Crypto flaws in Blockchain Android app sent bitcoins to the wrong address
A comedy of programming errors could prove catastrophic for affected users.
The most serious of the flaws is the use of unencrypted HTTP connections when the app’s cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.
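The failure mode described above, as an added example that is not the app's code: a simplified Python model in which whatever an entropy endpoint returns is hashed into a key seed, next to a version that validates the response and mixes in local CSPRNG output. The `Response` type, the `entropy.example` URL, the sample bodies and the hash-the-body derivation are constructed assumptions; the page does not show how the app turned the response into a key.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Response:  # constructed stand-in for an HTTP client response
    url: str
    status: int
    body: bytes

class EntropyError(Exception):
    """Raised when the remote value must not be used as key material."""

HEX_256 = re.compile(rb"[0-9a-fA-F]{64}")  # exactly 256 bits, hex encoded

def seed_unchecked(resp: Response) -> bytes:
    # Failure mode: any response body is treated as entropy (assumed derivation).
    return hashlib.sha256(resp.body).digest()

def seed_checked(resp: Response, local: Optional[bytes] = None) -> bytes:
    # Reject anything that is not a well-formed value fetched over TLS.
    if not resp.url.startswith("https://"):
        raise EntropyError("entropy fetched over a non-TLS URL")
    if resp.status != 200:
        raise EntropyError(f"unexpected HTTP status {resp.status}")
    body = resp.body.strip()
    if not HEX_256.fullmatch(body):
        raise EntropyError("body is not a 256-bit hex value")
    # Mix with the OS CSPRNG so the remote value alone never fixes the key.
    local = os.urandom(32) if local is None else local
    return hashlib.sha256(local + bytes.fromhex(body.decode())).digest()

# Constructed sample responses (not captured traffic).
REDIRECT = Response("http://entropy.example/hex", 301,
                    b"<html><title>301 Moved Permanently</title></html>")
GOOD = Response("https://entropy.example/hex", 200, b"a3" * 32 + b"\n")

def demo() -> dict:
    # Two separate installs that both receive the redirect page.
    first, second = seed_unchecked(REDIRECT), seed_unchecked(REDIRECT)
    try:
        seed_checked(REDIRECT)
        rejected = False
    except EntropyError:
        rejected = True
    return {"same_seed": first == second, "rejected": rejected,
            "distinct": seed_checked(GOOD) != seed_checked(GOOD)}

if __name__ == "__main__":
    print(demo())
```

In the unchecked path every install that receives the same redirect page derives the same seed, which is the shared-key outcome the article reports.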
According to this entry in the Bitcoin ledger, the owner of the lucky 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address appears to have received almost 34 bitcoins since the January
Ok, they used a website via an unencrypted http connection to generate random numbers because the RNG of Android is unusable. After the RNG website switched to https, the http call returned “301 Moved Permanently” instead of the expected 256-bit number and then this was used as the “random” value to generate keys… LOL!?
This is the funniest fuckup in cryptocoin history I have seen so far. Just unbelievable.