Recent weeks will certainly not be remembered fondly by the owners of Blockchain.info, which offers, among other things, a blockchain explorer and an online wallet service. It turns out that the company has very serious problems with the security of its accounts. As a result, hundreds of the service's users have already lost bitcoins stolen from their wallets, and the company has received an avalanche of criticism from Internet users.

It all started with an exchange of words on Reddit between developers of Blockchain.info and of Coinbase, another popular service offering wallets and bitcoin payments. A Coinbase developer pointed out deficiencies in the service's security, as a result of which a considerable amount of cryptocurrency had fallen prey to thieves. Then the Blockchain.info wallet was removed from the list of recommended wallets on Bitcoin.org, the main website of the Bitcoin project. The reason given by the site's administrators was the severity of its security shortcomings. Among them were problems with the security of wallet backups and of the passwords protecting access to them, as well as the absence of safeguards that are slowly becoming standard in other wallets, including: deterministic wallets (BIP32), random passwords, a backup generated when the wallet is created, address rotation, and two-factor authentication (2FA) enabled by default. Bitcoin.org's further criticism focused on the company's lack of transparency. Blockchain.info and Bitcoin.org have reached an agreement that gives the company 60 days to fix the most glaring security deficiencies. If that happens, Blockchain.info will return to Bitcoin.org's list after that time.
In the meantime, there have also been reports of lost funds from users who connected to the service through the anonymous Tor network. The service was fairly quick to respond to that problem, first by blocking access to accounts via Tor, and then by enabling SSL access to its .onion domain over Tor.

Another issue, however, turned out to be much more serious. Without going into unnecessary detail, the private keys of Blockchain.info wallets were being generated with too little entropy. To put it simply, the random values that should have gone into creating such keys turned out not to be random at all, and values already used for earlier keys were often reused for later ones. Based on this, a skilled attacker was able to start from public addresses and calculate the corresponding private keys. Hundreds of Blockchain.info wallet accounts were emptied through this vulnerability. Blockchain agreed to compensate all the losses incurred by its customers, but the wave of negative comments directed at the company did not diminish. Many commentators accused the company's owners of, among other things, poor development work and numerous management problems. Recall that the company recently raised over $30 million from external investors for its development. So far, however, this has not brought tangible results, at least as far as the security of the service is concerned.

Despite promising to improve, the owners of Blockchain.info, including its CEO, have tried to defend themselves against the allegations and to present their own view of the matter. Nicolas Cary, CEO of Blockchain.info:

"I don't think it's fair to say that everything we're dealing with on Reddit is real criticism. I think there are a few overly open members of the community, representing brands that are also exposed to these kinds of dangers, that are behind some of these kinds of accusations. We're listening to them as well. We know that we need to try harder. We have a very strong team of developers. We have created a really substantial amount of software so far. We follow proper quality and security standards. The real message we want to give to the community is to make sure we intend to get better. We know we need to do a better job. But at the same time, we humbly do the right thing to take care of our customers when problems arise."

The cup of bitterness and, I guess we can already use this word, embarrassment that the events of recent weeks had filled for Blockchain.info was finally topped off by the "feat" of one of the more "advanced" users of the BitcoinTalk.org forum, appearing there under the pseudonym johoe. He managed to withdraw a total of 255 BTC from Blockchain.info accounts. It turned out, however, that he did so only in order to expose the most serious vulnerabilities in the security of those wallets. All the funds were recently returned to the address of Blockchain's Chief Technology Officer, Ben Reeves. In mi
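The entropy problem described above is the kind of failure a wallet operator can catch with a self-check on its own key generator before any key is handed to a customer. The following is an added example, not Blockchain.info's code: a deliberately weak generator that draws each key from only a handful of bits of fresh entropy (constructed to reproduce the reuse described above) is audited against keys from the OS CSPRNG, and any repeated key value or out-of-range scalar is flagged.

```python
import os
import random
from collections import Counter
from typing import Dict, List

KEY_BYTES = 32
# Order of the secp256k1 group; a valid Bitcoin private key is an integer in [1, N-1].
SECP256K1_N = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)


def weak_keygen(count: int, seed_bits: int = 8) -> List[bytes]:
    """Constructed weak generator: each key is expanded from only `seed_bits`
    of fresh entropy, so the same 'random' key is handed out again and again.
    With seed_bits=8 there are at most 256 distinct keys no matter how many
    are requested."""
    keys = []
    for _ in range(count):
        seed = int.from_bytes(os.urandom(4), "big") % (1 << seed_bits)
        scalar = random.Random(seed).getrandbits(8 * KEY_BYTES)
        keys.append(scalar.to_bytes(KEY_BYTES, "big"))
    return keys


def strong_keygen(count: int) -> List[bytes]:
    """Keys drawn from the OS CSPRNG; a repeat in a 256-bit space is astronomically unlikely."""
    return [os.urandom(KEY_BYTES) for _ in range(count)]


def audit_keys(keys: List[bytes]) -> Dict[str, object]:
    """Wallet-side self-check over a batch of freshly generated private keys.
    Any reuse at all in a 256-bit key space means the entropy source is broken;
    scalars outside [1, N-1] are not valid secp256k1 private keys."""
    counts = Counter(keys)
    reused = {k.hex(): c for k, c in counts.items() if c > 1}
    out_of_range = [
        k.hex() for k in counts if not 1 <= int.from_bytes(k, "big") < SECP256K1_N
    ]
    return {
        "total": len(keys),
        "distinct": len(counts),
        "reused": reused,            # hex key -> how many times it was issued
        "out_of_range": out_of_range,
        "ok": not reused and not out_of_range,
    }


if __name__ == "__main__":
    print("weak  :", {k: v for k, v in audit_keys(weak_keygen(2000)).items() if k != "reused"})
    print("strong:", audit_keys(strong_keygen(2000)))
```

In production the check belongs in a continuous test of the generator, not a one-off audit, since the weakness described above only shows up across many keys issued over time.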