Bitcoin wallet company Blockchain recently unearthed a critical flaw in its Android wallet that caused funds to be sent to a single user rather than to freshly generated, random addresses.
According to the available information, a serious cryptographic and programming error ended up sending around $8,000 worth of Bitcoins to the wrong address. Blockchain’s advisory, published last Thursday, explained the flaw in more detail: random.org, the service the app relied on to help generate private keys, had recently started returning a 310 Moved Permanently response when accessed over plain HTTP. The same service still returned the expected random data when accessed over the more secure HTTPS protocol.
“In rare circumstances, certain versions of Android operating system could fail to provide sufficient entropy, and when backup provisions also failed, multiple users could end up generating duplicate addresses,” Blockchain said in its latest blog. “To our knowledge, this bug resulted in one specific address being generated multiple times, leading to a loss of funds for a handful of users.”
As a result, one lucky user ended up receiving around 34 BTC (almost $8,000), because one of Blockchain’s components failed to mix its own random data with the data provided by random.org. The app therefore used the 256-bit value it received from random.org on its own, which left key generation critically insecure.
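The two failures described above, an external entropy source that silently starts returning non-random content and a client that uses that content as its only seed material, are easy to model. The following Python is an added illustration written for this article; it is not Blockchain’s wallet code and does not call random.org. The sample responses, the `validate_external_entropy`, `naive_seed`, `derive_seed` and `generate_seed` names and the HMAC-based mixing are all assumptions chosen for the example. It shows why two devices fed the same redirect page derive the same seed when the response is trusted blindly, and how validating the response and keying the derivation on local OS entropy keeps seeds unique even when the external fetch fails.

```python
import hashlib
import hmac
import os
import re

# Constructed sample responses (not real captures from random.org).
# A healthy reply: 256 bits of hex data.
GOOD_STATUS, GOOD_BODY = 200, "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"
# A redirect reply: the body is a static HTML page, identical for every client that asks.
REDIRECT_STATUS, REDIRECT_BODY = 301, (
    "<html><head><title>Moved Permanently</title></head>"
    "<body>The document has moved.</body></html>"
)

HEX256 = re.compile(r"[0-9a-fA-F]{64}")


def validate_external_entropy(status, body):
    """Return 32 bytes if the reply looks like fresh 256-bit random data, else None.

    A non-200 status, a body that is not exactly 64 hex digits, or a degenerate
    value with too few distinct bytes all cause rejection. The caller must treat
    None as 'no external contribution', never as an error to retry unboundedly.
    """
    if status != 200:
        return None
    text = body.strip()
    if not HEX256.fullmatch(text):
        return None
    raw = bytes.fromhex(text)
    if len(set(raw)) < 8:
        return None
    return raw


def naive_seed(body):
    """The failure mode: hash whatever the service returned and use it as the seed.

    Every device that receives the same body (for example the same redirect page)
    ends up with the same seed and therefore the same private key.
    """
    return hashlib.sha256(body.encode()).digest()


def derive_seed(local_entropy, external=None):
    """Mix local and external entropy.

    Local OS entropy is the HMAC key, so the seed stays unpredictable even when
    the external contribution is absent, constant or attacker-controlled; the
    external bytes can only add entropy, never replace it.
    """
    h = hmac.new(local_entropy, b"wallet-seed-v1", hashlib.sha256)
    if external is not None:
        h.update(external)
    return h.digest()


def generate_seed(status, body, local_entropy=None):
    """Seed for one device: always draws local entropy, only optionally adds external."""
    if local_entropy is None:
        local_entropy = os.urandom(32)
    return derive_seed(local_entropy, validate_external_entropy(status, body))


if __name__ == "__main__":
    # Two devices that both received the redirect page instead of random data.
    a, b = naive_seed(REDIRECT_BODY), naive_seed(REDIRECT_BODY)
    print("naive seeds collide:", a == b)        # True: same key on both devices
    a, b = generate_seed(REDIRECT_STATUS, REDIRECT_BODY), generate_seed(REDIRECT_STATUS, REDIRECT_BODY)
    print("mixed seeds collide:", a == b)        # False: local entropy keeps them apart
```

The design point is that the external source is treated as an optional supplement: its reply is checked for shape and status before use, and the derivation is keyed on `os.urandom`, so a bad or missing reply degrades to "local entropy only" instead of "a constant shared by every client".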
Patch Update Released
Soon after discovering the error, Blockchain released a patched version of its wallet app on the Google Play Store. The company urged users to move funds from the potentially affected addresses to newly generated ones, and to archive the affected addresses so they are not reused.