Crypto flaws in Blockchain Android app sent bitcoins to the wrong address

Blockchain, one of the Internet's most widely used Bitcoin wallets, has rushed out an update for its Android app after discovering critical cryptographic and programming flaws that can cause users to send digital coins to the wrong people with no warning.

The vulnerabilities affect a subset of people who run Blockchain for Android on versions 4.1 or older of the mobile OS, according to an advisory published Thursday. The most serious of the flaws is the use of unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.
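The failure mode described above is worth seeing in code: an app asks a remote service for random bytes, the service answers with a redirect instead, and the app seeds its key generation from that constant response body, so every "random" key is the same key. The following is an added, constructed illustration, not code from the Blockchain app or from random.org; the HTTP response object, the URL, the expected content type and the seed derivation are all assumptions made for the example. It contrasts the naive pattern with one that validates the transport and the reply and never lets a remote source be the sole input to a private key.

```python
import hashlib
import os
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class HttpResponse:
    """Minimal stand-in for an HTTP reply (constructed; no network access)."""
    status: int
    body: bytes
    headers: dict = field(default_factory=dict)


# Constructed stand-in for what a plain-HTTP fetch of an entropy service returns
# once the service has moved to HTTPS: a redirect page, not random bytes.
REDIRECT_RESPONSE = HttpResponse(
    status=301,
    body=b"<html><body>301 Moved Permanently</body></html>",
    headers={"Location": "https://example.invalid/", "Content-Type": "text/html"},
)

# Hypothetical URLs; only the scheme matters for the check below.
HTTP_URL = "http://example.invalid/random"
HTTPS_URL = "https://example.invalid/random"


def naive_seed_from_response(resp: HttpResponse) -> bytes:
    """Flawed pattern: whatever came back over the wire is treated as entropy.

    A constant redirect body therefore yields the same seed on every call,
    and a seed that is always the same means a private key that is always the same.
    """
    return hashlib.sha256(resp.body).digest()


class EntropyError(Exception):
    """Raised when the remote reply cannot be trusted as an entropy source."""


def checked_seed_from_response(url: str, resp: HttpResponse,
                               min_bytes: int = 32,
                               expected_ctype: str = "application/octet-stream") -> bytes:
    """Hardened pattern: insist on HTTPS, validate the reply, then mix with local entropy.

    `expected_ctype` is an assumed value; in practice it would be whatever
    the entropy service documents, and the body would be parsed strictly.
    """
    if urlparse(url).scheme != "https":
        raise EntropyError("entropy must only be fetched over HTTPS")
    if resp.status != 200:
        raise EntropyError(f"unexpected HTTP status {resp.status}")
    ctype = resp.headers.get("Content-Type", "")
    if not ctype.startswith(expected_ctype):
        raise EntropyError(f"unexpected content type {ctype!r}")
    if len(resp.body) < min_bytes:
        raise EntropyError("too few bytes from remote entropy source")
    # Mix remote bytes with OS entropy so that even a bad remote reply that
    # slipped past the checks cannot make the seed predictable on its own.
    return hashlib.sha256(os.urandom(32) + resp.body).digest()


def naive_seeds_collide(n: int = 3) -> bool:
    """True if the naive pattern produces one identical seed n times from the redirect."""
    seeds = {naive_seed_from_response(REDIRECT_RESPONSE) for _ in range(n)}
    return len(seeds) == 1


def checked_rejects(url: str, resp: HttpResponse) -> bool:
    """True if the hardened pattern refuses the given URL/reply combination."""
    try:
        checked_seed_from_response(url, resp)
    except EntropyError:
        return True
    return False


def checked_seeds_differ(n: int = 3) -> bool:
    """True if a valid reply over HTTPS gives n distinct seeds (local entropy is mixed in)."""
    good = HttpResponse(200, os.urandom(64),
                        {"Content-Type": "application/octet-stream"})  # constructed reply
    seeds = {checked_seed_from_response(HTTPS_URL, good) for _ in range(n)}
    return len(seeds) == n


if __name__ == "__main__":
    print("naive pattern repeats the same seed:", naive_seeds_collide())
    print("hardened pattern rejects plain HTTP:", checked_rejects(HTTP_URL, REDIRECT_RESPONSE))
    print("hardened pattern rejects the redirect even over HTTPS:",
          checked_rejects(HTTPS_URL, REDIRECT_RESPONSE))
    print("hardened pattern yields distinct seeds:", checked_seeds_differ())
```

The two checks that matter most here are the ones the flawed pattern lacks: refusing any transport that can be silently redirected, and refusing to derive key material from a reply that was never validated as random data. Mixing in `os.urandom` is the belt-and-braces step that keeps a single misbehaving remote source from deciding the key by itself.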

"To our knowledge, this bug resulted in one specific address being generated multiple times, leading to a loss of funds for a handful of users," Thursday's advisory stated.
