
Topic: This redditor claims 160 BTC stolen from his blockchain acct even with 2 factor (Read 881 times)

sr. member
Activity: 306
Merit: 250
Blockchain's iPhone and Android apps store your main password in clear text in the db.
What, Blockchain.info's mobile apps offer an option for remembering the password? That's just plain stupid. If such an option doesn't exist when using the web browser version, why should it exist on the apps? It's equally unsafe.

If I had 160 BTC, I wouldn't be storing them on Blockchain.info but on a very well kept paper wallet.
hero member
Activity: 658
Merit: 500
Blockchain's iPhone and Android apps store your main password in clear text in the db. If you have that, you can simply log in, go to export unencrypted and do whatever the hell you want with the private keys. 2-factor or not.

It's useless and it's a huge hole that should be plugged.
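The check a practitioner would run before trusting a "remember password" option is to pull the app's SQLite database off the device (or out of a backup) and scan it for the password itself. The script below is an added example, not code from the thread or from Blockchain.info: it builds a constructed, hypothetical settings database (the table and column names are assumptions, not the real app's schema), writes the password in clear the way the post describes, and then scans every text and blob cell of every table for the password, both as-is and base64-encoded, since encoding is not encryption. With "remember password" on, the scan finds it; with it off, nothing is persisted and the scan comes back empty.

```python
import base64
import os
import sqlite3
import tempfile

# Hypothetical schema for a mobile wallet's local settings database, constructed
# for this example only; it is NOT the real Blockchain.info app schema.
SCHEMA = """
CREATE TABLE wallet_settings (
    guid TEXT NOT NULL,
    remembered_password TEXT   -- filled in only when "remember password" is on
);
"""


def build_sample_db(path, password, remember_password):
    """Create the constructed settings db at `path`.

    When remember_password is True the password is written in clear text,
    which is the behaviour the post above reports; otherwise nothing is stored.
    """
    conn = sqlite3.connect(path)
    with conn:
        conn.executescript(SCHEMA)
        conn.execute(
            "INSERT INTO wallet_settings (guid, remembered_password) VALUES (?, ?)",
            ("hypothetical-wallet-guid", password if remember_password else None),
        )
    conn.close()


def find_plaintext_secret(db_path, secret):
    """Scan every user table/column in the SQLite file for `secret`.

    Matches the secret verbatim or base64-encoded (a common "obfuscation").
    Returns a list of (table, column, rowid) tuples where it was found.
    """
    needles = [secret, base64.b64encode(secret.encode()).decode()]
    hits = []
    conn = sqlite3.connect(db_path)
    try:
        tables = [
            r[0] for r in conn.execute(
                "SELECT name FROM sqlite_master "
                "WHERE type='table' AND name NOT LIKE 'sqlite_%'"
            )
        ]
        for table in tables:
            columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for column in columns:
                for rowid, value in conn.execute(
                    f'SELECT rowid, "{column}" FROM "{table}"'
                ):
                    if isinstance(value, bytes):
                        value = value.decode("utf-8", "replace")
                    if isinstance(value, str) and any(n in value for n in needles):
                        hits.append((table, column, rowid))
    finally:
        conn.close()
    return hits


def audit_remember_password(password, remember_password):
    """Build a throwaway db with the given setting and return the scan hits."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)  # an empty file is a valid empty SQLite database
    try:
        build_sample_db(path, password, remember_password)
        return find_plaintext_secret(path, password)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("remember on :", audit_remember_password(pw, True))
    print("remember off:", audit_remember_password(pw, False))
```

On a real device you would point find_plaintext_secret at the copied database file and pass your own wallet password; any hit means whoever can read that file (a rooted device, a backup, a malicious app with the right permissions) holds everything needed to log in and export the keys, regardless of a second factor on the login.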
legendary
Activity: 2198
Merit: 1311
The thread: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/

I was wondering if someone more versed in security could comment on it. Some users seem to think that he mismanaged and the coins got sent to a "change" address still under his control, while the OP insists that this isn't the case here, and someone actually managed to bypass both his password protection and 2-factor security, possibly through an Android wallet app. Needless to say, such news scares the shit out of us.

This underscores the fact that bitcoin isn't ready for mainstream, as the simplest and most secure way to store bitcoin wealth is still more trouble and more technical than what most people are prepared to implement (i.e. offline, air-gapped private keys with encrypted and physical backups).

Right now, I wouldn't be pairing blockchain.info wallets with mobile devices. I actually do pair a blockchain.info wallet with my iPhone, but that account only watches addresses associated with offline private keys. I cannot spend from it, and neither could anyone else.
sr. member
Activity: 367
Merit: 250
The thread: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/

I was wondering if someone more versed in security could comment on it. Some users seem to think that he mismanaged and the coins got sent to a "change" address still under his control, while the OP insists that this isn't the case here, and someone actually managed to bypass both his password protection and 2-factor security, possibly through an Android wallet app. Needless to say, such news scares the shit out of us.