Skip to content ↓ | Skip to navigation ↓

Trustwave’s security researchers Daniel Chechik and Ben Hayak put on an interesting briefing at Black Hat 2014, demonstrating how bitcoin transaction malleability works in practice. More specifically, they explained that the bitcoin attack against Mount Gox was successful because transaction messages are identified by a hash and verified by a signature.

The signature however is limited to ‘sensitive’ information, while the hash is of the entire transaction message. By changing a non-sensitive portion of the message, the hash changes but the signature does not. An attacker could then withdraw funds from Mt. Gox, tamper the transaction message and flood this message back into the bitcoin network.

At this point, it is a race condition and if the attacker succeeds in getting the bitcoin network to accept the modified transaction, the original or legitimate transaction will be rejected, making Mt. Gox think the customer did not get their funds when in fact they did.

Mt. Gox would then send a new transaction delivering the funds to the attacker’s wallet, again. Rinse and repeat and Mt. Gox found itself missing massive quantities of bitcoins. While Mt. Gox initially blamed this as a flaw in the bitcoin protocol, the problem was in fact, in Mt. Gox (and others’) implementations.

Transactions generally have a  one byte length specifier for transaction metadata. However, sometimes the metadata can exceed a one byte length specifier, which is why bitcoin allows for a special opcode to indicate longer length specifiers.

Using this approach, an attacker can take a message with 0x20 (32 bytes) of metadata and change it to have 0x0020 (32 bytes) specified. Now, although the metadata is exactly the same, the message has changed and therefore, the hash has changed. The affected bitcoin dispensaries failed to recognize when this header tampering was performed, which led to the multiple repeated coin transfers.

Ignoring for a second the questions that surround the true value of a bitcoin, the take home message from this talk is that signatures are a great way to authenticate transactional messages, but only when all important data is signed rather than the portions considered ‘sensitive.’

You can check out the slide deck for the presentation here (PDF).




picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Header image courtesy of Shutterstock.