A flaw in the Blockchain.info wallet allowed thieves to make off with 50 Bitcoins, and the site’s operators are offering refunds to users who had their money stolen as a result.
The bug was found in the site’s random number generator, which is implemented in JavaScript. The problem was first discovered on August 19, when a user reported the theft of 1.8 Bitcoins.
A similar problem with a random number generator had been found in Android apps, which Google has since confirmed.
Blockchain.info is primarily a source for market data and a place where users can examine the blockchain’s ledger, but there is also a section on the site where users can create online wallets for Bitcoin transfers.
This vulnerability affected Blockchain.info’s browser client, its extensions for the Chrome and Firefox browsers, and its OS X app. The problem has since been patched.
Blockchain.info advises users to update to the following versions: the Mac client to v0.11, the Firefox extension to v1.97 and the Chrome extension to v2.85.
The random number generator’s flaw only affected transaction signing, not the creation of private keys. A Blockchain.info representative said that simply updating the client is sufficient to patch the bug.
Users who access the web wallet through a browser without any plugin should clear their browser cache, he said.
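The article states that the flaw hit transaction signing rather than key generation, but not how that shows up in practice. As an added example (not code from Blockchain.info or the article), here is a check a wallet user could run over their own signed transactions, assuming the usual ECDSA failure mode for a weak RNG at signing time: a repeated per-signature nonce produces the same r value in two signatures. The DER layout and trailing SIGHASH byte follow Bitcoin’s scriptSig format; the transaction labels and signature bytes are constructed.

```python
from collections import defaultdict

def parse_der_signature(sig: bytes):
    """Return (r, s) from a DER-encoded ECDSA signature as found in a Bitcoin
    scriptSig: 0x30 <len> 0x02 <rlen> <r> 0x02 <slen> <s> [sighash byte].
    Raises ValueError on malformed input."""
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = sig[1]
    if seq_len + 2 > len(sig):
        raise ValueError("truncated sequence")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 1 >= len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        ilen = sig[pos + 1]
        if pos + 2 + ilen > len(sig):
            raise ValueError("truncated integer")
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + ilen], "big"))
        pos += 2 + ilen
    if pos != seq_len + 2:
        raise ValueError("sequence length mismatch")
    return ints[0], ints[1]

def find_repeated_r(signatures):
    """Map each r value that appears in more than one signature to the
    transactions that share it. With a working RNG every signature gets a
    fresh nonce and therefore a unique r; a collision means the nonce
    repeated, which is what a broken RNG at signing time produces."""
    by_r = defaultdict(list)
    for txid, der in signatures:
        r, _s = parse_der_signature(der)
        by_r[r].append(txid)
    return {r: txids for r, txids in by_r.items() if len(txids) > 1}

# Constructed sample input (not real transactions): a label for each
# transaction and the DER signature bytes from its scriptSig, the trailing
# 0x01 being the SIGHASH_ALL byte. Small r/s values keep the hex readable.
SAMPLE_SIGNATURES = [
    ("tx-a", bytes.fromhex("3008020212340202567801")),
    ("tx-b", bytes.fromhex("300802020abc0202111101")),
    ("tx-c", bytes.fromhex("3008020212340202777701")),  # same r as tx-a
    ("tx-d", bytes.fromhex("3009020300def00202222201")),  # r needs 0x00 pad
]

if __name__ == "__main__":
    for r, txids in find_repeated_r(SAMPLE_SIGNATURES).items():
        print(f"r={r:#x} reused by {', '.join(txids)}")
```

Any hit returned by `find_repeated_r` means the affected transactions were signed with a repeated nonce and the funds on that key should be treated as exposed.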
All of the stolen funds were sent to a single address: 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj. If you think you might have had funds stolen in this attack, check to see whether any were transferred to that address.
At the time of writing, “only a couple of BTC have been refunded,” according to a Blockchain.info representative.
CoinDesk reports that some of the funds sent to that address also came from the Android hack, meaning that the same person could be responsible for both.
One CoinDesk commenter has said he/she had 1.8 BTC refunded and remarked “excellent customer service” on the part of Blockchain.info.