Bitcoin app busted

Blockchain Android Bitcoin wallet had a gaping security hole on older versions of Android.

You can argue until you're blue in the face about Bitcoin's "value." What you can't argue with is that investors in this crypto-currency have been ripped off by one security attack or blunder after another. In the latest, Blockchain revealed that some of its Android Bitcoin wallet customers ended up sharing the same bitcoin wallet. This is not good.

Blockchain claims to be the maker of the most popular Bitcoin wallet. Bitcoin wallets use private keys to access customer Bitcoins.

Relatively few Blockchain customers should have been vulnerable to this security hole. The company claims that only "bitcoin addresses generated by old versions of our wallet when run on Android 4.1 'Jelly Bean' or older were vulnerable".

If you're using the old Blockchain wallet on an older version of Android: Stop. Next take the following steps:

1. Move funds sitting in the old wallet to newly generated addresses. Addresses created with the latest Android app, the iOS app, or at www.blockchain.info will not be affected by the flaw.

2. Archive potentially impacted addresses to avoid accidental reuse.

If you believe you've lost coins, Blockchain urges you to contact its support team.

How did this happen? To understand that, you need to know that a Bitcoin wallet is just the combination of a randomly generated public address and its private key. Unless both are truly random, it's possible to break the private key by using the public address.

To generate its private key, Blockchain used two sources of random numbers: Android's built-in random number generator and a random number from Random.org. These two numbers would then be combined to create, in theory, a truly random number.

The code was badly written, though, and on some Android devices the wallet wouldn't pull a random number from Android's random number generator. You can already see where this is going, can't you?

First, one element of the "random" was no longer random. Then, on 4 January, Random.org started requiring all non-secure web traffic to use its secure (HTTPS) web servers. In another example of sloppy programming, the Blockchain app couldn't handle Random.org's 301 webpage redirect. Instead, it picked up the always identical error code.

So starting in January, instead of a random number, this Blockchain app ended up using the same identical number for these accounts. Lovely.
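The failure mode described above can be reproduced in a few lines. This is an added example, not Blockchain's code: the function names, the SHA-256 mixing step and the constructed redirect body are assumptions made for illustration. It shows the unchecked combination next to a version that fails closed when the OS generator gives nothing and only mixes in the remote value when the fetch actually succeeded.

```python
import hashlib
import os

KEY_BYTES = 32
# Constructed stand-in for what a client that does not follow redirects reads back.
REDIRECT_BODY = b"301 Moved Permanently"


def broken_local_rng():
    """Simulates a device where the wallet gets nothing from the OS generator."""
    return None


def healthy_local_rng():
    return os.urandom(KEY_BYTES)


def flawed_seed(local_rng, remote_status, remote_body):
    """Failure mode from the article: neither source is checked before use."""
    local = local_rng() or b""  # missing local entropy is silently skipped
    return hashlib.sha256(local + remote_body).digest()  # status code ignored


def hardened_seed(local_rng, remote_status, remote_body):
    """Fail closed: the OS CSPRNG is mandatory, the remote value only an extra."""
    local = local_rng()
    if not local or len(local) != KEY_BYTES:
        raise RuntimeError("OS CSPRNG unavailable, refusing to generate a key")
    extra = b""
    if remote_status == 200 and len(remote_body) >= KEY_BYTES:
        extra = remote_body  # mixed in only when the fetch really succeeded
    return hashlib.sha256(local + extra).digest()


if __name__ == "__main__":
    # Two "devices" with a broken local RNG, both hitting the redirect.
    a = flawed_seed(broken_local_rng, 301, REDIRECT_BODY)
    b = flawed_seed(broken_local_rng, 301, REDIRECT_BODY)
    print("flawed seeds identical:", a == b)
    try:
        hardened_seed(broken_local_rng, 301, REDIRECT_BODY)
    except RuntimeError as err:
        print("hardened path:", err)
    c = hardened_seed(healthy_local_rng, 301, REDIRECT_BODY)
    d = hardened_seed(healthy_local_rng, 301, REDIRECT_BODY)
    print("hardened seeds identical:", c == d)
```

With both sources degraded, the flawed path hands every affected device the same seed, while the hardened path refuses to produce a key at all.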

Blockchain told the Guardian that "the issue we identified related to an extremely rare case where address entropy could create multiple duplicate addresses (meaning more than one wallet essentially was in custody of the address simultaneously)." It seems to me that the security failure would not have been rare at all.

So, if you'd been using Blockchain for your wallet with older Android devices, I'd urge you to move your Bitcoins as soon as possible. In addition, considering the "quality" of programming revealed in this episode, moving your Bitcoins to another vendor's wallet would be a wise move.
