Blockchain.info Bug Took One Month To Fix

August 20, 2014
Blockchain.info has been offering Bitcoin wallet and block explorer services since 2011.

Reddit user 1a5f9842524 posted on /r/bitcoin detailing Blockchain.info’s response to what the user described as a “critical vulnerability.” The user specifically called out Andreas Antonopoulos, who has been viewed as a consistently positive figure in the Bitcoin community and a figurehead of sorts, though the user chose to paint this development as an antithesis to that persona. The post contains screenshots of a ticket submitted to Blockchain.info support in late July and the responses that followed. The exact details of the vulnerability, which affects the “wallet, API and shared coin services,” have been blanked out for obvious reasons. Blockchain has gone on record as stating the bug was of a medium level, while 1a5f9842524 maintains that it was critical. Either way, the bug is supposedly fixed now.


User 1a5f9842524 is seemingly a white hat hacker of sorts and wanted to report a vulnerability that, in his mind, needed immediate attention. Blockchain.info support responded repeatedly that the issue would be resolved eventually, while 1a5f9842524 bumped the thread over the course of a month in an attempt to get the issue resolved.

Andreas Antonopoulos has already responded under his Reddit handle of andreasma:

We encourage responsible security disclosure through a program with Crowdcurity:

https://www.crowdcurity.com/blockchain-info

I will look into this ticket right away and see what is going on. It had not come to my attention, possibly was being handled directly by the development team.

This was followed up by a response from 1a5f9842524:

There’s no link to that page from the blockchain.info website, so saying you are “encouraging” it is a complete lie.
https://google.com/search?q=site:blockchain.info%20https://www.crowdcurity.com/blockchain-info
At no point did your support team tell me this exists either.

What followed was a back-and-forth between the two, which contains apologies from Andreas, though he goes on to express disappointment over the Reddit post, which reads as a personal attack. 1a5f9842524 blames Andreas for the revealed shortcomings in Blockchain.info’s security, given that Andreas is Blockchain.info’s listed Chief Security Officer. Andreas revealed that he had not heard of the specific bug report yet, but that the Blockchain.info dev team already had a fix that just needed to be rolled out. Of course, that is just a summary, and I would urge you to read the conversation in full.

Blockchain.info implemented the patch for the bug during a 2-hour maintenance hiatus earlier this morning.

Andreas Antonopoulos

Andreas Antonopoulos has been an incredibly prominent figure in Bitcoin since its very early days. He has been consistently popular with the community for his public image and entrepreneurial qualities. His personal website, antonopoulos.com, reads:

As a bitcoin entrepreneur, Andreas has founded three bitcoin businesses and launched several community open-source projects. He often writes articles and blog posts on bitcoin, is a permanent host on Let’s Talk Bitcoin and prolific public speaker at technology events. Andreas is also writing a bitcoin book for developers, for O’Reilly Media.

Andreas serves on the advisory boards of several bitcoin startups and serves as the Chief Security Officer of Blockchain. He is available for limited-scope strategic consulting projects.

Does this change your opinion on Andreas Antonopoulos? What are your experiences reporting bugs to Bitcoin services? Let us know in the comments.

Last modified (UTC): August 21, 2014 00:27

Samuel Barnes @gravysam

Computer Science Student. Excited for the future of cryptocurrencies.