OzCoin, one of the larger Bitcoin mining pools, has reported that an unknown attacker managed to hack into their server, defacing their website and database and stealing 923 BTC ($135,000) from their Bitcoin wallet. However, in less than a day over half of the money was seized as it was passing through the web wallet StrongCoin, and promptly returned to Ozcoin. 354.06 BTC are still missing, and will likely never be found, but this nevertheless leaves OzCoin with a much softer blow than what anyone expected.

Although most people agree with StrongCoin’s actions, this is nevertheless a very worrying sign for the security and privacy of StrongCoin, and other web wallets by extension. StrongCoin is what is often called a hybrid web wallet, accessible as a website on the internet but doing all of the transaction signing and address management in Javascript on the client side. Essentially, the client is downloading a fresh version of the wallet software from StrongCoin each time, and from that point, in theory, the software becomes just as secure as any other client-side program. The user’s wallet data, including the private keys needed to sign transactions, is backed up on StrongCoin’s servers, but it is encrypted and decrypted client-side using the user’s password so, once again in theory, there should be no way for StrongCoin themselves to get hold of the user’s private keys. StrongCoin heavily advertises this feature; on the website’s front page, they write: “Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.” Except they just did.

Inspections of StrongCoin’s client-side code have confirmed that StrongCoin is in fact operating exactly as a client-side web wallet should. This leaves only one possibility: StrongCoin essentially hacked their own service. By injecting code that would automatically send all of a user’s funds to themselves as soon as the user entered their password, a web wallet provider can easily steal from any of their users provided that they log in with enough frequency. Attacks like these are the reason why security analysts have generally come out against Javascript cryptography; this and other arguments are well-explained in Matasano’s article “Javascript Cryptography Considered Harmful“. This time, StrongCoin used this vulnerability to do good, but at the same time they have critically undermined the trustworthiness of their service; people use hybrid web wallets over centralized services like Coinbase precisely because they do not trust central service providers to always do the right thing.

It should be noted that the other major hybrid web wallet provider, Blockchain.info, has taken steps to protect their users against such an attack. Their web wallet is also offered in the form of a Chrome and Firefox extension, which is essentially equivalent to any other piece of desktop software with the sole difference being that it relies on the user’s browser to interpret its source code. Safari users also have a Wallet Verifier plugin, although its scope is much weaker.

The other issue is privacy. Explaining how they discovered that the thief was using their service, StrongCoin wrote that “Everytime you make a payment from StrongCoin the fee goes to 1STRonGxnFTeJiA7pgyneKknR29AwBM77 so any payments from strongcoin held accounts are easily traced back to the site.” Presumably, bitcoins from the theft were traced through the blockchain until one of the transactions made its way to StrongCoin, at that point establishing a direct link between the StrongCoin account and the thief. This actually marks the first time that a significant amount of money was successfully recovered using the help of blockchain analysis. Although blockchain analyses made by various researchers have been able to draw intricate graphs mapping Bitcoin transactions to a few high-profile users, until now the public transaction log in the Bitcoin blockchain had not managed to track down or stop a single large-scale theft – casting doubt on claims that Bitcoin is not anonymous. This incident does not imply that Bitcoin now has no privacy at all; StrongCoin’s counter-hack was only possible because the transaction came very soon after the original theft and the thief had not yet made any strong attempt at obfuscation, and StrongCoin’s wallet in particular is weak in terms of privacy because add transaction fees are sent to one particular address (1STRonGxnFTeJiA7pgyneKknR29AwBM77). However, it is still a worthy incident to point to when confronted with concerns that Bitcoin facilitates untraceable theft.

Those using StrongCoin should decide for themselves whether staying with StrongCoin is worth it. Those who enjoy StrongCoin for the user interface features should probably stay; StrongCoin has been in the Bitcoin community for a long time, and if users are willing to outright entrust their funds to exchanges it is not a leap to trust StrongCoin to do the right thing as well. Those who like the cryptographic client-side security aspect, on the other hand, should consider switching to Blockchain.info – or, better yet, a client-side wallet like Electrum. As for StrongCoin themselves, if they wish to maintain their status as a secure hybrid web wallet, they should quickly get to work on catching up with Blockchain.info and implement a Firefox and Chrome extension.