Recently Discovered Bitcoin Vulnerability Is Even Worse Than Previously Thought

Siamak Masnavi

On Monday (17 September 2018), a vulnerability in Bitcoin Core (Bitcoin's reference implementation), now tracked as CVE-2018-17144, was reported anonymously to the Bitcoin Core developers and to some projects that reuse its code, such as "Bitcoin ABC" and "Bitcoin Unlimited", the two leading full-node implementations of the Bitcoin Cash protocol. The bug had existed since Bitcoin Core version 0.14.0 (released on 8 March 2017), and the report described it as a denial-of-service (DoS) bug.

As covered by CryptoGlobe, Bitcoin Core developers came up with a fix for this bug the next day (18 September 2018), and released it as part of Bitcoin Core versions 0.16.3 and 0.17.0rc4. They urged anyone running vulnerable versions of Bitcoin Core (i.e. 0.14.0 up to and including 0.16.2) to upgrade to version 0.16.3 as soon as possible.

However, shortly after fixing the vulnerability, the Bitcoin Core developers discovered that the underlying code defect was more serious than the report suggested: besides crashing nodes, the same bug could be exploited to inflate the bitcoin supply, i.e. to create bitcoins beyond the issuance schedule and its 21 million cap, devaluing existing bitcoins. According to the disclosure report published later, the defect was a sanity check that block validation had stopped performing: a block containing a transaction that spends the same output twice was no longer rejected outright, so a miner could craft a block that either crashes vulnerable nodes or, depending on the node's internal state, has the duplicated input accepted, letting the miner claim the same coins twice.
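To make the two outcomes concrete, here is a simplified model of the missing check. This is an added example, not code from the article or from Bitcoin Core: the transaction, outpoint and UTXO structures are toy versions, the block and the 100-satoshi coin are constructed for the illustration, and the accounting around the check (inputs are valued before any of them is removed, and removing an already-removed outpoint is a no-op) is an assumed simplification of the accepted-duplicate case rather than Bitcoin Core's exact cache mechanics. The check itself, rejecting a transaction whose inputs list one outpoint twice, is the class of check the disclosure describes.

```python
"""Simplified model of a duplicate-input check during block validation.

Added example, not Bitcoin Core's own code: transactions, outpoints and the
UTXO set are toy structures, and the block used below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OutPoint:
    txid: str
    index: int


@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]   # empty for the coinbase
    outputs: List[int]       # amounts in satoshi


class ValidationError(Exception):
    pass


def check_transaction(tx: Tx) -> None:
    """Context-free sanity check: a transaction may not list one outpoint twice.

    This is the kind of check that, per the disclosure, block validation
    stopped performing in 0.14.0 while it was still applied to unconfirmed
    transactions received over the network (hence only a miner could trigger it).
    """
    seen = set()
    for op in tx.inputs:
        if op in seen:
            raise ValidationError(f"{tx.txid}: duplicate input {op}")
        seen.add(op)


def connect_block(block: List[Tx], utxo: Dict[OutPoint, int],
                  check_duplicates: bool = True) -> Dict[OutPoint, int]:
    """Apply a block to a copy of the UTXO set and return the new set.

    With check_duplicates=False the duplicate-input check is skipped. Input
    value is summed by looking each input up before any of them is removed,
    and removing an already-removed outpoint is a no-op, so a duplicated
    input is counted twice and the transaction is accepted with more output
    value than the coins it actually consumes (assumed simplification of the
    accepted-duplicate case, not the real cache logic).
    """
    view = dict(utxo)
    for i, tx in enumerate(block):
        if check_duplicates:
            check_transaction(tx)
        if i == 0:
            # coinbase: creates outputs without inputs (subsidy rules omitted)
            for n, amt in enumerate(tx.outputs):
                view[OutPoint(tx.txid, n)] = amt
            continue
        in_value = 0
        for op in tx.inputs:
            if op not in view:
                raise ValidationError(f"{tx.txid}: missing or spent input {op}")
            in_value += view[op]
        if sum(tx.outputs) > in_value:
            raise ValidationError(f"{tx.txid}: outputs exceed inputs")
        for op in tx.inputs:
            view.pop(op, None)
        for n, amt in enumerate(tx.outputs):
            view[OutPoint(tx.txid, n)] = amt
    return view


def supply_change(block: List[Tx], utxo: Dict[OutPoint, int],
                  check_duplicates: bool = True) -> Optional[int]:
    """Change in total UTXO value caused by a block, or None if it is rejected.

    Any increase beyond the coinbase outputs is coins created from nothing.
    """
    try:
        new = connect_block(block, utxo, check_duplicates)
    except ValidationError:
        return None
    return sum(new.values()) - sum(utxo.values())


# Constructed scenario: one existing coin worth 100 sat; the block's second
# transaction spends that same coin twice and claims 200 sat of outputs.
COIN = OutPoint("a" * 64, 0)
UTXO = {COIN: 100}
BLOCK = [
    Tx("c" * 64, [], [0]),           # coinbase with a zero-value output
    Tx("t" * 64, [COIN, COIN], [200]),
]

if __name__ == "__main__":
    print("with check:", supply_change(BLOCK, UTXO))             # None (block rejected)
    print("without check:", supply_change(BLOCK, UTXO, False))   # 100 (created from nothing)
```

Note that two different transactions in one block spending the same coin are still caught even without the check, because the second lookup finds the coin gone; it is only the same transaction listing one outpoint twice that slips through the model, which is why the per-transaction check matters.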

Because a single defect caused both problems, the fix shipped for the DoS bug also closed the inflation bug. But, probably to avoid causing panic, and to encourage quick upgrades before the details became widely known, the developers initially disclosed only the DoS bug.

On 20 September, after a post in a public forum revealed the full impact of the vulnerability, the Bitcoin Core developers decided to come clean and published a full disclosure report for CVE-2018-17144.

According to the report, over half of the Bitcoin hashrate has already upgraded to patched nodes (running version 0.16.3). The developers say that although they are "unaware of any attempts to exploit this vulnerability", it is still critical that "affected users upgrade and apply the latest patches to ensure no possibility of large reorganizations, mining of invalid blocks, or acceptance of invalid transactions occurs."

Featured Image Credit: Photo via "Crypto360" via Flickr.com; licensed via "CC BY 2.0"

Bitcoin Ransomware Attack: Google Disables Baltimore Officials’ Gmail Accounts

The Baltimore City government has been under siege since May 7, when it was hit with a ransomware attack in which the attackers demanded roughly $100,000 in bitcoin and officials refused to pay. In a new development, Google has disabled the Gmail accounts officials had been using as a workaround.

According to The Baltimore Sun, the Baltimore City government created Gmail accounts so that staff could keep working during the ransomware attack, as the city's servers have been disrupted to the point that their baltimorecity.gov email addresses are not working.

Recently, however, emails sent to several of the newly created Gmail addresses bounced with messages stating that the "email account that you tried to reach is disabled." It turned out that Google had classified them as business accounts, which require a paid plan, rather than free individual Gmail accounts.

James Bentley, a spokesperson for Mayor Bernard C. “Jack” Young, noted Baltimore planned to purchase a business plan from Google so the accounts could be restored. The news outlet quoted him as saying:

They disabled them because they deemed them to be business accounts. Their position is these accounts are circumventing their paid service.

City Council President Brandon Scott added that his staff was meanwhile appealing the suspension with Google, although he had not been briefed on the problem. A spokeswoman for Baltimore's health department said she was able to see old emails she had received, but could not send or receive new ones.

According to her, there was no notice explaining why the account was disabled. On its website, Google says it will suspend accounts used to send spam, distribute malware, exploit children, violate copyright, or for other illicit purposes.

As CryptoGlobe covered, Baltimore was hit with a ransomware attack earlier this month that brought its real estate market to a halt and crippled some of its essential systems, so much so that the city's collection of property taxes and water bills, and its processing of property transfers, have been affected.

The hackers attacked the city's servers with a new type of ransomware known as "Robbinhood," and are demanding a 13 BTC (about $102,900) ransom to end the whole attack. They also gave the city the option of paying 3 BTC (about $23,700) to decrypt a specific system.