I really don't miss VB6

Posted: Mon Mar 07, 2016 2:01 pm
by dandymcgee
Was browsing StackOverflow to see if the CLR has a decent generic sorted list implementation, and got a good chuckle from this heavily downvoted (yet inarguably creative) proposal:

http://stackoverflow.com/a/196615/770230

Like I said: I really don't miss VB6.

Re: I really don't miss VB6

Posted: Fri Mar 11, 2016 3:03 am
by K-Bal
That is hilarious in a horrible way.

Re: I really don't miss VB6

Posted: Fri Mar 11, 2016 3:22 am
by bbguimaraes
This reminds me of that software (can't remember which one) that, instead of generating a random number locally, made an HTTP request to some website. And it was worse, because they didn't check for errors, so one day the website went down (or changed the API, or something) and now all clients had the same seed: the error message. I think that was the most shameful vulnerability I've ever heard of. Does anyone remember what it was?

Re: I really don't miss VB6

Posted: Sat Mar 12, 2016 12:17 pm
by dandymcgee
bbguimaraes wrote:This reminds me of that software (can't remember which one) that, instead of generating a random number locally, made an HTTP request to some website. And it was worse, because they didn't check for errors, so one day the website went down (or changed the API, or something) and now all clients had the same seed: the error message. I think that was the most shameful vulnerability I've ever heard of. Does anyone remember what it was?
Lmao, never heard of that. That's a *gaping* security hole. It's so easy to proxy that request to MITM... Hopefully it wasn't used for anything important.

Re: I really don't miss VB6

Posted: Mon Mar 14, 2016 5:31 am
by bbguimaraes
dandymcgee wrote:Lmao, never heard of that. That's a *gaping* security hole. It's so easy to proxy that request to MITM... Hopefully it wasn't used for anything important.
Just spent half an hour heavily searching my brain/the internet, here it is. I recommend reading the entire article. When they say "a comedy of programming errors", they really mean it:
The most serious of the flaws is the use of the unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.
And that's what protected the bitcoin wallets of users.
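The failure mode in the quoted article, as an added example that is not code from the thread or from the wallet app it describes: an HTTP client that treats whatever body comes back as entropy, next to a version that derives keys from the local CSPRNG and treats anything other than a validated 200 as a hard error. The raw HTTP responses, the hex body format and the use of SHA-256 as a stand-in for real key derivation are all assumptions made for the demo; the only claim taken from the article is that a redirect page used as a seed gives every client the same key.

```python
"""Demo: network response used as entropy (vulnerable) vs. local CSPRNG (hardened).

Illustrative code only. The HTTP responses below are constructed by hand; they
are not captured traffic, and SHA-256 stands in for real private-key derivation.
"""
import hashlib
import os


# Constructed stand-ins for what an unencrypted fetch might return. The second
# one is what the article describes: a 301 instead of random data.
OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n"
)
REDIRECT_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.random.org/\r\n\r\n"
    b"<html><body>301 Moved Permanently</body></html>\n"
)


class BadEntropySource(Exception):
    """Raised when a remote entropy response must not be used."""


def parse_http_response(raw):
    """Minimal HTTP/1.x response parser: returns {'status': int, 'body': bytes}."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    return {"status": int(parts[1]), "body": body}


def vulnerable_private_key(raw_response):
    """The bug: no status check, no validation, and the body is the whole seed.

    Every client that receives the same error page derives the same key."""
    response = parse_http_response(raw_response)
    return hashlib.sha256(response["body"]).hexdigest()


def fetch_remote_entropy(raw_response):
    """Strictly validate a remote entropy response.

    Only a 200 whose body is exactly 32 bytes of hex is accepted; anything else
    raises, and callers must never fall back to using the body anyway."""
    response = parse_http_response(raw_response)
    if response["status"] != 200:
        raise BadEntropySource("unexpected HTTP status %d" % response["status"])
    body = response["body"].strip()
    if len(body) != 64 or any(c not in b"0123456789abcdef" for c in body):
        raise BadEntropySource("body is not 32 bytes of hex")
    return bytes.fromhex(body.decode("ascii"))


def hardened_private_key(extra_entropy=None):
    """Keys come from the OS CSPRNG. Remote bytes, if any, are only mixed in,
    so a wrong, stale or attacker-controlled server cannot determine the key."""
    h = hashlib.sha256(os.urandom(32))
    if extra_entropy is not None:
        h.update(extra_entropy)
    return h.hexdigest()


if __name__ == "__main__":
    # Two "clients" hitting the redirected endpoint get the identical key.
    print("client A:", vulnerable_private_key(REDIRECT_RESPONSE))
    print("client B:", vulnerable_private_key(REDIRECT_RESPONSE))
    try:
        fetch_remote_entropy(REDIRECT_RESPONSE)
    except BadEntropySource as e:
        print("hardened client refuses redirect:", e)
    print("hardened:", hardened_private_key(fetch_remote_entropy(OK_RESPONSE)))
```

Running it shows client A and client B printing the same digest for the redirect page, while the hardened path refuses the redirect and produces a different key on every run even when given the same valid remote bytes. The real fix is the last point: the local CSPRNG is the key source and the network, if used at all, only adds to it.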

Re: I really don't miss VB6

Posted: Mon Mar 14, 2016 6:22 pm
by dandymcgee
bbguimaraes wrote:
dandymcgee wrote:Lmao, never heard of that. That's a *gaping* security hole. It's so easy to proxy that request to MITM... Hopefully it wasn't used for anything important.
Just spent half an hour heavily searching my brain/the internet, here it is. I recommend reading the entire article. When they say "a comedy of programming errors", they really mean it:
The most serious of the flaws is the use of the unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.
And that's what protected the bitcoin wallets of users.
Why did I know it was going to be random.org before you even posted this..? Rofl. :nono: