
How a Rogue Tor node hijacked Blockchain.info accounts


Blockchain.info security concerns

You may have noticed recent reports about people having their bitcoins stolen from Blockchain.info. Many report that their accounts have been hacked into and their coins withdrawn. What caused the recent spike in account breaches at blockchain.info?

According to Blockchain's official PR account on reddit, blockchainwallet, the top three issues behind the breaches are:

  • Malicious Tor exit nodes
  • Weak password management
  • Sophisticated phishing attacks

Securing your coins

Having a strong password with many different characters is a no-brainer, and I hope most of you are using different passwords for different accounts. Phishing attacks can be avoided by reaching blockchain.info by typing its address into the browser's URL bar rather than following a link. We reported previously about a phishing site for blockchain.info that appeared at the top of Google's front page because of a Google AdWords campaign. That attack wasn't very successful because redditors brought it to Google's attention promptly and the phishing site was taken down.

Tor nodes perform MITM attack

Lastly, the most recent security issue, which caused massive BTC losses for customers, was due to malicious Tor exit nodes. The attack was a simple and archaic MITM (man-in-the-middle) attack. In simple terms, the exit node does not know where the traffic originates (the Tor user), but it can read and modify the traffic if it is not encrypted. So, when someone accessed blockchain.info through a rogue exit node, that node could record the data being sent and extract the victim's wallet ID and password. The catch is that blockchain.info, like most sites that ask users for sensitive account information, encrypts its traffic using SSL. So even if somebody were looking at the packets exchanged, the information would be encrypted and the attacker would not be able to recover the password.


Well, the rogue exit node was able to strip the SSL from blockchain.info. Anyone who looked at the address bar in the upper left corner would have seen that they were connected to the http:// version of the site. Without the https:// protocol the information is not encrypted, and you can fall victim to a MITM attack.

 Blockchain.info Onion Mirror: http://blockchatvqztbll.onion

Now, if you try to connect to blockchain.info using Tor you will get the above message. Blockchain has set up a .onion mirror, which ensures the integrity and encryption of traffic inside the Tor network without ever passing through an exit node. Furthermore, it looks like they fixed a bug where you could connect to an SSL-stripped version of the site, which is yet another preventative measure against the MITM vulnerability.

Blockchain.info uses something called HSTS (HTTP Strict Transport Security). What it does is force all your requests to go over https if you have ever accessed the site over https before. The problem is that when somebody accesses blockchain.info by typing http://, the HSTS header is not sent on that plain-http response, so nothing forces the connection to https, and the Tor Browser Bundle by default does not persist the HSTS header between sessions either. That leaves rogue exit nodes free to rewrite links and redirects on the unencrypted page. What blockchain.info could do is serve a static page for any incoming http connection that tells the user to reconnect using https; that way the HSTS header would be set on the https response and the user would end up accessing the site over a secure, encrypted connection from then on.

Overall blockchain.info is a reliable and competent wallet service which was able to identify and solve a problem it had no obligation to solve. I recommend this wallet service to anyone new to bitcoin. Their mobile app is extremely slick and responsive and makes it simple to send and receive coins.


Mark Arguinbaev

I'm a 29 year old cryptocurrency entrepreneur. I was introduced to Bitcoin in 2013 and have been involved with it ever since. Fun Fact: I mined cryptocurrency using my college dorm room's free electricity.
