‘Heartbleed’ SSL vulnerability causing heartburn for Bitcoin web services

A major security flaw recently discovered in a popular library for the SSL protocol, the cryptographic underpinning of the bulk of all web transactions, could affect a large number of bitcoin services. The two-year-old flaw, named “Heartbleed”, affects versions of OpenSSL and can weaken the security of encrypted web traffic, which is used to protect sensitive information such as passwords, messages, e-commerce, and banking. As OpenSSL is the most popular library used to implement SSL, the implications are rather broad.

Amidst these implications bitcoin-related websites have already been hit.

Bitcoin services respond to vulnerability

Due to its popularity as an SSL library, OpenSSL is widely used, and the disclosure of the Heartbleed security flaw makes bitcoin-related websites especially vulnerable, because attackers interested in getting their hands on virtual coin tend to be cryptographically savvy.

Among the first services to discover they were vulnerable, Bitstamp, a bitcoin exchange based in Slovenia, halted registration and currency withdrawal while waiting for a fix to be applied. A more recent tweet from the service said that operations are waiting for Bitstamp’s DDoS mitigation service to upgrade so that end-to-end SSL protection exists before services come back online.


Bitfinex, a bitcoin exchange, is asking customers to change their login credentials as soon as possible and has disabled withdrawals for 10 hours pending a fix for the Heartbleed bug.

LocalBitcoins posted a blog stating that the service is also affected, but now patched. An outfit such as LocalBitcoins might, however, be less exposed than others, because very few people keep BTC in the escrow wallet offered by the service and most exchanges are done person-to-person (or in person).

Blockchain.info quickly published a short statement that the service had recently patched against the bug and that it uses Cloudflare (which patched a week ago).

Coinbase has not yet reported in, but tests of the website show that it is not immediately vulnerable.

BTCJam investigates reports of bitcoin thefts

Amid the revelation that the Heartbleed bug could allow sensitive information to leak out of OpenSSL connections, BTCjam customers began to notice coins being drained from their accounts. BTCjam is a bitcoin peer-to-peer microloan platform that lets people lend and borrow.

SiliconANGLE founding editor Mark ‘Rizzn’ Hopkins contacted BTCjam about the apparent loss and received a message stating,

If you guys believe your accounts were hacked, please send me an email at alexis@btcjam.com. We are currently looking into this, and I am comprising a list of claims. Thank you, and please stand by for an official statement later on today.

The website was finally taken offline after the heist reportedly reached 42 BTC.

The address to which funds appear to have been siphoned is identified as 1JBBbQkwR6qVmxyPq22VsfygeLdFYgqhmP, and shortly after this was written the coins were swept out again.

Twitter user qwertyoruiop appears to have gotten swept up in the BTCjam theft and is currently investigating the addresses in question.



According to the tweet history, it appears as if qwertyoruiop knows the person involved, but is not involved themselves in the theft. The number of stolen coins has been verified as a total of 42 and qwertyoruiop has stated that once they have gained control of the coins the property will be returned to BTCjam.

Detecting and fixing the problem

The Heartbleed flaw has apparently existed since 2011, but it did not become widely known or exploited until very recently. To speed the patching of potentially vulnerable systems, Italian security researcher Filippo Valsorda built a web-based test that should reveal whether a particular web site is vulnerable.

News of the bug was released widely by Finnish IT security company Codenomicon via the Heartbleed bug website. The site notes that the most commonly affected web servers running OpenSSL would be Apache and nginx, which together make up around 66% of all web sites. E-mail servers, chat services, and VPNs also use SSL and TLS and could be vulnerable.

In short, lots of operations teams have some quick work to do in order to clean up this bug before someone tries to exploit it.

The bug’s name, Heartbleed, comes from the part of OpenSSL it affects: “the implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).” Exploiting it causes the extension to leak memory from the secured endpoint to the attacker, hence “bleeding” during a “heartbeat.”
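The article describes the heartbeat extension only in outline. The following C parser is an added example, not OpenSSL’s code or anything from the researchers named here; it shows the kind of length check a heartbeat responder needs. An RFC 6520 heartbeat message is a one-byte type, a two-byte big-endian payload_length, the payload, and at least 16 bytes of padding, all carried inside a TLS record. The defensive point is that the claimed payload_length must be checked against the number of bytes actually received before any payload is echoed back; the function names and the two sample records are constructed for illustration.

```c
/* Added example (not from the article or from OpenSSL): validate an RFC 6520
 * heartbeat message against the length of the record actually received, and
 * echo only the bytes that really exist. Function names and sample records
 * are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */

/* Returns the payload length when the message is well-formed, or -1 when the
 * claimed payload_length does not fit inside the received record. Without
 * this check a responder would copy memory beyond the end of the request. */
int heartbeat_validate(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;      /* too short for any message */
    uint8_t type = rec[0];
    if (type != HB_REQUEST && type != HB_RESPONSE) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];  /* big-endian uint16 */
    /* The critical check: header + claimed payload + minimum padding must not
     * exceed the bytes that are actually on the wire. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;
    return (int)payload_len;
}

/* Builds a heartbeat response that echoes only the validated payload.
 * Returns the number of bytes written to out, or -1 if the request is rejected
 * or the output buffer is too small. */
int heartbeat_respond(const uint8_t *req, size_t req_len,
                      uint8_t *out, size_t out_cap) {
    int plen = heartbeat_validate(req, req_len);
    if (plen < 0 || req[0] != HB_REQUEST) return -1;
    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + 3, req + 3, (size_t)plen);          /* only bytes that exist */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);       /* padding; random in real TLS */
    return (int)need;
}

/* Constructed sample records. */
/* Well-formed: type=1, payload_length=5, "hello", 16 bytes of padding (24 bytes). */
static const uint8_t good_req[] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
/* Malformed: claims 0xFFFF payload bytes but carries only 3 + 16 bytes. */
static const uint8_t bad_req[] = {1, 0xFF, 0xFF,
                                  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

int main(void) {
    uint8_t out[64];
    printf("good request: payload_len=%d\n",
           heartbeat_validate(good_req, sizeof good_req));
    printf("bad request:  %s\n",
           heartbeat_validate(bad_req, sizeof bad_req) < 0 ? "rejected" : "accepted");
    printf("response bytes for good request: %d\n",
           heartbeat_respond(good_req, sizeof good_req, out, sizeof out));
    return 0;
}
```

The well-formed record passes and produces a 24-byte response; the malformed record, whose header claims far more payload than the record carries, is rejected before anything is copied, which is exactly the situation the unpatched extension failed to handle.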

The bug was discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security.