WARNING: Some TOR exit nodes are compromised and seem to hijack SSL sessions to clearnet Bitcoin wallets and exchanges

Just a big warning to the people that use TOR + clearnet sites like Blockchain.info.

Some hackers found a way to hijack SSL sessions to very popular sites like Blockchain.info.

There are even reports now that only a login to the online wallet could initiate a transfer to the hacking address.

This is not malware or a local hack; it relies on the TOR exit nodes when using these popular sites.

The list is not exhaustive and the flaw seems to be about SSL sessions.

I have personally lost a few Bitcoins to that in the last days.

Here is what happened to me:

I transferred some Bitcoins to a Blockchain.info wallet, used the wallet through TOR, initiated a SharedCoin transfer and it bugged... When I relogged on the wallet it was empty, with an outgoing transaction to the address mentioned.

I have a report of another user that lost far more than me by just logging on his blockchain.info wallet through TOR.

And to finish with here is a thread about a Chinese user that experienced the same problem for 633 BTC.

https://bitcointalk.org/index.php?topic=821829.0

The Bitcoin address that harvests the transactions from the hacked accounts is mentioned in the thread, the same one that received my transfer...

I have been in contact with Blockchain.info Support about my problem since the start, and it seems I was one of the first affected, so we had a hard time figuring out the problem. It seems there is nothing they can do anyway, as it is specifically related to the use of TOR.

Please relay the warning if you can to users of TOR + online wallets like blockchain.info. It is a serious problem and it is still too fresh to be sure of the details...

Once again I insist on the fact that it is not a local hack involving a problem with the user's computer but with TOR exit nodes, so please be very careful!!!


Comments


[8 Points] s1kx:

http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/


[7 Points] sharpshooter789:

I don't see how it's possible for hackers to "hijack" SSL/TLS connections unless they compromised the cert key, which is unlikely. It's much more likely it's a virus. Keep in mind that virus scanners are not very effective and are retroactive, so the AV company has to identify the virus before it's detected. Considering bitcoin transactions are not mainstream, it's likely AV companies are unaware of this virus.

That said, it is possible that hackers are injecting malicious JS code into non-HTTP connections to infect users.

edit: I haven't looked through blockchain.info and don't know how it works, but one other possibility is a CSRF, but this is unlikely to have gone unnoticed.
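Whatever the real root cause of the losses in this thread turns out to be, the client-side conditions that let an on-path node (a Tor exit among them) substitute its own certificate or downgrade the protocol can be checked without any network access. The Python below is an added example, not code from this thread, from blockchain.info or from the Tor project: it builds a strict client TLS context, audits a context for the settings a MITM would need to be missing (no chain verification, no hostname check, SSLv3 or early TLS allowed, which is what the SSL 3.0 story linked further down is about), and pins the server certificate's SHA-256 fingerprint. The pin value and the DER bytes are constructed placeholders; real pins must be taken from the genuine certificate out of band.

```python
import hashlib
import ssl
from typing import List, Set

# Constructed placeholder pin: NOT blockchain.info's real certificate fingerprint.
EXPECTED_CERT_FINGERPRINTS: Set[str] = {
    hashlib.sha256(b"constructed-example-certificate-der").hexdigest(),
}

# Protocol names exactly as ssl.SSLSocket.version() reports them.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def build_strict_client_context() -> ssl.SSLContext:
    """Client context that verifies the chain, checks the hostname and refuses SSLv3/early TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let an on-path node impersonate the server or downgrade."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak minimum protocol version: %s" % ctx.minimum_version.name)
    if not (ctx.options & ssl.OP_NO_SSLv3):
        findings.append("SSLv3 not disabled (downgrade to SSL 3.0 possible)")
    return findings


def certificate_is_pinned(cert_der: bytes, pins: Set[str] = EXPECTED_CERT_FINGERPRINTS) -> bool:
    """Compare the SHA-256 of the presented DER certificate against the pinned values."""
    return hashlib.sha256(cert_der).hexdigest() in pins


def session_is_trustworthy(negotiated_version: str, cert_der: bytes,
                           pins: Set[str] = EXPECTED_CERT_FINGERPRINTS) -> bool:
    """Post-handshake gate: refuse a downgraded protocol or a substituted certificate."""
    if negotiated_version not in ACCEPTABLE_VERSIONS:
        return False
    return certificate_is_pinned(cert_der, pins)


if __name__ == "__main__":
    strict = build_strict_client_context()
    print("strict context findings:", audit_client_context(strict))
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False          # must be cleared before verify_mode can be relaxed
    weak.verify_mode = ssl.CERT_NONE
    print("weak context findings:", audit_client_context(weak))
```

In a real client the last function is called after `ssock = ctx.wrap_socket(sock, server_hostname=host)` as `session_is_trustworthy(ssock.version(), ssock.getpeercert(binary_form=True))`; a `False` result means the session should be torn down rather than used to log in, regardless of which hop on the path caused it.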


[3 Points] asdfaf21:

Electrum is unaffected because it is a local client, correct?

Also, is coinbase affected?


[3 Points] Vendor_BBMC:

They weren't your bitcoins anyway.. you didn't have the public and private keys in a wallet app on your computer or phone.

For some reason, like everybody who loses bitcoin through crime, you let somebody you don't know on the internet administer them, instead of using a REAL bitcoin wallet. Not a web wallet.

There are no bitcoins. There is only THE BLOCKCHAIN, AND YOU.

Edit your address yourself over the internet, with a wallet. Don't ask another person, in York, UK, to do it for you.

Blockchain.info's server is more likely to have a key-stealing virus than your own computer. It doesn't matter how many computers your ip packets go through on the internet before getting to that server.

The wallet, containing the keys, is on blockchain.info's server, not on your computer, a TOR exit node, or any other computer or hop in between. If they let somebody else use the keys, they are totally culpable.

YOU don't have the keys to that blockchain address on your computer. Nor does an exit node. How can it be your fault?


[3 Points] cflatminor:

> Some hackers found a way to hijack SSL sessions to very popular sites like Blockchain.info. There are even reports now that only a login to the online wallet could initiate a transfer to the hacking address.

This does fit with the two recent losses reported here (SuWuu and nationalbud) but I would like to see some more information on this, especially since it might affect more than just blockchain wallets. Do you have any links to read up on it?


[3 Points] None:

[deleted]


[2 Points] silky_toss:

Is the Circle.com wallet one of those compromised too? Any substitutes to blockchain for small tumbling?


[2 Points] Texss:

Could it be related to this - https://au.news.yahoo.com/technology/a/25261272/google-discloses-vulnerability-in-ssl-web-encryption-technology/


[2 Points] None:

This is true, it happened to me. I don't know how, but as soon as I clicked send for a $1400 transaction it bugged out, then I logged out, then logged back in, and all my btc had been transferred to some random address.


[2 Points] everybodygetweird:

It's good to see you around gabralkhan, how have you been? Other than the btc of course... Sorry to hear about that. Thank you for passing along the information though.

It's very scary that they were able to do this. I think it's shit like this that is the biggest roadblock to mainstream bitcoin adoption amongst investors. It only takes a few stories like this to scare most of them away from bitcoin altogether. It sometimes makes me wonder if that is not the actual goal.

I'm very interested in how they chose you as a target. Any ideas, assuming your theory is correct?


[0 Points] uncertainID:

2FA