Crypto flaws in Blockchain Android app sent bitcoins to the wrong address

A comedy of programming errors could prove catastrophic for affected users.
http://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-android-app-sent-bitcoins-to-the-wrong-address/:

The most serious of the flaws is the use of the unencrypted HTTP connections when the app’s cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.

According to this entry in the Bitcoin ledger, the owner of the lucky 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address appears to have received almost 34 bitcoins since the January
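The failure the article describes is worth seeing in code: the app treated whatever bytes came back from the HTTP request as 256 bits of entropy, so once the server started answering with a redirect, every client hashed the same fixed text into the same key. The block below is an added example, not code from the article or from the Blockchain app. It models the response as a small dict (a constructed stand-in, not the real HTTP client) and puts the unchecked pattern beside a version that validates the status and payload and mixes in local OS randomness so a broken remote source cannot determine the key on its own.

```python
"""Added example (not from the Ars Technica article or the Blockchain app).

Shows why seeding a key generator from an unvalidated HTTP response yields
the same key for everyone, and what a hardened client checks instead.
"""
import hashlib
import os
import re

# Constructed stand-in for what a plain-HTTP client receives once the
# randomness service redirects to HTTPS: a 301 and an HTML body, not entropy.
REDIRECT_RESPONSE = {
    "status": 301,
    "headers": {"Location": "https://example.invalid/redirected"},  # placeholder
    "body": b"<html><body>301 Moved Permanently</body></html>",
}


def good_response():
    """Constructed stand-in for a healthy reply: 32 random bytes, hex-encoded."""
    return {"status": 200, "headers": {}, "body": os.urandom(32).hex().encode()}


def naive_private_key(response):
    """Buggy pattern: hash whatever came back and call it the private key.

    Every client that receives the same redirect page derives the same key,
    which is exactly the deterministic-address outcome the article reports.
    """
    return hashlib.sha256(response["body"]).hexdigest()


class EntropyError(Exception):
    """Raised when the remote randomness cannot be trusted."""


HEX256 = re.compile(rb"[0-9a-fA-F]{64}")


def validated_seed(response):
    """Hardened pattern: accept only a 200 carrying exactly 256 bits of hex,
    and never let the remote bytes be the sole input to the key."""
    if response["status"] != 200:
        raise EntropyError(f"unexpected HTTP status {response['status']}")
    body = response["body"].strip()
    if not HEX256.fullmatch(body):
        raise EntropyError("response body is not 64 hex characters")
    remote = bytes.fromhex(body.decode("ascii"))
    # Mix with local OS randomness: a compromised, stale or redirected remote
    # source then cannot by itself fix the resulting key.
    local = os.urandom(32)
    return hashlib.sha256(remote + local).digest()


def hardened_result(response):
    """Return ("ok", seed) on success or ("rejected", reason) on failure."""
    try:
        return ("ok", validated_seed(response))
    except EntropyError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Two independent "users" hit the redirected endpoint: identical keys.
    print("naive keys equal:",
          naive_private_key(REDIRECT_RESPONSE) == naive_private_key(REDIRECT_RESPONSE))
    print("hardened on redirect:", hardened_result(REDIRECT_RESPONSE))
    print("hardened on good response:", hardened_result(good_response())[0])
```

The important design choice is that the hardened path fails closed: a non-200 status, a wrong-length body, or non-hex content aborts key generation rather than silently producing a key. In a real wallet the same logic would sit behind an HTTPS client with certificate validation, which the HTTP call in the article lacked entirely.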

Ok, they used a website via an unencrypted HTTP connection to generate random numbers because the RNG of Android is unusable. After the RNG website switched to HTTPS, the HTTP call returned “301 Moved Permanently” instead of the expected 256-bit number and then this was used as the “random” value to generate keys… LOL!?

This is the funniest fuckup in cryptocoin history I have seen so far. Just unbelievable.

I don’t know why a service would use an external service to generate a number, it’s pretty easy to do it yourself in a line of code.

Whoever owns that bitcoin address will be one happy person lol


@BrownSlaughter The reason could be an old security issue with Android’s random number generator: https://bitcoin.org/en/alert/2013-08-11-android
But apart from that, relying upon an external unencrypted resource for such a critical part of the application still seems very, very idiotic.