Duplicate wallet collects about $8,000 in 4 months

May 29, 2015 17:08 GMT  ·  By

Blockchain has released a new version of its Bitcoin Wallet app for Android, following the recent disclosure of a vulnerability that caused the app to generate duplicate bitcoin addresses across unrelated devices.

The glitch did not occur frequently, according to the company, but it caused financial losses for several users: bitcoins they sent to the duplicate address ended up in a wallet that was not the one they intended, and the app gave no warning that anything was wrong.

Unencrypted connection to random.org at fault

In an advisory released on Thursday, Blockchain says that the vulnerability affects the app when run on Android 4.1 (Jelly Bean) or earlier.

“In rare circumstances, certain versions of Android operating system could fail to provide sufficient entropy, and when backup provisions also failed, multiple users could end up generating duplicate addresses,” the security advisory says.

The problem lies in the way the app seeded the generation of new wallet addresses: when the operating system's own entropy source was deemed unreliable, it fell back to fetching random bytes from Random.org.

It appears that Random.org began redirecting plain-HTTP requests to its encrypted (HTTPS) endpoint. Blockchain's Android wallet still requested the bytes over regular HTTP, so what it received was no longer random data but the same fixed redirect response on every device. A client that does not check the status code and simply uses the response body as seed material will derive the same private key, and hence the same address, for every user who hits that code path.
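The failure mode described above, as an added example that is not Blockchain's code: a simulated wallet that seeds key generation from an HTTP fetch of random bytes, shown beside a hardened version that rejects anything other than a plain 200 response and mixes the remote bytes with local entropy. The fetch function, the redirect body and the key-derivation scheme are constructed stand-ins (no network access, no real secp256k1 or address encoding); the point is that the vulnerable path yields one key for an entire fleet of devices while the hardened path either refuses the response or still produces distinct keys.

```python
"""Simulation of the duplicate-address bug: remote entropy fetched over HTTP,
with the server now answering with a redirect instead of random bytes.
Added example only; the fetch and derivation below are hypothetical."""
import hashlib
import os

# Constructed stand-in for the body a plain-HTTP request gets once the
# service redirects to HTTPS. Not captured traffic.
REDIRECT_BODY = (b"<html><head><title>301 Moved Permanently</title></head>"
                 b"<body><h1>Moved Permanently</h1></body></html>")


class EntropyError(Exception):
    """Raised when a remote entropy response cannot be trusted."""


def fetch_random_org(use_https):
    """Hypothetical fetch returning (status, content_type, body) offline.

    Over HTTPS the service answers with fresh random bytes; over plain HTTP
    it answers with a fixed redirect, which is the situation in the article.
    """
    if use_https:
        return 200, "text/plain", os.urandom(32)
    return 301, "text/html", REDIRECT_BODY


def derive_key_vulnerable(response):
    """The bug: whatever came back, its first 32 bytes become the seed.

    A redirect page is the same on every device, so every device derives
    the same key. (SHA-256 stands in for the real key derivation.)
    """
    _status, _content_type, body = response
    return hashlib.sha256(body[:32]).digest()


def derive_key_hardened(response, local_entropy):
    """Hardened seeding: validate the response, then mix in local entropy.

    Even if the remote bytes were identical everywhere, mixing 32 bytes of
    local entropy keeps the derived keys distinct per device.
    """
    status, content_type, body = response
    if status != 200:
        raise EntropyError(f"unexpected HTTP status {status}")
    if not content_type.startswith("text/plain"):
        raise EntropyError(f"unexpected content type {content_type!r}")
    if len(body) < 32:
        raise EntropyError("entropy response too short")
    if len(local_entropy) < 32:
        raise EntropyError("local entropy too short")
    return hashlib.sha256(b"remote:" + body[:32] +
                          b"local:" + local_entropy).digest()


def simulate_fleet(n_devices, use_https, hardened):
    """Run n independent devices through one derivation path.

    Returns {"keys": set of distinct derived keys, "rejected": count of
    devices whose remote response the hardened path refused}.
    """
    keys, rejected = set(), 0
    for _ in range(n_devices):
        response = fetch_random_org(use_https)
        try:
            if hardened:
                keys.add(derive_key_hardened(response, os.urandom(32)))
            else:
                keys.add(derive_key_vulnerable(response))
        except EntropyError:
            rejected += 1
    return {"keys": keys, "rejected": rejected}


if __name__ == "__main__":
    for https in (False, True):
        for hard in (False, True):
            result = simulate_fleet(5, use_https=https, hardened=hard)
            print(f"https={https!s:5} hardened={hard!s:5} "
                  f"distinct keys={len(result['keys'])} "
                  f"rejected={result['rejected']}")
```

Running the simulation shows five devices collapsing onto a single key when the vulnerable path is fed the redirect, which is exactly the "one wallet collects everyone's coins" outcome the article describes; the hardened path rejects all five responses instead, and produces five distinct keys once the fetch is correct.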

One wallet collected 34 bitcoins

Redditors traced the duplicate address to 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, which, according to the public transaction ledger, has received a total of 34 bitcoins ($8,000 / €7,300) since January 2.

“If someone is eager to experiment: just feed the first 32 bytes into the RNG and see what key it generates... it should be the one for 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F,” someone posting under the alias “umbawumpa” said on Friday.

One user posted on Reddit that he had lost 6 bitcoins ($1,400 / €1,300) to the bug. Blockchain reimbursed the loss in less than two days.

Blockchain recommends that users who may have generated affected addresses move their funds to a new address created with the latest version of the Android app, with the iOS app, or directly on the website.