Author

Topic: WTF? 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh [bc.i] (Read 1502 times)

staff
Activity: 4284
Merit: 8808
December 10, 2014, 06:39:16 PM
#2
::Sigh:: Again?  https://people.xiph.org/~greg/21mbtc.png

Really the limitations of the security model for that kind of wallet only start with the JS substitution/injection attacks. The fact that even if the software is perfect it depends on honest data from the server... You can rob someone just as well by making them think they've been paid when they haven't been as you can by stealing their private keys.
legendary
Activity: 1260
Merit: 1019
Look to https://blockchain.info/address/1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh

Do you see outgoing transactions from this address?
They are unconfirmed and can not be confirmed by other nodes
Because 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh - is a hash of hex ( "00" )

You can see that scriptSigs do not contain public key, but only OP_FALSE instead of it
In fact this is not OP_FALSE command but OP_PUSH ( 00 )

So, these transactions are invalid. But the attacker can "send" coins from this address to other users of bc.i
And this can create a long chain of never confirmed transactions, because bc.i service allows to spend unconfirmed coins

Does bc.i verify signatures at all?
Jump to: