TheSeven (Hero Member; Activity: 504; Merit: 500; FPGA Mining LLC)

Re: StrongCoin key leak.
April 03, 2013, 11:57:49 AM #11

Quote from: dogisland on April 03, 2013, 11:31:36 AM
Quote from: anfedorov on April 03, 2013, 10:35:59 AM
Quote from: dogisland on April 03, 2013, 07:46:02 AM
Quote from: no-reply@strongcoin.com

Over the Easter weekend due to a bug in the strongcoin interface hackers were able to access all encrypted private keys held on the Strongcoin server. This means for people who had weak passwords on their keys or people who had a lot of information in their clue field the BTC may have already been stolen.



This is a thread to answer questions on the StrongCoin key and clue field leak.


1) what was the bug? what do you mean by "interface"?

2) what are you doing to prevent such bugs from occurring again?

3) do you know of anyone's coins being stolen?


1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

2. I'm posting a notice on the site to advise people to use longer passwords. There was already a widget to give the user feedback as to how strong their password was.

3. Yes.


This sounds like the whole source code of the site should undergo a very tight review and penetration testing ASAP.
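
The bug described in the quoted answer (changing the id in a URL to see another user's encrypted key) is a missing object-level authorization check, and it is the kind of defect a review like the one suggested above would look for. The sketch below is an added example, not StrongCoin's code and not from any poster in this thread; the store layout, function names and sample records are all constructed assumptions.

```python
# Added illustration: object-level authorization on a key-retrieval lookup.
# Store layout, names and records are constructed; this is not StrongCoin's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRecord:
    key_id: int
    owner: str
    encrypted_key: str  # placeholder ciphertext strings, not real key material
    clue: str


# Constructed sample rows standing in for the server-side table.
STORE = {
    1: KeyRecord(1, "alice", "<ciphertext-A>", "clue A"),
    2: KeyRecord(2, "bob", "<ciphertext-B>", "clue B"),
}
DENIED = []  # (session_user, key_id) pairs, kept so refused reads can be alerted on


class NotFound(Exception):
    """Same error for 'no such id' and 'not yours', so ids cannot be probed."""


def get_key_unscoped(session_user: str, key_id: int) -> KeyRecord:
    # Flawed form: the id from the URL is trusted and the authenticated
    # user is never compared with the record's owner.
    record = STORE.get(key_id)
    if record is None:
        raise NotFound(key_id)
    return record


def get_key_scoped(session_user: str, key_id: int) -> KeyRecord:
    # Corrected form: the lookup is bound to the session identity.
    record = STORE.get(key_id)
    if record is None:
        raise NotFound(key_id)
    if record.owner != session_user:
        DENIED.append((session_user, key_id))  # audit trail for detection
        raise NotFound(key_id)
    return record


def can_read(lookup, session_user: str, key_id: int) -> bool:
    """True if `lookup` returns a record for this user and id."""
    try:
        lookup(session_user, key_id)
        return True
    except NotFound:
        return False
```
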