Pando

Bitcoin wallet Blockchain.info accidentally introduced a software vulnerability last night

By Michael Carney , written on December 8, 2014

From The News Desk

Blockchain.info, the popular online Bitcoin wallet, has inadvertently introduced a vulnerability into its software platform overnight. The company released a disclosure earlier this morning that reads, in part:

When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner.

The issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and immediately resolved. In total, this issue affected less than 0.0002% of our user base and was limited to a few hundred addresses. [Emphasis theirs.]

Given the troubling history of security breaches and lost consumer deposits among bitcoin wallets and exchanges -- including but not limited to Mt. Gox -- there's reason for concern when reports of less than reliable security emerge. Blockchain was also delisted from bitcoin.org last week after the company’s security procedures were found to be lacking.

Indeed, Reddit’s r/Bitcoin forum is full of questions and uncertainties around the trustworthiness of the Blockchain.info wallet. Users first reported “JavaScript verifier discrepancies,” with another user suggesting – erroneously, it seems – that “At least hundreds of coins were stolen from Blockchain.info users last night, it's blockchain.info's fault, and no one is talking about it.” Blockchain representatives began responding to these concerns in-line, almost immediately.

The timing couldn’t be worse for Blockchain’s investors, as the company just completed a massive $30.6 million Series A round in early October. The list of investors includes Future Perfect Ventures, Prudence Holdings, Wicklow Capital, Lightspeed Venture Partners, Virgin founder Richard Branson, Charles River Ventures' partner Rafael Corrales, Braintree COO Amit Jhawar, and An Engineering Guild founder Nat Brown.

Blockchain has reached out to affected users and is requesting that anybody who created a wallet, generated a new web-wallet address, or sent bitcoin from their wallet during the affected time period should contact the company.

[Update: Shortly after publishing, Blockchain CEO Nicolas Cary provided Pando the following statement:

I felt it might be relevant to point out what security steps we have taken recently. The bitcoin.org issue is in flux and bringing an important dialogue into focus regarding web and security standards. Right now, it's not clear at all what they 'endorse' or don't. The reality is, we're one of the few companies that can do the right thing in tough situations.

https://github.com/bitcoin/bitcoin.org/pull/663#issuecomment-65656828

The fact remains, we're one of the few bitcoin companies with an EVSSL Cert, truly open source software, and in the case of our most recent security incident, albeit regrettable, actively involved in security innovation and the discourse of improving user privacy:

We know we have to get better and we will. At the moment, we're actively reviewing claims and will be reimbursing those users who lost funds.]

Read the full statement from Blockchain Outreach & Communications Manager Alyson Margaret:

Blockchain.info Security Disclosure

December 8, 2014

When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner.

The issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and immediately resolved. In total, this issue affected less than 0.0002% of our user base and was limited to a few hundred addresses.

We have sent an alert to all users who have potentially vulnerable addresses in their wallets, for which we have an email on file. We are committed to working with any affected users to assess and rectify any issues.

If you created a wallet, generated a new address via Blockchain.info’s web-wallet, or sent bitcoin from your wallet during this time period and have not provided us with your email address, please contact our support desk at [email protected] or simply create a new wallet.

Addresses, wallets and transactions created via the Blockchain.info iOS and Android apps, and the Chrome extension are not affected.

If you have any questions or concerns, please do not hesitate to contact us.

Blockchain.info Development Team