Blockchain.info wallet - ku przestrodze.

TL;DR - Jest podejrzenie, że klucze (prawdopodobnie na blockchain.info wallecie, lub w którymś miejscu pomiędzy) nie są generowane randomowo i że ktoś, zna formułę generowania.

Ciekawe info do poduszki - ktokolwiek ma tam wallet, warto podjąć kroki bezpieczeństwa.

Komentarze i dyskusja tutaj.

YouTube · Postautor: **rav3n_pl** » piątek, 1 grudnia 2017, 01:13

Po prostu swój wallet z samodzielnie wygenerowanym seedem...

B4rtosz pisze:Blockchain.info wallet - ku przestrodze.

To z Blockchain.info to tylko czyjaś hipoteza.

Odpowiedź Blockchain.info:

Recently we were contacted by a researcher regarding a potential address generation issue that resulted in private keys being discoverable as well as the funds associated with those addresses. Through his research he identified 128 addresses that were potentially vulnerable including one that he linked to a Blockchain wallet.
Security and the safety of user funds is a top priority at Blockchain. We have a variety of internal mechanisms in place to prevent against malicious attacks and work diligently to educate our users on security best practices. We also investigate all security reports that we receive. For this particular issue, here’s what we discovered:
After an extensive code review across all of our platforms by our lead engineers and security engineering staff, we did not find any patterns in the logic that would cause the same address generation issue this researcher discovered.
Our QA and security team also tried to reproduce the issue and were unable to generate any similar addresses or reproduce this issue.
We then analyzed the transactions characteristics of the 128 impacted addresses reported to us and were able to definitively rule out 94 addresses as not associated with a Blockchain Wallet.
Of the remaining 34 addresses, while we could not rule them out immediately because of our data and privacy constraints, we have strong data to believe they are not connected to a Blockchain Wallet. It is highly unlikely that they were generated by our software.
We scanned the entire block chain during the company’s duration (2011 to present) for similarly generated addresses and discovered six additional addresses, previously undiscovered by the researcher, that were generated in the same manner. We were also able to rule these addresses out as associated with a Blockchain Wallet.
There is only one address we have be able to definitively identify as associated with a Blockchain Wallet. However, this address was imported into the user’s Blockchain Wallet. We’re collaborating with this user to continue to investigate what happened in this specific instance. In other words, the one impacted address that is associated with a Blockchain wallet was imported into that wallet and was not generated by our software.
After extensive investigation and failure to reproduce in our wallet software the kinds of addresses observed by the researcher, we are confident that the address generation issue he discovered did not originate from our Blockchain Wallet software.
We welcome security inquiries and actively support our bug bounty program. If you would like to review our code it’s available on Github here.

Tak się zastanawiam, czy w przypadku coinów, które używają adresy typu stealth (Monero, Zcash), taka problematyczna sytuacja byłaby niemożliwa do zaistnienia... Tam nie portfeli deterministycznych (główny klucz wydający jest stały).