I never believed people who said a disruptive technology could be prone to attack, but on analysing the facts I realized that it is true. Uncovering the security vulnerability was like venom from a snake bite. In the rat race we often forget the basics, and that leads to disaster. The views expressed in this article are meant to get the attention of the blockchain community, so that it builds bullet-proof, or ‘proof-of-concept’, technologies of the future.
“Don’t let fear or insecurity stop you from trying new things. Believe in yourself. Do what you love. And most importantly, be kind to others, even if you don’t like them.” – Stacy London
The Story Begins…
At 1.30 pm, Mark was playing with his laptop. The keyboard said, “little slower…”. He whispered, “Shut up…”, waiting for a movement. “…I am working on something important.”
Once there was a wealthy princess named Bitcoin. She owned a Blockchain Kingdom. Miners worked day and night to mine the treasure called “Bitcoin”, a digital cryptocurrency. The power of the kingdom was the mining nodes, which were used as a powerful tool: computation power. They were spread across the kingdom in a ‘decentralized’ fashion. Their work was to mine Bitcoins and to guard the security of the kingdom. They used an unbreakable secret known as the Hash, a one-way function that cannot be reversed to recover the original text or value. Record keepers were muscular, tall and heavily built marshals who preserved the hash and verified the entry and exit of every hash. Integrity was checked and reported to secret agents, who kept the miners updated. Security was fully proven, and no one was powerful enough to break the system.
Suddenly there was an intruder. What? How did he get in? The Queen was annoyed. She cancelled the contract with the contractors and court-martialled the guards.
How could a fake entry be allowed to come in? How could security have been breached?
Here is where Mark came in…
He created a couple of random transactions and signed them using a wrong private key (secret key). Then he posted the transactions to Blockchain.info (a site that records all transactions on the blockchain). Et voilà! Access was granted, and the website in fact committed and accepted the fake transaction.
The problem was due to the ‘zero-confirmation API (ZCA)’. The transaction included a script string, a cryptographic proof that authorizes you to spend cryptocurrency. Using the wrong key still gets the transaction listed in the pool of unconfirmed transactions. The system could be tricked into believing that you have an intruder and funds are stolen, or, the other way around, that you have already received a payment.
The transaction will never get confirmed, but bugs like this could be disastrous. Imagine someone confirming a transfer of 300 Bitcoins while the other party is also tricked into believing it is real. The Cross-Site Scripting error can be exploited by hackers to gain access to your wallet and to the root domain server of your domain. This became clear when a security researcher discovered this bug on Blockchain.info.
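The lesson of the unconfirmed-transaction trick is that a receiving party must not treat a listing in a mempool or an explorer's unconfirmed pool as payment. Two checks close the gap: the transaction's signature (the script-string proof) must verify against the spender's public key, and the transaction must be buried under enough confirmations. The code below is an added example written for this article, not code from the original post or from Blockchain.info. It carries a small pure-Python secp256k1 ECDSA (the curve Bitcoin uses), signs a constructed payload with a genuine and a wrong key, and applies a merchant acceptance policy. All keys, the payload and the `confirmations` field are constructed placeholders; a real wallet signs a hash of the serialized transaction, DER-encodes the signature and takes the confirmation count from its own node, which this example stands in for.

```python
import hashlib
import hmac

# secp256k1 domain parameters, the curve Bitcoin uses for transaction signatures.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def _msg_hash(msg: bytes) -> int:
    # Bitcoin signs double-SHA256 of the serialized transaction; msg here is a constructed payload.
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def pubkey(priv: int):
    return _mul(priv, G)


def sign(priv: int, msg: bytes):
    """ECDSA sign. The nonce is derived deterministically (simplified, not RFC 6979)."""
    z = _msg_hash(msg)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % N
    if k == 0:
        raise ValueError("degenerate nonce; re-derive")
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; re-derive")
    return r, s


def verify(pub, msg: bytes, sig) -> bool:
    """ECDSA verify: True only if sig was produced with the private key matching pub."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = _msg_hash(msg)
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def accept_payment(tx: dict, min_confirmations: int = 6):
    """Merchant policy: credit a listed transaction only if its proof verifies AND it is confirmed."""
    if not verify(tx["pubkey"], tx["payload"], tx["signature"]):
        return False, "invalid signature: not spendable by the claimed key"
    if tx["confirmations"] < min_confirmations:  # 0 means it only sits in the unconfirmed pool
        return False, f"unconfirmed: {tx['confirmations']}/{min_confirmations} confirmations"
    return True, "credited"


# Constructed demo keys and payload (placeholders, not real Bitcoin keys or transactions).
ALICE_PRIV = int.from_bytes(hashlib.sha256(b"constructed key: alice").digest(), "big") % N
MALLORY_PRIV = int.from_bytes(hashlib.sha256(b"constructed key: mallory").digest(), "big") % N
ALICE_PUB = pubkey(ALICE_PRIV)
PAYLOAD = b"pay 300 BTC from alice-output-0 to merchant-address"  # constructed


def demo():
    good = {"pubkey": ALICE_PUB, "payload": PAYLOAD,
            "signature": sign(ALICE_PRIV, PAYLOAD), "confirmations": 0}
    forged = dict(good, signature=sign(MALLORY_PRIV, PAYLOAD))  # wrong key, as in the story
    return {
        "genuine_but_unconfirmed": accept_payment(good),
        "wrong_key": accept_payment(forged),
        "genuine_confirmed": accept_payment(dict(good, confirmations=6)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run as a script to see the three verdicts: the wrong-key transaction is rejected on its signature alone, the genuine transaction is held back until it has six confirmations, and only the confirmed one is credited. Any service that credits from the unconfirmed pool, as the zero-confirmation API described above did, skips both checks.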
The systems need to be patched, and the code must be error-free to stop attacks on blockchain-based projects and networks.
Blockchain technology has an enormous potential to bring a technology revolution and to change the way banking and transactions happen across the globe: how data is stored, how security is maintained, how records are authenticated, and much more. Blockchain reduces transaction costs, increases privacy and efficiency, and stamps the seal of trust. One must also keep in mind that a lot of re-engineering is happening in the background to disrupt this technology. We need a community of blockchain enthusiasts, researchers, developers, security researchers and an intelligent network to build an open culture of sharing threat intelligence. Uncovering a security risk also means fixing it.
“The pool is more powerful than one.”