blockchain.info vulnerability allows attackers to steal bitcoin wallet backups


Blockchain.info is a bitcoin cryptocurrency wallet and block explorer service. Started in August 2011, the service presents information on new transactions and mined blocks in the bitcoin blockchain, charts on the bitcoin economy, and statistics and resources for developers.

Security researcher Shashank has discovered a critical vulnerability in blockchain.info that allowed him to steal the bitcoin wallet backup of any user's account with negligible user interaction.

The researcher said that the backup feature creates a JSON file containing the backup of your account, which you can download, email to yourself, or store quickly in your Google Drive or Dropbox account. The main issue is that anyone who gets hold of your JSON file can easily import it at blockchain.info and steal all the bitcoins in your account.

According to the researcher:
“I noticed once you click on the Dropbox or Gdrive button you will be asked to login with your Google or Dropbox account, and once it's authorised blockchain will automatically store the backup file in your Dropbox or Gdrive using your access token.”

When a user completes the Google Drive authorization, the callback URL looks like this, with no CSRF token:
“https://blockchain.info/wallet/gdrive-update?code={YourGdriveToken}”

Now, if an attacker wants to steal anyone's bitcoin wallet backup, he will do the following:
1- Authenticate with Google Drive at blockchain.info.
2- Catch the Google Drive token.
3- Send the following link to the victim:
https://blockchain.info/wallet/gdrive-update?code={GoogledriveToken}
4- Once the link is clicked, the victim's bitcoin wallet backup will be stored in the attacker's Google Drive account.
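The root cause is an OAuth callback that trusts whatever `code` arrives in the URL, with nothing binding the request to the session that started the flow. The following is an added illustration, not blockchain.info's code: a minimal model of the vulnerable callback next to a hardened one that mints a random `state` value, stores it in the user's session, and refuses any callback that does not echo it back. All names (`gdrive_update_*`, `begin_gdrive_link`, the uploads list, the wallet and token strings) are constructed for this example.

```python
import hmac
import secrets

def begin_gdrive_link(session: dict) -> str:
    """Start the OAuth flow: mint a random state, bind it to this session,
    and return the (placeholder) authorization URL carrying that state."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return f"https://oauth.example/authorize?state={session['oauth_state']}"

def gdrive_update_vulnerable(session: dict, query: dict, uploads: list) -> str:
    """Models the pattern described in the article: whichever access code is
    in the URL is used to push the logged-in user's backup to that Drive."""
    uploads.append((session["wallet_id"], query["code"]))
    return "backup stored"

def gdrive_update_hardened(session: dict, query: dict, uploads: list) -> str:
    """Same endpoint, but the callback must carry the state this session
    minted; the state is consumed (popped) so it cannot be replayed."""
    expected = session.pop("oauth_state", None)
    supplied = query.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or mismatched state"
    uploads.append((session["wallet_id"], query["code"]))
    return "backup stored"

def demo() -> dict:
    """Replay the article's scenario against both handlers. The victim is
    logged in; the attacker only controls the link, never the session."""
    results = {}
    forged_query = {"code": "ATTACKER_DRIVE_CODE"}  # constructed attacker link
    # Vulnerable handler: the victim's wallet lands in the attacker's Drive.
    uploads = []
    gdrive_update_vulnerable({"wallet_id": "victim-wallet"}, forged_query, uploads)
    results["vulnerable_leaked"] = ("victim-wallet", "ATTACKER_DRIVE_CODE") in uploads
    # Hardened handler: the forged link has no valid state, nothing is uploaded.
    uploads = []
    gdrive_update_hardened({"wallet_id": "victim-wallet"}, forged_query, uploads)
    results["hardened_forged_blocked"] = uploads == []
    # Legitimate flow: the state minted in the victim's own session round-trips.
    victim = {"wallet_id": "victim-wallet"}
    state = begin_gdrive_link(victim).split("state=")[1]
    gdrive_update_hardened(victim, {"code": "VICTIM_DRIVE_CODE", "state": state}, uploads)
    results["hardened_legit_ok"] = uploads == [("victim-wallet", "VICTIM_DRIVE_CODE")]
    return results
```

Binding the callback to a per-session `state` is the standard CSRF defence for OAuth redirects; checking the `Referer` or requiring a confirmation click on the callback page are weaker fallbacks.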

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]