Wednesday, May 18, 2011

Security of Bitcoin websites

Bitcoins are a (relatively) new digital currency. Their closest real-world analogue is to cash, since there is no central authority that manages them. Transaction fees within the system are also very very small, less than 0.1% if even that much.

I'm not an expert, but here's a quick primer: you can send coins in your wallet to a valid address, and this transaction is validated by a peer-to-peer network. Addresses can be created at will. Coins are validated via their history, so you can see the addresses of previous transactions involving those coins. For example, I just made up the address 15NhuaukwoUoHWRJijfdrb4iiz6D61mCds; you can see the history of that address here, which is blank right now. (If you give me bitcoins at that address, there is a "receipt" right there. See, bitcoins makes begging on-line seem cool again, just like it was ten years ago.)

Bitcoin's online use also makes a brand-new target for thieves. Instead of breaking into your computer to try and sniff your passwords or selling you off to a zombie net, hackers could directly steal value stored there.

This also applies to websites that handle bitcoins. There is no central body so there is no such thing as PCI Compliance. But websites that allow bitcoins to be transferred to other addresses need to take security very seriously, as if they were handling credit card information or actual cash like a bank.

(Websites that receive payments via Bitcoin do not need to worry as much, but they still should use best practices.)

One example is Mt Gox, a site that facilitates the exchange of different currencies, including US Dollars and Bitcoins. EvilPacket demonstrated a XSS and CSRF attack against the site, which has since been fixed.

One of the more popular source of coins these days are "mining pools," in which lots of people work together to help the peer-to-peer network validate transactions, and are occasionally rewarded with new bitcoins. All these sites have web interfaces. I gave a peek to see if they were vulnerable to some simple attacks.

BTCMine, slush's pool, and MtRed were all safe. (MtRed claims to have fixed a CSRF problem, but if so then it was definitely before I looked, and it seems like it was built right into their framework automatically.)

I incorrectly thought that DeepBit was vulnerable, but the admin pointed out that he already had defenses in place, and when I checked my notes, it turns out he was right all along. Good show there (plus they require email confirmation for changing their destination address).

Bitcoin Pool was vulnerable when I checked. I could change my receiving address blindly, which means it was ripe for a CSRF attack. I dropped an admin a private message in their forum, and didn't get a response. But they seem to have taken action anyway. If you go to now, it fails unless you are using a referrer from their own domain.


As users, the big piece of advice: log out of any website that lets you transmit bitcoins. Log in to those sites only one at a time, and with a separate browser (or even a browser within a VM if you have sufficient amounts of money in play).

As website developers, you need to build secure sites. That's a whole different article.

As a network... well, that's interesting. If one were to perform a widespread theft like this, actions could still be taken against the thieves.

Although you may hear people describe bitcoins as anonymous, the better word is pseudonymous. You can make arbitrary account numbers and receive payment at them, but their use can still be tracked. A theft of a sufficient number of coins would attract the attention of the FBI or similar organization.

At some point, just like with US Dollars, the holders of stolen Bitcoins will want to redeem them for goods or services. Even if they bounce the stolen Bitcoins through thousands of addresses, those can be tracked, since the entire nature of the network is that it is transparent. Eventually a vendor of something physical will acquire some of these coins and be able to provide authorities with some kind of address for the crooks.

Fencing stolen coins is still possible, but actually harder than it would be with, say, a briefcase full of greenbacks.


Blogger british assignment help said...

This is such an informative blog that anyone can likes to read who have interest in latest technology trends. Bit coins are getting fame day by day and their security is also a concern but you have rightly mentioned mitigation plans in the blog. thanks for sharing it

10:33 AM  
Blogger Bit_Community said...

I would like to thank you for the efforts
you have put in writing this blog. I’m hoping the same high-grade web site
post from you in the future also. Actually your creative writing abilities
has encouraged me to get my own web site(online bitcoin miner) going now.Really blogging is
spreading its wings and growing fast. Your write up is a great example.

11:14 PM  
Blogger Lou Pacheco said...

You always can publish
academized review something absorbing that does not waste minutes of your life like what you see on countless other sites. This is very interesting and I will be back for more. Thanks for sharing

4:27 AM  
Blogger Christopher Kennedy said...

I am very enjoyed for this blog. Its an informative topic. It help me very much to solve some problems. Its opportunity are so fantastic and working style so speedy. I think it may be help all of you. Thanks a lot for enjoying
this beauty blog with me. I am appreciating it very much! Looking forward to another great blog. Good luck to the author! all the best!

1:57 PM  

Post a Comment

<< Home