‘Heartbleed’ SSL vulnerability causing heartburn for Bitcoin web services
A major security flaw has been discovered in a popular library for the SSL protocol, the cryptographic underpinning of the bulk of all web transactions, and it could affect a large number of bitcoin services. The two-year-old flaw, named “Heartbleed”, affects versions of OpenSSL in a way that could weaken the security of encrypted web traffic, which is used to protect sensitive information such as passwords, messages, e-commerce and banking. As OpenSSL is the most popular library used to implement SSL, the implications are rather broad.
Amid these implications, bitcoin-related websites have already been hit.
Bitcoin services respond to vulnerability
Due to its popularity as an SSL library, OpenSSL is widely deployed, and the disclosure of the Heartbleed security flaw makes bitcoin-related websites especially vulnerable given the cryptographic savvy of attackers interested in getting their hands on virtual coin.
#Bitstamp turns off its account registration, login & all virtual currency withdrawal functions as a precaution following recent OpenSSL news.
— Bitstamp (@Bitstamp) April 8, 2014
Among the first services to discover they were vulnerable, Bitstamp, a bitcoin exchange based in Slovenia, disabled registration and currency withdrawals while waiting for a fix to be applied. A more recent tweet from the service said that it is waiting for Bitstamp’s DDoS mitigation service to upgrade so that end-to-end SSL protection exists before services come back online.
Withdrawals will be disabled for 10 hours. Please change your Bitfinex credentials as soon as possible.
— Bitfinex.com (@bitfinex) April 8, 2014
Bitfinex, a bitcoin exchange, is asking customers to change their login credentials as soon as possible and has disabled withdrawals for 10 hours pending a fix for the Heartbleed bug.
LocalBitcoins posted a blog stating that the service is also affected, but now patched. An outfit such as LocalBitcoins might be less exposed than others, though, because very few people keep BTC in the escrow wallet offered by the service and most exchanges are done person-to-person (or in person).
Blockchain.info quickly published a short statement that the service had recently patched against the bug and that it uses Cloudflare (which patched a week ago).
Coinbase has not yet reported in, but tests of the website show that it is not immediately vulnerable.
BTCJam investigates reports of bitcoin thefts
Amid the disclosure that the Heartbleed bug could allow sensitive information to leak out of OpenSSL connections, BTCjam customers began to notice coins being drained from their accounts. BTCjam is a bitcoin peer-to-peer microloan platform that enables people to lend and borrow.
SiliconANGLE founding editor Mark ‘Rizzn’ Hopkins contacted BTCjam about the apparent loss and received a message stating:
If you guys believe your accounts were hacked, please send me an email at alexis@btcjam.com. We are currently looking into this, and I am comprising a list of claims. Thank you, and please stand by for an official statement later on today.
The website was finally taken offline after the heist reportedly reached 42 BTC.
The address to which funds appear to have been siphoned is identified as 1JBBbQkwR6qVmxyPq22VsfygeLdFYgqhmP and shortly after writing this the coins were swept out again.
Twitter user qwertyoruiop appears to have been swept up in the BTCjam theft and is currently investigating the addresses in question.
@bitxbitxbitcoin @btcjam I started an investigation to find out whether my servers have been involved with this.
— qwertyoruiop (@qwertyoruiop) April 8, 2014
Some people are accusing me of stealing coins. I started an investigation to find whether my servers have been involved.
— qwertyoruiop (@qwertyoruiop) April 8, 2014
I’m trying to see if the guy left the private keys of the addresses involved with the theft to return coins to parties involved.
— qwertyoruiop (@qwertyoruiop) April 8, 2014
According to the tweet history, it appears that qwertyoruiop knows the person involved but was not involved in the theft. The number of stolen coins has been verified as a total of 42, and qwertyoruiop has stated that once they have gained control of the coins, the property will be returned to BTCjam.
Detecting and fixing the problem
The Heartbleed vulnerability has apparently existed since 2011, but it was not widely known or exploited until very recently. To facilitate a swift move to patch potentially vulnerable systems, Italian security researcher Filippo Valsorda built a web-based test that should reveal whether a particular website is vulnerable.
News of the bug was released widely by Finnish IT security company Codenomicon via the Heartbleed bug website. The website notes that the most commonly affected web servers running OpenSSL, and thus potentially vulnerable, are Apache and nginx, which together serve around 66% of all websites. E-mail servers, chat services and VPNs also use SSL and TLS and could likewise be vulnerable.
In short, lots of operations teams have some quick work to do in order to clean up this bug before someone tries to exploit it.
The bug’s name, Heartbleed, comes from the part of OpenSSL the bug affects: “the implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).” An exploit causes the extension to leak memory from the secured connection to the attacker, hence the “bleeding” during a “heartbeat.”
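To make the mechanism concrete, the following is an added, simplified model of a heartbeat handler (not OpenSSL's code and not from the original article): it shows the vulnerable shape, which copies as many bytes as the peer claims, beside the fixed shape, which first checks that the claimed length fits inside the record actually received. The memory image, the 40-byte length claim and the "SECRET-KEY-MATERIAL" bytes are constructed for the demonstration.

```c
#include <string.h>
/* Heartbeat record layout: [type:1][payload_len:2][payload][padding:16]. */
#define HDR 3
#define PAD 16

/* Constructed memory image: a 24-byte record with a 5-byte payload, then bytes
 * standing in for unrelated process memory that happens to follow the record. */
static unsigned char mem[64];
static size_t build_record(void) {
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                                   /* heartbeat request */
    mem[1] = 0; mem[2] = 40;                      /* peer claims payload_len = 40 */
    memcpy(mem + HDR, "hello", 5);                /* real payload is only 5 bytes */
    size_t rec_len = HDR + 5 + PAD;               /* 24 bytes actually received */
    memcpy(mem + rec_len, "SECRET-KEY-MATERIAL", 19); /* lies outside the record */
    return rec_len;
}
/* Vulnerable shape: trusts the peer-supplied length and never compares it with
 * the bytes actually received, so memcpy reads past the end of the record. */
static int hb_vulnerable(const unsigned char *rec, unsigned char *out) {
    unsigned int payload = ((unsigned)rec[1] << 8) | rec[2];
    memcpy(out, rec + HDR, payload);
    return (int)payload;
}

/* Fixed shape (the form of the OpenSSL 1.0.1g check): discard the record unless
 * header, claimed payload and padding all fit inside the received length. */
static int hb_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HDR + PAD) return -1;           /* too short to be a heartbeat */
    unsigned int payload = ((unsigned)rec[1] << 8) | rec[2];
    if (HDR + payload + PAD > rec_len) return -1;  /* the missing bounds check */
    memcpy(out, rec + HDR, payload);
    return (int)payload;
}

/* 1 if the vulnerable handler's response carries bytes from beyond the record:
 * anything after offset rec_len - HDR in the response was never part of it. */
int vulnerable_leaks(void) {
    unsigned char out[64] = {0};
    size_t rec_len = build_record();
    int n = hb_vulnerable(mem, out);
    return n == 40 && memcmp(out + (rec_len - HDR), "SECRET", 6) == 0;
}
/* 1 if the fixed handler refuses the same oversized length claim. */
int fixed_rejects(void) {
    unsigned char out[64] = {0};
    return hb_fixed(mem, build_record(), out) == -1;
}
```

The single added comparison is the whole fix: a response may never be longer than the data that was actually received, so nothing adjacent in memory can be copied into it.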
The bug was discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security.