Blockchain.info has had to issue an important update for its Android Bitcoin wallet app after a bug in the system allowed a small number of affected users to unwittingly share an address in the Bitcoin wallet, in turn creating duplicate funds that those users have now had to forfeit (under duress). As the company put it,
‘[The failure] resulted in one specific address being generated multiple times, leading to a loss of funds for a handful of users.’
The bug, which is being labelled a ‘critical failure’ by digital security experts, affected users of the Bitcoin wallet app running on Android 4.1 (Jelly Bean) or older, and anyone who believes they could have been affected is being urged to move their funds into new addresses.
All users of Blockchain.info’s Android app are also warned to update to the new version of the Bitcoin wallet, and are strongly advised to update their devices to the latest version of the Android OS. Blockchain.info developers also warned that ‘potentially impacted addresses should be archived to avoid accidental reuse’.
The flaw was caused by a series of development errors that combined in a critical manner. Bitcoin wallets are created with a unique public address and a related two-part private key. Unfortunately, an error in the Android Blockchain.info app allowed duplicates of one address to be created.
Usually the app uses Android’s built-in random number generator to create half of the key, and then the online service Random.org to create the second part. On some Android phones (the only named suspect so far is the Sony Xperia range) the process failed because the phone did not report Android’s randomly generated part back to Blockchain.info, a failure which on its own would normally not have caused an issue.
Sadly for those affected, a security update on Random.org on January the 4th, which required all visits to the site to be made over an encrypted connection, caused the second and devastating breakdown in the system.
The reason? The Android Blockchain.info app continued to access Random.org over an unencrypted connection, and mistakenly used the error response (telling the Android device that the site had moved) as the second part of the random number.
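As an added illustration (not code from Blockchain.info’s app), the Python simulation below shows why the two errors described above collapse the address space, and what the checks that would have prevented it look like. The reply bodies, the example URL and the SHA-256 stand-in for key derivation are constructed assumptions.

```python
import hashlib
import secrets

# Constructed stand-ins for the two kinds of reply described above (not real
# Random.org output): a normal reply carrying hex entropy, and the fixed
# "site has moved" reply that the plain-HTTP request received after the change.
def good_remote_reply():
    return (200, secrets.token_hex(32))

REDIRECT_REPLY = (301, "<html><body>Moved Permanently</body></html>")

def flawed_seed(local_entropy, remote_reply):
    """The failure mode in the article: a missing local part is treated as
    empty and the remote body is mixed in whatever the HTTP status was, so
    every device that hit the redirect derived the same seed."""
    status, body = remote_reply
    local = local_entropy if local_entropy is not None else b""
    return hashlib.sha256(local + body.encode()).hexdigest()

def safe_seed(local_entropy, remote_reply, url="https://example.invalid/", min_bytes=16):
    """Hardened variant: refuse to derive anything unless both entropy
    sources are present, well-formed and long enough, the transport is
    encrypted, and the remote status is exactly 200."""
    status, body = remote_reply
    if not url.startswith("https://"):
        raise ValueError("remote entropy must be fetched over TLS")
    if local_entropy is None or len(local_entropy) < min_bytes:
        raise ValueError("local entropy missing or too short")
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}; refusing to seed")
    try:
        remote = bytes.fromhex(body.strip())
    except ValueError:
        raise ValueError("remote body is not hex entropy") from None
    if len(remote) < min_bytes:
        raise ValueError("remote entropy too short")
    return hashlib.sha256(local_entropy + remote).hexdigest()

def distinct_flawed_seeds(n):
    """How many different seeds n devices get when the local part is lost
    and the remote reply is the redirect page: 1, whatever n is."""
    return len({flawed_seed(None, REDIRECT_REPLY) for _ in range(n)})

def distinct_safe_seeds(n):
    """The same n devices through the hardened path, each with its own local
    entropy and a good remote reply: n distinct seeds."""
    return len({safe_seed(secrets.token_bytes(32), good_remote_reply()) for _ in range(n)})
```

Real key derivation is more involved than a single SHA-256; the point is that every input is validated before anything is derived, and any failure aborts rather than silently degrading.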
Commenting on the failure, a Blockchain.info representative said that,
‘The issue we identified related to an extremely rare case where address entropy could create multiple duplicate addresses (meaning more than one wallet essentially was in custody of the address simultaneously). We immediately disclosed the issue and released a fix.’
Insistent that it was not a critical breakdown in the app, and instead only a one-time failure, the statement continued,
‘Only a very small number of users were affected; we’ve counted just three users who have reached out related to the address in question, which is an extremely minor amount compared to the 3.5 million wallets we have.’
Although only three users have been identified as victims so far, the nature of the failure makes it seem at least possible that a few more will surface. Although Blockchain.info is doing its best to keep this from reaching scandalous proportions, many security professionals have gone on record with their disbelief and shock at the two-part nature of the failure, the severity of the issue, and the loss of funds it has caused. One Reddit user (abadidea) commented,
‘We’re all kinda sitting around gawking at it in sheer disbelief that someone would seed for Bitcoin from random.org (problematic), over plaintext (deal breaker), and then not even trap results other than 200 OK (mind blower). An incredible cascade of bad decisions.’
Unsurprisingly, the price of a Bitcoin suffered a slight dip, going from about $239 per XBT on Friday (when the problem first hit the media) to $222 on Monday. However, the price now appears to be recovering, having retraced to its current position of $226 per XBT. Unsurprising, because after all, market sentiment is one of the main drivers of bullish or bearish developments in any currency, and is one of the main indicators traders use to decide which way a currency’s value is going to go.
This is also not the first time that the Blockchain.info app has had problems. In December of last year hundreds of coins were stolen during an overnight scheduled update to the system. In much the same way as on this occasion, this caused a breakdown of the key generation system that makes addresses in the Bitcoin wallet secure and individual. As Blockchain.info noted at the time,
‘When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner. The issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and immediately resolved. In total, this issue affected less than 0.0002 per cent of our user base and was limited to a few hundred addresses.’
Although refunds were issued to users that lost funds on that occasion, it is unclear at this time if losses suffered due to this recent episode will be refunded.