Trustwave’s security researchers Daniel Chechik and Ben Hayak put on an interesting briefing at Black Hat 2014, demonstrating how bitcoin transaction malleability works in practice. More specifically, they explained that the bitcoin attack against Mt. Gox was successful because transaction messages are identified by a hash and verified by a signature.
The signature, however, covers only the ‘sensitive’ information, while the hash is computed over the entire transaction message. By changing a non-sensitive portion of the message, the hash changes but the signature remains valid. An attacker could then withdraw funds from Mt. Gox, tamper with the transaction message and flood the modified message back into the bitcoin network.
At this point it becomes a race, and if the attacker succeeds in getting the bitcoin network to accept the modified transaction, the original, legitimate transaction is rejected, making Mt. Gox think the customer did not receive their funds when in fact they did.
Mt. Gox would then send a new transaction delivering the funds to the attacker’s wallet again. Rinse and repeat, and Mt. Gox found itself missing massive quantities of bitcoins. While Mt. Gox initially blamed this on a flaw in the bitcoin protocol, the problem was in fact in the implementations of Mt. Gox (and others).
Transactions generally have a one-byte length specifier for transaction metadata. However, the metadata can sometimes exceed what a one-byte length specifier can express, which is why bitcoin allows a special opcode that introduces a longer length specifier.
Using this approach, an attacker can take a message with 0x20 (32 bytes) of metadata and re-encode it to specify the same length as 0x0020 (still 32 bytes). Although the metadata itself is exactly the same, the message bytes have changed and therefore the hash has changed. The affected bitcoin dispensaries failed to recognize when this header tampering had been performed, which led to the multiple repeated coin transfers.
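To make the mechanism concrete, the following is an added example (not code from the talk or the slides) that builds a one-input, one-output transaction with constructed placeholder fields, encodes the same 32-byte push two ways (the minimal one-byte length versus the opcode-introduced two-byte length), and shows that the decoded data and the signed portion are identical while the transaction id differs. The opcode values and the double-SHA-256 transaction id are bitcoin’s; the transaction contents, the payload, and the simplified `signed_view` (which drops the scriptSig outright instead of performing the full SIGHASH substitution) are assumptions made for the illustration. It also shows the check a receiving service should apply: re-encode every push minimally and refuse anything that does not match byte for byte.

```python
"""Added example: the same push data, two length encodings, two transaction ids.

All transaction fields below are constructed placeholders; only the opcode
numbers and the txid computation follow bitcoin's real rules.
"""
import hashlib

# Real bitcoin Script opcodes that introduce 1-, 2- and 4-byte length specifiers.
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def compact_size(n: int) -> bytes:
    """Bitcoin's variable-length integer, used for counts and script lengths."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")


def encode_push(data: bytes, form: str = "minimal") -> bytes:
    """Serialize one data push. 'minimal' picks the shortest legal encoding;
    the named forms are the redundant encodings an interpreter also accepts."""
    n = len(data)
    if form == "minimal":
        form = "direct" if n <= 75 else "pushdata1" if n <= 0xFF else "pushdata2" if n <= 0xFFFF else "pushdata4"
    if form == "direct":
        if n > 75:
            raise ValueError("direct push is limited to 75 bytes")
        return bytes([n]) + data                                        # one-byte length, e.g. 0x20
    if form == "pushdata1":
        return bytes([OP_PUSHDATA1, n]) + data                          # 0x4c + one-byte length
    if form == "pushdata2":
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data   # 0x4d + two-byte length (0x20 0x00)
    if form == "pushdata4":
        return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + data
    raise ValueError(form)


def decode_pushes(script: bytes) -> list:
    """Parse a push-only script into its data items, accepting every length encoding."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if op <= 75:
            n = op
        elif op == OP_PUSHDATA1:
            n, i = script[i], i + 1
        elif op == OP_PUSHDATA2:
            n, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        elif op == OP_PUSHDATA4:
            n, i = int.from_bytes(script[i:i + 4], "little"), i + 4
        else:
            raise ValueError(f"non-push opcode 0x{op:02x}")
        if i + n > len(script):
            raise ValueError("truncated push")
        items.append(script[i:i + n])
        i += n
    return items


def is_minimally_encoded(script: bytes) -> bool:
    """Defender's check: re-encode every push minimally and compare byte for byte.
    A mismatch means a longer-than-necessary length specifier was used."""
    return b"".join(encode_push(item) for item in decode_pushes(script)) == script


def serialize_tx(script_sig: bytes) -> bytes:
    """Legacy one-input, one-output transaction with constructed placeholder fields."""
    prev_txid, prev_index = bytes(32), (0).to_bytes(4, "little")       # constructed outpoint
    sequence, locktime = b"\xff\xff\xff\xff", bytes(4)
    value = (100_000).to_bytes(8, "little")                            # constructed amount in satoshi
    script_pubkey = b"\x76\xa9\x14" + bytes(20) + b"\x88\xac"          # P2PKH with a zero placeholder hash160
    return ((1).to_bytes(4, "little")
            + compact_size(1) + prev_txid + prev_index
            + compact_size(len(script_sig)) + script_sig + sequence
            + compact_size(1) + value + compact_size(len(script_pubkey)) + script_pubkey
            + locktime)


def txid(tx: bytes) -> str:
    """Transaction id: double SHA-256 over the whole serialization, displayed byte-reversed."""
    return hashlib.sha256(hashlib.sha256(tx).digest()).digest()[::-1].hex()


def signed_view(_script_sig: bytes) -> bytes:
    """Simplified model of what the signature commits to: the transaction with the
    scriptSig removed. The argument is deliberately ignored, because the scriptSig
    bytes are exactly what the signature does not cover."""
    return serialize_tx(b"")


def compare_encodings(payload: bytes) -> dict:
    """Encode one payload minimally and with OP_PUSHDATA2, then compare the outcomes."""
    canonical = encode_push(payload, "minimal")      # 0x20 + 32 bytes
    mutated = encode_push(payload, "pushdata2")      # 0x4d 0x20 0x00 + the same 32 bytes
    return {
        "same_data": decode_pushes(canonical) == decode_pushes(mutated),
        "canonical_txid": txid(serialize_tx(canonical)),
        "mutated_txid": txid(serialize_tx(mutated)),
        "same_signed_view": signed_view(canonical) == signed_view(mutated),
        "canonical_is_minimal": is_minimally_encoded(canonical),
        "mutated_is_minimal": is_minimally_encoded(mutated),
    }


if __name__ == "__main__":
    for key, val in compare_encodings(bytes(range(32))).items():   # constructed 32-byte payload
        print(f"{key}: {val}")
```

Running it prints two different transaction ids for byte-identical push data, with the signed view unchanged, which is the malleability the talk describes. The last two fields are the mitigation: a service that tracks its withdrawals by a hash should either refuse non-minimal encodings before broadcasting, or stop treating the transaction id as the identity of a payment it has not seen confirmed.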
Ignoring for a second the questions that surround the true value of a bitcoin, the take-home message from this talk is that signatures are a great way to authenticate transactional messages, but only when all important data is signed rather than just the portions considered ‘sensitive.’
You can check out the slide deck for the presentation here (PDF).