Bitcoin robbers pocket $5,800 through Android wallet app glitch
Password cracking; Stolen credentials; User accounts compromised; Software vulnerability
Crooks have figured out how to steal the virtual currency by exploiting major vulnerabilities in Google’s mobile operating system, members of a user forum report.
“According to an online community of Bitcoin users, who spoke out on a Bitcointalk.org forum over the weekend, cyber thieves have made off with at least 55 Bitcoins, which amounts to about $5,800, given Bitcoin's current exchange value.”
Mike Hearn, a Bitcoin developer, reported the bugs to Google, and blogged about the security issue on August 11. The problem is the secure random numbers that Android generates to confirm the identity of bitcoin owners are weak, and therefore the codes can be cracked and virtual cash stolen.
“A Bitcoin address is a bit like an email address, except that it's linked to a ‘private key' which is a bit like the password for the money sent to the address," Hearn told SCMagazine. "Except you don't get to pick the password, the phone/tablet/computer does, on the assumption that it's better at picking unpredictable codes than you are..."
Several wallet apps in Google Play were affected by the vulnerabilities.
Bitcoins can be transferred anonymously from person to person online, without going through a government-backed bank. Some online merchants accept the currency, which can be traded for actual dollars at online exchanges.
In an August 12 blog post, security researcher Graham Cluley explained how serious the flaws are to Bitcoin users. “If someone else can work out the private key to your Bitcoin wallet, that's rather like knowing the PIN code for your bank account,” he wrote.
Financial Services; Web Services
August 12, 2013
Link to report
location of breach
location of perpetrators
date breach occurred
date breach detected