Bitcoin wallet service to issue refunds after users’ funds stolen

A widely used Bitcoin wallet service plans to issue refunds to people who saw their bitcoins stolen as a result of a weakness in its application.

Blockchain.info, which has a Web-based service called My Wallet, has also upgraded its application after finding a vulnerability similar to one discovered earlier this month in some Bitcoin wallet programs running on the Android mobile OS.

“Likely if you have been affected by this problem your coins will have been taken already,” a Blockchain.info official wrote on the Bitcointalk.org forum. “All affected users will be refunded in full.”

The number of affected users is small, said Roger Ver, who is an investor in Blockchain.info, via email. Blockchain.info expects to refund around 50 BTC or US$5,000, he said.

Interest in Bitcoin has surged since its debut just four years ago. The system offers a low-cost way to transmit virtual currency over the Internet, and many companies and entrepreneurs are working to solve concerns around how to safeguard bitcoins from hackers.

Blockchain.info’s My Wallet uses a browser extension that encrypts a person’s Bitcoin wallet on their computer before it is sent and stored on its servers.

On Tuesday, Blockchain.info upgraded its browser extensions for Chrome and Firefox and its Mac OSX client after it was found a random number generator wasn’t working securely in some cases, potentially exposing people’s bitcoin stashes to theft.

Random numbers are used to sign transactions performed over Bitcoin’s peer-to-peer network as part of its public key cryptography system. If duplicate random number values are used to sign more than one transaction, it may be possible for an attacker to figure out a person’s private signing key and sweep their bitcoins away.

The issue came to light after one user reported on Bitcointalk.org that 1.8 bitcoins — worth around US$218 as of Wednesday morning according to Mt. Gox’s market price — were stolen.

The user speculated that Blockchain.info or Firefox had a weakness in code that generates random numbers, similar to the problem found in Android Bitcoin clients earlier this month.

Several Bitcoin clients that used a random number generator component within Android were patched after it was found it occasionally repeated random numbers. Google also issued a patch.

A Blockchain.info official wrote on the forum that My Wallet users on Firefox could be particularly vulnerable. Users should upgrade their My Wallet browser extension to the latest versions, which for Chrome is v2.85, for Firefox is version 1.97 and for Mac clients is version 0.11.

The official also advised that people who only use Blockchain.info’s web interface “should clear their browsers cache before next login.”

Bitcoin addresses — which are used by people to send and receive bitcoins — that may be affected have been listed on Bitcointalk.org.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk