Filippo Valsorda, the engineer who developed the program that checks whether your network or browser is vulnerable to the Heartbleed bug, today released a tool designed to hunt down wallets that poorly secure transactions and in effect leak private keys.
Mr. Valsorda, who works for CloudFlare, demonstrated how known flaws in some wallets have allowed thieves to steal Bitcoins due to insecure clients or flaws identified in unpatched browsers.
Mr. Valsorda stated, “I found two really big security holes where someone probably made an error while writing their client that generated hundreds and hundreds of vulnerable transactions. I was able to identify one attacker who stole something like 59 Bitcoins … targeted the users’ browsers that were likely not providing the right random numbers.”
The 59 Bitcoin hack happened in August 2013 and Google was wrongly blamed for the loss. Valsorda also found indications that other hackers were scanning the blockchain for this deficiency and were raiding wallets, but the results were not conclusive.
Mr. Valsorda studied the blockchain during his research looking for mistakes and concluded that we would be better protected if we create systems that by default protect transactions when the security design fails.
A known flaw in the Elliptic Curve Digital Signature Algorithm (ECDSA) that showed up in insecure clients or unpatched browsers is to blame for the issue. While Bitcoin clients Multibit and Electrum received gold stars for the correct use of ECDSA, blockchain.info did not. However, Mr. Valsorda stressed that this was not a vulnerability in blockchain.info, but rather in the reliance on what could be an unpatched or outdated browser.
Valsorda found no remaining wallets vulnerable to attack and pointed out that attackers could target exposed wallets without his script. Valsorda concluded, “whoever is developing software has [a] responsibility to users who do not know enough to protect themselves.”