Bitcoin service StrongCoin hacks their users to recover stolen funds

The following was imported from my old blog.

Earlier this week, Ozcoin, a popular Bitcoin pool, had their payout script hacked, leaving them ~900 Bitcoins (~$132,000 USD) in the red. Today, the operator of StrongCoin, an online Bitcoin wallet, notified the Bitcoin community that he had intercepted the pool's coins from the attacker, who was using their service, and sent them back to Graet [1].

Public Disclosure.

On Saturday afternoon I was notified that Strongcoin was holding 568 BTC believed to be from the Ozcoin theft. Every time you make a payment from StrongCoin the fee goes to 1STRonGxnFTeJiA7pgyneKknR29AwBM77 so any payments from strongcoin held accounts are easily traced back to the site.

I was asked by 2 separate people on this forum if I could hold the funds (Sorry to the people I didn't reply to). The evidence that these funds came from the heist seemed plausible to me.

At 8am yesterday morning the funds were intercepted when the user made a payment. 

https://blockchain.info/address/1DsFCAZaxhJ9YGw5X8NCW9VkSMDZMyXzMF

I've spoken to the user in question over email. The user says he sold a car for BTC but can't reveal who to due to an NDA agreement. 

Graeme and I had a conversation over the phone and some evidence came to light, that to me, made it very likely the user I have contact with was connected to the heist. I'm not going to reveal any details of the user except to legal authorities if asked. I believe we should abide by due process.

I have sent a link to this post to the user so he/she can comment. Otherwise in the next few hours I will return the funds to Graeme, he can then decide what happens to those funds.

While this may appear to be a nice gesture, there are all sorts of wrong in this incident. Let's look a bit closer at what StrongCoin is.

The WTF

StrongCoin boasts that their service "only hold encrypted private keys", and that "neither [they] nor anyone else can spend your Bitcoins". Not only that, they also claim that Bitcoin private keys are "encrypted in your browser before it reaches [their] servers". How were they able to intercept the coins?

This leads to two inconvenient possibilities, neither of which makes StrongCoin appealing.
  1. Private keys were not actually encrypted on the client side, and were actually stored in plain text on their servers.
  2. They served malicious JavaScript on the attacker's session, and stole the private keys of the attacker's wallet.

Whether it be one or the other, neither makes StrongCoin's decision right. They hacked their service to steal from a user, and probably for personal gain too. They have shown that they could, and would, steal from their users at their discretion. None of their advertised security features protected anyone in this case. They lied to all current and potential customers.

Even if the operator of StrongCoin has a heart for the Bitcoin community, who is to say that the owner of StrongCoin would not take advantage of his position in a personal emergency? Or if StrongCoin decided to serve "justice" to one who has been wrongly tagged by the community? It's apparent that StrongCoin really should not have been involved in this incident, or let any of their customers' transactions be any of their business. They voluntarily revealed that their service is just as useless as a shared wallet.

MyWallet, an online wallet by Blockchain.info, also had a similar case in 2012. Late last year, Roger Ver abused his "admin" privileges at MyWallet to expose personal information of a customer with whom he had a dispute through his own business, which was completely unassociated with Blockchain.info. He was initially given these admin privileges by Ben Reeves, Blockchain.info's owner, to provide additional customer support to MyWallet's users; however, he used them for something other than what they were intended for. Roger Ver was able to look up accounts according to the addresses associated with them. From there, more information could be gathered by looking up individual accounts.

Unlike StrongCoin, little damage was done in the aftermath. Ben Reeves decided that it was best he did not intervene in a dispute that was none of his business, and unlike StrongCoin's realm of wrong decisions, he also revoked Ver's administrative privileges. Better yet, MyWallet no longer has the ability to directly link addresses to accounts. There was no indication that Blockchain.info was even remotely interested in playing Bitcoin judge, like StrongCoin did in this incident.

It seems StrongCoin is more interested in playing world cop in the Bitcoin community than in providing a secure service to the best of their abilities. Use StrongCoin at your own peril.

The bigger problem

Beyond these two incidents, there's a bigger problem that comes from the use of web wallets: they require arbitrary code to be executed from a potentially untrusted source. For a typical end user, there's no telling what the wallet is doing, or how it is "encrypting" your private keys.

This is also the argument against web applications implementing client-side JavaScript encryption. While it may appear that client-side encrypted data negates the requirement to trust the provider with your data, it's important to note that the code providing this added data security is also served by the same source. Malicious JavaScript can be served as the result of a hack or forced government intervention, rendering the extra security useless.

An interesting way Blockchain.info mitigates the risk is by providing browser extensions which verify the code being served against their open-source GitHub repository which houses MyWallet's core client code. Attackers don't have access to the repository, providing a line of security. Another alternative provided is the full-featured Chrome application. The app's client code can't update without the user manually taking action. This is all great, that is, if you trust the people behind Blockchain.info.
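The kind of check such an extension performs can be sketched as follows. This is an added example, not Blockchain.info's extension code: the file names, script contents and function names are constructed for illustration, and the pinned digests are assumed to come from a reviewed copy of the public repository.

```javascript
const crypto = require("node:crypto");

// SHA-256 of a script body, hex encoded.
function sha256Hex(body) {
  return crypto.createHash("sha256").update(body, "utf8").digest("hex");
}

// Pin digests from a trusted copy of the client code (assumption: a reviewed
// checkout of the public repository, obtained independently of the web server).
function buildManifest(trustedFiles) {
  const manifest = new Map();
  for (const [path, body] of Object.entries(trustedFiles)) {
    manifest.set(path, sha256Hex(body));
  }
  return manifest;
}

// Compare what the server delivered against the pinned manifest.
// An empty result means every served script matches the reviewed code.
function verifyServed(manifest, servedFiles) {
  const findings = [];
  for (const [path, body] of Object.entries(servedFiles)) {
    if (!manifest.has(path)) findings.push({ path, issue: "unlisted" });
    else if (sha256Hex(body) !== manifest.get(path)) findings.push({ path, issue: "modified" });
  }
  for (const path of manifest.keys()) {
    const served = Object.prototype.hasOwnProperty.call(servedFiles, path);
    if (!served) findings.push({ path, issue: "missing" });
  }
  return findings;
}

// Constructed sample data (hypothetical file names and contents).
const TRUSTED = {
  "wallet.js": "function encryptKey(key, pass) { return aesEncrypt(key, pass); }\n",
  "ui.js": "function render(balance) { show(balance); }\n",
};
const SERVED_CLEAN = { ...TRUSTED };
const SERVED_CHANGED = {
  "wallet.js": TRUSTED["wallet.js"] + "// changed on the server\n",
  "extra.js": "// script that is not in the repository\n",
};

const MANIFEST = buildManifest(TRUSTED);
console.log(verifyServed(MANIFEST, SERVED_CLEAN));
console.log(verifyServed(MANIFEST, SERVED_CHANGED));
```

The check is only as trustworthy as the channel that delivers the manifest and the verifier itself, which is why it has to live outside the page being verified, in an extension or a packaged app.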

This incident, while grave, also serves as a beneficial lesson to the community. Bitcoin, by design, removes the requirement of trust. When you do trust, and rely on someone for convenience or whatever reason, incidents such as this can and will happen.

Thanks to gmaxwell for digging up the following quote:
Then strong encryption became available to the masses, and trust was no longer required. Data could be secured in a way that was physically impossible for others to access, no matter for what reason, no matter how good the excuse, no matter what.

- Satoshi

[1]: Ozcoin's pool operator