Topic: Wallet Hack on 4/25 - page 4. (Read 11212 times)

Yeah, can I change it after the fact?  Realized that after I did it and it's definitely misleading.  Nothing wrong with the protocol or bitcoin in general - more apropot would be wallet hack.

Agree.  Already had cold storage so was trying to be diligent, just hadn't moved since withdrawing from BTC-e.  Definitely have learned a lesson.  Keep hot balances low and only access bitcoin-qt from clean/sandboxed computer that I don't do my daily surfing on to avoid any type of java/javascript exploits.  Recommend the same for others.

I am collecting all the information I can, still not clear of the exact root cause. There are a number a blockchain.info wallets compromised in this transaction but i'm not sure it is exclusively blockchain wallets, some of the input addresses look like wallets from other clients (i.e. they use change addresses and transactions are not shown as being relayed by blockchain). More data points are needed.


I think it is possible to rule out an android problem, several users have stated they do not use an android app.

Brute forcing is a possibility but I remain sceptical about the feasibility of brute forcing 10 character passwords. A 10 character password, 10 rounds of pbkdF2 with 36 possible characters at 5 million guesses per second would take 80,000 days to search the entire key space. I'm not sure it even possible to achieve 5 million guesses per second http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ estimates rates significantly lower speeds (if  pbkdF2 can be considered close to bcrypt speed). That is for one wallet as well, this seems to be multiple wallets in parallel. All wallets have a unique salt so precomputed dictionary attack shouldn't be possible. Also I have setup several wallets with deliberately weak passwords that are unemptied.

All users affected so far have had JAVA enabled possibly this is the result of some malware spread through a java applet. I can't find the post now but there was a report of a malicious Java applet designed to collect wallet data.

Other possibilities are XSS or a leak of passwords from another site although there is is no direct evidence of this.

I see, thanks. I'd entirely overlooked that, but in retrospect it's always been a feature that one can prove identity via ownership of an address.

OP, might make sense for a thread like this to be called "blockchain.info hack" instead of "bitcoin hack". The latter is somewhat misleading.

Is it possible someone found a way to download all wallets from blockchain.info and just started bruting 'em? Maybe someone found a list of identifiers and is just pulling them as they have time. They did have those security issues recently...

o_O people still have Java installed? After the latest problems I ditched that sh!t and haven't looked back. How many zero-days is it responsible for now? 105% of them?

I'm not sure that it's possible in blockchain.info, but in the QT client, there's a button that says "sign message" or something like that.

How does one even do that?

noscript, if properly used disables all javascript and all other functionality other than plain html. Has been that way since I've been using it... which is for a couple years now.

Are you confusing Java for Javascript? Or does noscript disable Java now too?

I am not convinced this has anything to do with Android. I've seen some chatter about brute-forcing attacks against blockchain.info wallets. Is it possible some older wallets have passwords that aren't strong enough? The b.i KDF is SHA1 repeated only a handful of times, iirc, because JavaScript is slow.

hmmzzz armory?

For 0.78 BTC you just got a very inexpensive lesson in security.  Don't let those coins be spent for naught.

I see you're point. Trying to make bitcoin owners traceable would also have similar problems. They only way would be to be able to secure a wallet with something more tougher to crack than a password. Same with emails, passwords are the weak link to their security.

It wouldn't be hard, but part of Bitcoins being Bitcoins is that they are fungible.  We'd be in for a whole huge mess if people started attempting to determine whether coins were stolen.  What authority do you go by?  If one person says funds are stolen, and another person says they were legitimately acquired, who do you believe?  What if you do not have services available to check the stolen-ness of coins prior to accepting them?  Not to mention, a proper criminal could simply send the coins to a mixing service, and then the taint would be spread across many different people and addresses.

This has been discussed many times before, and always ends up that no one wants to uphold any kind of taint on Bitcoin coins.  It just wouldn't work, and would largely kill Bitcoin.

It's too bad that stolen bitcoins cannot be redflagged so they can't be spent or sold on exchanges. If every bitcoins previous chain of owners can be verified it shouldn't be too hard.

I didn't press "accept", so I hope I'm safe. But I can't log into Blockchain now without it popping up... Maybe I should uninstall Java.

That shouldn't happen, you were infected by Java, most likely. But how did Java exploit end up on Blockchain.info?

I was asked to run Java last time I logged in to Blockchain.info. Is this supposed to happen? Think I'll transfer my Bitcoins to a paperwallet to be on the safe side...