THELOGICALINDIAN - Ryan Castellucci, a security researcher at digital fraud firm White Ops, found that there could be a flaw through which bitcoin passwords can be traced to steal funds. This might be possible through brainwallets, wherein bitcoin passwords are stored in the memory of the user as a long word or phrase that interacts with the blockchain.
In particular, the brainwallet password can be traced to the private key, then to the public key, and eventually to the bitcoin wallet address. Castellucci presented his findings at the DEF CON 23 annual global hacker convention.
Brainwallet bitcoin passwords aim to add an extra layer of security to digital wallets, but Castellucci says that this could expose a critical flaw. He pointed out that the final bitcoin address is saved in the blockchain much like a password hash, which helps in verifying whether the word or phrase is correct when used for website authentication. With that, it can be used as a reference by malicious parties when trying to guess the bitcoin password. He added that using an offline attack can allow criminals to quickly find out which passwords are valid.
To demonstrate, Castellucci unveiled his brainwallet cracker, called Brainflayer, during the convention. This software is able to guess 130,000 passwords per second, and even more when run on more powerful computers. It is estimated that Brainflayer can guess 500 million passphrases for just a dollar.
Fortunately, Castellucci is an ethical hacker who looks into potential loopholes that might break a particular system, allowing industry experts to find a solution before criminals exploit the flaw. However, Castellucci also said that some members of the industry might just choose to ignore his warnings until a working proof of concept is presented.
“You can scream from the rooftops that something is weak and vulnerable, but many people will just stay in denial without a working proof of concept. I think that the concept of letting people choose their own passwords and passphrases for high security applications is fundamentally flawed,” he said in an interview with CoinDesk.