changed my password after this happened and it stated around 4 years to break it. Today I looked at my account and there is a transaction that cleared out my whole account (5.48134 BTC) 4 days ago.
Needless to say I'm not happy about it.

I've looked at my strongcoin and also on bitchain, not sure why but it shows a different address it went to or am I reading that wrong?

According to Strongcoin
From 1JE5dWuwo7z67VAAgzrfRUiNpvHsenhW5U
To    1PKSK8TyvQrCGjQbsbNVQNoo4ftcEiBUSk
   - 5.48 134

On Blockchain it shows
1GKVf2b4QTV3TzBUWFzT5FQbmhKBPU861m 5.48134135 BTC

Not sure if it is due to the same problem or there is a new problem. I've changed passwords again but now have nothing.


gjk
newbie
Activity: 1
Merit: 0
April 07, 2013, 05:44:25 AM
#32
...I tried to send my money to other BTC-adresses, but everytime a warning namend "undefinded" occured. What's wrong?  Huh

I also asked via mail, but I didnt get an answer yet (one week ago).  Undecided
newbie
Activity: 57
Merit: 0
April 04, 2013, 04:48:54 PM
#31
And it doesn't charge a 1% fee.

Ok, so how do I get my money out without paying the 1% fee? I go to Blockchain.info -> import/export -> import -> import private key ? Will that transfer my wallet to blockchain and leave the wallet I already have in the same account alone?

Just checking because I don´t want to overwrite any current balance I have.

I guess my password was strong enough because I still have all of my bitcoins that I hold at strongcoin. But due to the increased price of bitcoin I should definitely diversify into more wallets.
newbie
Activity: 6
Merit: 0
April 03, 2013, 02:34:59 PM
#30
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Agree, laziness and ego got in the way I think!
hero member
Activity: 756
Merit: 522
April 03, 2013, 02:30:06 PM
#29
There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P

Quote
19. Do you use Google Analytics ?
No. Making a BTC financials website and then slapping GA on it is really akin to going to a cancer survivor's survival party and bringing them chemo drugs as a gift. Yes, it's that insulting/thoughtless. Really. Yes, it does show that level of outright contempt for the user. Really.

Also GA does break Tor in many cases.

Will people read FAQs? Will people implement the better solutions as demonstrated? Etc.
full member
Activity: 202
Merit: 100
April 03, 2013, 10:40:15 AM
#28
Thank you for explaining.
So, I guess that your web app has full access to all tables of your DB?

What do you think about creating a separate DB user for each wallet account. This way there will be no way a user could see other users' tables. Certainly, this will kill DB performance. But who cares about performance when money is at stake?
sr. member
Activity: 262
Merit: 250
April 03, 2013, 10:25:32 AM
#27
sr. member
Activity: 262
Merit: 250
April 03, 2013, 10:20:42 AM
#26
Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

I mean a bitcoin private key encrypted in AES 256. The AES 256 encryption is performed on the client side (javascript) using a password the user supplies. I never see that password.

So basically in StrongCoin when a private key is created, it is create in the browser. The user supplies a password to the Javascript and then Javascript AES encrypts the private key before sending it to the server.

So we only have AES encrypted private keys and a clue field. The user could supply a clue to help them remember the password. Some users may have given too much information in the clue field.

The AES encrypted key (still protected) was leaked along with the clue field.

The clue field has now been removed from Strongcoin and a warning added to encourage users to create more secure passwords.
hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
April 03, 2013, 10:17:49 AM
#25
For the record: blockchain.info/wallet stores your wallet locally and on their servers, encrypted at both places and only ever decrypted on your computer. Looks like StrongCoin was a bit late to the party.  Tongue
And it doesn't charge a 1% fee.
And you can do 'off-site backups' by email, Dropbox and Google Drive - yes, you can keep your wallet.
Blockchain.info wins!
(and it doesn't leak keys  Undecided)
full member
Activity: 202
Merit: 100
April 03, 2013, 10:13:02 AM
#24
Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?
sr. member
Activity: 262
Merit: 250
April 03, 2013, 09:37:11 AM
#23
Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with your the user's password for that specific key. Even if someone could view another persons account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.


They could see the key, but it was still AES 256 encrypted. So they would see something like

U2FsdGVkX19ZvPGX+4T98zGnTjwKs1CmkzXpm8fEJjzuubAY/3wg1JoC6BcqiqR6
mKhdlqyLTeRHc59VfW9ebfwWOfOKnK9qqN8TXXSL4Nw=

So the issue here is that if a user had a low quality password and had given extra info in the clue field then there is a chance they have lost coins.
jp
member
Activity: 69
Merit: 10
April 03, 2013, 09:31:10 AM
#22
Quote
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with your the user's password for that specific key. Even if someone could view another persons account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.
newbie
Activity: 8
Merit: 0
April 03, 2013, 09:04:28 AM
#21
There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P
newbie
Activity: 14
Merit: 0
April 03, 2013, 08:57:19 AM
#20
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.
Already happened!
Any more information?
hero member
Activity: 560
Merit: 500
I am the one who knocks
April 03, 2013, 08:55:46 AM
#19
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.
Already happened!
Sauce?
hero member
Activity: 826
Merit: 500
April 03, 2013, 08:48:42 AM
#18
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.
Already happened!
legendary
Activity: 1806
Merit: 1003
April 03, 2013, 08:46:45 AM
#17
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

+1
Jan
legendary
Activity: 1043
Merit: 1002
April 03, 2013, 08:26:42 AM
#16
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.
hero member
Activity: 756
Merit: 522
April 03, 2013, 08:19:56 AM
#15
1. It was possible to change the id in a URL and see another users encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!
Pages:
Jump to: