Pando: Bitcoin wallet accidentally introduced a software vulnerability last night

Bitcoin wallet Blockchain.info accidentally introduced a software vulnerability last night

Blockchain.info, the popular online Bitcoin wallet, inadvertently introduced a vulnerability into its software platform overnight. The company released a disclosure earlier this morning that reads, in part:

“When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner.

“The issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and instantly resolved. In total, this issue affected less than 0.0002% of our user base and was limited to a few hundred addresses.” [Emphasis theirs.]

Given the troubling history of security breaches and lost consumer deposits among bitcoin wallets and exchanges — including but not limited to Mt. Gox — there’s reason for concern when reports of less-than-reliable security emerge. Blockchain was also delisted from bitcoin.org last week after the company’s security procedures were found to be lacking.

Indeed, Reddit’s r/Bitcoin forum is full of questions and uncertainties around the trustworthiness of the Blockchain.info wallet. Users first reported “JavaScript verifier discrepancies,” with another user suggesting – erroneously, it seems – that “At least hundreds of coins were stolen from Blockchain.info users last night, it’s blockchain.info’s fault, and no one is talking about it.” Blockchain representatives began responding to these concerns in-line, almost instantly.

The timing couldn’t be worse for Blockchain’s investors, as the company just closed a massive $30.6 million Series A round in early October. The list of investors includes Future Perfect Ventures, Prudence Holdings, Wicklow Capital, Lightspeed Venture Partners, Virgin founder Richard Branson, Charles River Ventures’ partner Rafael Corrales, Braintree COO Amit Jhawar, and An Engineering Guild founder Nat Brown.

Blockchain has reached out to affected users and is asking anybody who created a wallet, generated a new web-wallet address, or sent bitcoin from their wallet during the affected time period to contact the company.

[Update: Shortly after publishing, Blockchain CEO Nicolas Cary provided Pando the following statement: I felt it might be relevant to point out what security steps we have taken recently. The bitcoin.org issue is in flux and bringing a significant dialogue into focus regarding web and security standards. Right now, it’s not clear at all what they ‘endorse’ or don’t. The reality is, we’re one of the few companies that can do the right thing in rough situations.

The fact remains, we’re one of the few bitcoin companies with an EVSSL Cert, truly open source software, and in the case of our most recent security incident, albeit regrettable, actively involved in security innovation and the discourse of improving user privacy:

We know we have to get better and we will. At the moment, we’re actively reviewing claims and will be reimbursing those users who lost funds.]

Read the full statement from Blockchain Outreach & Communications Manager Alyson Margaret:

Blockchain.info Security Disclosure

When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner.

The issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and instantaneously resolved. In total, this issue affected less than 0.0002% of our user base and was limited to a few hundred addresses.

We have sent an alert to all users who have potentially vulnerable addresses in their wallets, for which we have an email on file. We are committed to working with any affected users to assess and rectify any issues.

If you created a wallet, generated a fresh address via Blockchain.info’s web-wallet, or sent bitcoin from your wallet during this time period and have not provided us with your email address, please contact our support desk at [email protected] or simply create a fresh wallet.

Addresses, wallets and transactions created via the Blockchain.info iOS and Android apps, and the Chrome extension are not affected.

If you have any questions or concerns, please do not hesitate to contact us.
