Uncovering Blockchain.info’s random number generator issues those resulted in loss of funds for users.
“incredible cascade of bad decisions”
Mandrik was the first employee of Blockchain.info (he left because of the SegWit2x drama.) To verify his claims I found the GitHub commits posted on Reddit. Unfortunately Blockchain.info did succeed to take those commits down, but the url tells that the commits were made into the Android-Wallet-2 app. And indeed the developer of that app was William Hill, also known as SamouraiDev.
The Bugs Explained
Although Blockchain.info deleted the commits this Reddit explains the code clearly.
SamouraiDev used a custom LinuxSecureRandom implementation that is being seeded from random.org . However when this wasn’t available, “instead of screaming bloody murder like any sensible implementation would” he fell back to the standard SecureRandom class. Seeding this class does not add additional entropy, but replaces it entirely. This resulted in users generating wallets from seeding solely with random.org .
The next mistake was that he was “using HTTP instead of HTTPS to make the webservice call to random.org.”
But on January 2015, random.org started enforcing HTTPS. However SamouraiDev made a mistake even here: instead of acknowledging the error, as any reasonable person would do, he silently ignored it and “since that date, the entropy has actually been the error message.”
Furthermore, in his “fix” he was still using random.org.
Incompetence
Randomness is the holy grail of Bitcoin development. What would you do if you wake up for your bitcoin wallet emptied? You could even use a cold storage, you are damned if someone generates the same keys as you.
Committing a chain of bugs to the most important part of any Bitcoin wallet where even a single bug would be disastrous in itself and then introducing another bug during the “fix” is not good. Furthermore according to the original Reddit poster this wasn’t even the first occasion: “It was their BUGS on PRNG again!”.
This has found its way to infosec Twitter and we’re all kinda sitting around gawking at it in sheer disbelief that someone would seed for Bitcoin from random.org (problematic), over plaintext (deal breaker), and then not even trap results other than 200 OK (mind blower). An incredible cascade of bad decisions. — /u/abadidea
“deal breaker” here starts at the thought of using
random.orgfor generating private keys. — /u/alithediamondsSince they’re not using HTTPS, they don’t even need to MTM it, just tap it. — /u/ex_ample
