4/23 - urgent counterwallet.co security notice


[size=12pt]4/23 - URGENT SECURITY NOTICE[/size]


With our focus on maximizing the security of Counterwallet, we now have two experts (a bitcoinjslib expert, and a web application security expert) in the process of reviewing the codebase.


What Happened
Due in part to this process, we have been notified of a security bug in bitcoinjs-lib (the bitcoin javascript library counterwallet uses) that was internally disclosed to us by the bitcoinjs-lib team yesterday evening. We worked with them on applying a fix, which was made live late last night, and this security notice was drafted pending confirmation from the team. However, it appears the bug has already been exploited in the wild to take BTC.


A list of these addresses is available here: https://blockchain.info/tx/474cce51a9c4b265d4da0257acb21a554563fd41200970996e2b8914dc6f1d68
(if you were a counterwallet user that was affected whose address is NOT on this list, please let us know)


Who is affected?
This bug affected the new counterwallet.co wallet (the old.counterwallet.co seems to be unaffected, and counterpartyd users / BootleXCP users are NOT affected). Also, the bug only affects addresses that have made two or more transactions from a given address, and then, will only affect that address. At this point, it appears only BTC was taken, from a subset of counterwallet users.


What do I do?


[color=red]To be safe, we want ALL users with a wallet created on counterwallet.co to immediately go through the following procedure:[/color]


1. Log into your existing wallet account
2. Retrieve and copy down the private key for each address in your wallet (for each address, click on Address Actions, then Show Private Key, and copy that down)
3. Log out of the site, and then click Create New Wallet, and then log in with that new passphrase
4. Utilize the Import Funds feature to move the assets over.


Alternatively (if having problems with sweep), one can create the new wallet, then log into the old wallet and manually send the funds over. Please send over ALL funds, including XCP and other Counterparty assets.


I lost BTC. Can I get it back?
The Counterparty team is preparing a reimbursement program for people impacted by this bug. More details will be posted shortly.

EDIT: After creating your new wallet and transferring the funds over, send an email to dev@counterparty.co including:
[list]
[li]a new address to which to send the reimbursed BTC funds[/li]
[li]the passphrase of the compromised wallet (i.e. the one with the address from which the funds were stolen). Please only send this passphrase after you have moved all of the funds out of this wallet. Unfortunately, we need this passphrase to prove that you are the actual owner of the address in this situation, as signing a message from the compromised address is not enough here, as the hacker could do that, as well.
Please keep in mind that the Counterparty team will never ask for the passphrase of a wallet which holds funds[/li]
[/list]

Thanks guys for working with us to get counterwallet (and bitcoinjs-lib) through their paces. We remain committed to security of the web wallet, and will be continuing to make improvements on this front and work with our partners to do so.

Good to know! Thanks for being on top of this.


Not a big deal, but our chat handles don’t transfer.

hmm … I wouldn’t mind this but you need to make the fees more obvious. I don’t think I’ve seen them detailed clearly anywhere.


So, there’s a helpful message at sweep "We’re not able to sweep all of the assets you selected. Please send 0.0010914 BTC transactions to address …"

I do exactly that and then get a message
"We’re not able to sweep all of the assets you selected. Please send 0.0002 BTC transactions to address …"

I haven’t time to deal with this atm and I expect that amount is too small to send exactly.
If I send more BTC than required, will that sweep to the new address?

So, I sent more than was required in BTC to the old address, in order to check this process and in the hope of sweeping that cleanly. Most BTC and XCP are now in the new wallet.

The BTC balance in the old wallet suggests 0.0 BTC and yet Blockchain suggests the result is dust = 0.1086 mBTC, which is unfortunate though not important; it would be nice if sweep did leave accounts clean.

I wonder whether the wallets would do better talking in mBTC not BTC; perhaps that’s why the dust shows as zero in the old account?

[quote author=davidpbrown link=topic=289.msg2066#msg2066 date=1398341629]
So, I sent more than was required in BTC to the old address, in order to check this process and in the hope of sweeping that cleanly. Most BTC and XCP are now in the new wallet.

The BTC balance in the old wallet suggests 0.0 BTC and yet Blockchain suggests the result is dust = 0.1086 mBTC, which is unfortunate though not important; it would be nice if sweep did leave accounts clean.

I wonder whether the wallets would do better talking in mBTC not BTC; perhaps that’s why the dust shows as zero in the old account?
[/quote]


We have some sweeping enhancements slated to be put into production today or tomorrow (as 1.1.4). If, after that, you are still getting these kinds of issues, feel free to reach out to dev@counterparty.co, as ouziel is working through these kinds of things.

Firefox 24.4.4 here, and I can no longer access the site. Is it possible to give the “Your browser is not supported with Counterwallet” popup an X button? As an aside, the links to Firefox and Chrome browsers are 404ing.

[quote]Counterwallet’s security features require a newer browser than what you are using. We recommend Chrome for the best user experience. Also, note that Microsoft Internet Explorer is not supported due to its lack of full support for Content-Security-Policy restrictions.[/quote]

Is this really the end for Firefox 24? What are the risks?

Interesting to see there is an ESR (Extended Support Release) for Firefox 24. Perhaps there is a simple check against the latest version (28) that is not recognising that.

[quote author=TeamAmerica link=topic=289.msg2071#msg2071 date=1398389509]
Firefox 24.4.4 here, and I can no longer access the site. Is it possible to give the “Your browser is not supported with Counterwallet” popup an X button? As an aside, the links to Firefox and Chrome browsers are 404ing.

[quote]Counterwallet’s security features require a newer browser than what you are using. We recommend Chrome for the best user experience. Also, note that Microsoft Internet Explorer is not supported due to its lack of full support for Content-Security-Policy restrictions.[/quote]

Is this really the end for Firefox 24? What are the risks?
[/quote]


Is that for the tor browser? Firefox 24 doesn’t support the new Content Security Policy headers; however, as the tor browser still seems to be on v24, I may apply a fix for that.


Thanks for the heads up on the 404s, I think I fixed the broken links…will be pushed out in next update.
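The reply above turns on one point: a Content-Security-Policy header only protects a wallet page if the browser actually understands and enforces it, which is why unsupported browsers are refused. The following is an added example (not Counterwallet's or bitcoinjs-lib's code) that models that check: it looks for the CSP header names a response carries, works out which policy a given browser would enforce from the header names it understands (the list of names and the browser capabilities are assumptions made for the example), and audits a policy string for settings that would weaken script restrictions. The sample policies and headers are constructed.

```python
"""Content-Security-Policy header inspection and audit (added example)."""
from typing import Dict, List, Optional, Tuple

# Header names that have carried CSP policies: the standard name plus the
# vendor-prefixed names that predate it. Which of these a particular browser
# version enforces is an assumption supplied by the caller, not checked here.
CSP_HEADER_NAMES = (
    "content-security-policy",
    "x-content-security-policy",
    "x-webkit-csp",
)

# Constructed sample policies for the demonstration.
STRICT_POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
                 "img-src 'self'; style-src 'self'")
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        parts = clause.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        directives.setdefault(name, []).extend(sources)
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return findings for settings that would let injected script run."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("no default-src: directives without an explicit entry are unrestricted")
    # script-src falls back to default-src when absent, as the spec defines.
    script_sources = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts would execute")
    if "'unsafe-eval'" in script_sources:
        findings.append("script-src allows 'unsafe-eval': string-to-code evaluation permitted")
    if "*" in script_sources or any(s.startswith("http:") for s in script_sources):
        findings.append("script-src allows wildcard or plaintext-http sources")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src not restricted: plugin content could be loaded")
    return findings


def find_csp_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the CSP headers present in a response, keyed by lower-cased name."""
    return {k.lower(): v for k, v in headers.items() if k.lower() in CSP_HEADER_NAMES}


def enforced_policy(headers: Dict[str, str],
                    understood_names: Tuple[str, ...]) -> Optional[str]:
    """Policy a browser would enforce, given the header names it understands.

    Returns None when the response carries no header the browser recognises,
    which is the situation the wallet guards against by refusing old browsers.
    """
    present = find_csp_headers(headers)
    for name in understood_names:
        if name in present:
            return present[name]
    return None


if __name__ == "__main__":
    # Constructed response headers: the page serves only the standard header.
    response_headers = {"Content-Security-Policy": STRICT_POLICY}
    modern = ("content-security-policy",)            # assumption: understands standard header
    legacy = ("x-content-security-policy",)          # assumption: prefixed header only
    print("modern browser enforces:", enforced_policy(response_headers, modern))
    print("legacy browser enforces:", enforced_policy(response_headers, legacy))
    for label, policy in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        print(label, "findings:", audit_csp(policy) or ["none"])
```

Run as-is, the legacy browser ends up with no enforced policy even though the server sent one, which is the failure mode a wallet page cannot tolerate; serving the strict policy only helps where `enforced_policy` returns it.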

[quote author=xnova link=topic=289.msg2059#msg2059 date=1398258853]


I lost BTC. Can I get it back?
The Counterparty team is preparing a reimbursement program for people impacted by this bug. More details will be posted shortly.

EDIT: After creating your new wallet and transferring the funds over, send an email to dev@counterparty.co  including:
[list]
[li]a new address to which to send the reimbursed BTC funds[/li]
[/list][/quote]


I had 30 XCP and 0.1 BTC* plus some additional XCP from the other site (Adam Levine’s) but now both wallets (old and new) are empty. Is there a way for me to recover these?


*
https://forums.counterparty.co/index.php/topic,184.msg1702.html#msg1702 and https://forums.counterparty.co/index.php/topic,184.msg1702.html#msg1704

Hello XNova,


I have one counterwallet.co wallet created very soon, I think it was the first day you guys released on production (non-test), on 4/7. I moved my XCP from Poloniex and just left it there as investment/support of the project until yesterday, when I just logged in.


The address where I sent the money is not in my counterparty wallet, and I can still see the XCP if I create a watch-only address.


XCP
47.59250001
14NCxmQPm93sQ7a9Y7PJR54PS1aavv6aCR
2014-04-07 12:45:04
COMPLETE: 38d580fd88e174e411c691e854189b45a1bd8b0fd5377d13be8bc823bb742141


This is the transaction


http://www.blockscan.com/assetbyaddress.aspx?q=14NCxmQPm93sQ7a9Y7PJR54PS1aavv6aCR


http://www.blockscan.com/address.aspx?q=14NCxmQPm93sQ7a9Y7PJR54PS1aavv6aCR




As I have been reading the recent notes on the counterwallet page, I tried adding "old " + 12 words but it is not there, and I have been reading all of the technical support thread backwards in time on https://forums.counterparty.co/index.php/topic,188.255.html


I tried with the Counterwallethelper as well (from one of the posts in the thread going backwards)


python CounterWalletHelper.py wallet --pass-phrase 'my 12 words here …' --search-depth 10000 --old | grep '14NC'


but nothing.


Somebody (Porqupine) on the thread suggested the following:


---------------------------------------------------------------------
Re: Counterwallet: Bug report & technical support thread
« Reply #262 on: Today at 04:43:44 pm »


4/7 would make it prior to https://forums.counterparty.co/index.php?topic=289.0 
Which was 4/23, when a security exploit in bitcoin-js lib got fixed. My guess is that you want the old, old wallet - which I actually don’t have a copy of, but I think xnova or jah power bit should be able to help you.
---------------------------------------------------------------------




Is there anything that can be done to find those funds?


Thanks in advance,