BitcoinMafia / SpareCoinsExt

Bitcoin Wallet Chrome Extension
www.sparecoins.io
MIT License

Sparecoins Chrome Extension Compromised? #19

Closed bitcoinwallet closed 10 years ago

bitcoinwallet commented 10 years ago

I have a sparecoins extension to my google chrome, however, the extension abruptly sent all of my bitcoins to the address 1F1vTnyvuvYioZ6jT1F9EXk1EfQoapTsMn. I did not send at all, and I am curious if there is some issue with sparecoins to have caused it to do that.

sidazhang commented 10 years ago

Hi @bitcoinwallet ,

I am sorry to hear this. Although, I really doubt that sparecoins has been compromised. The last update to sparecoins (chrome store) was December 20, 2013.

Could you give more details around this, when did you download sparecoins, how much did you load into it, and can you also post a list of all your addresses in your sparecoins wallet?

I know a few of us are still using sparecoins with no issues.

bitcoinwallet commented 10 years ago

Thank you sidazhang for responding. I downloaded Sparecoins around December of last year (2013). I loaded a total of 4.2468 bitcoins and used current and past Sparecoin wallet addresses to send the coins. About an hour ago, as I was making withdrawals from my old bitcoins from exchanges, I checked my sparecoins only to find out this: Sparecoins image: http://postimg.org/image/n0n0lla9j/ I clicked on the address that it was sent to and it was: https://blockchain.info/address/1F1vTnyvuvYioZ6jT1F9EXk1EfQoapTsMn When I clicked "You" to see where it was sent from, this is what I got: https://blockchain.info/address/1F1vTnyvuvYioZ6jT1F9EXk1EfQoapTsMn

Here are all the addresses I have in my sparecoins wallet:

bitcoinwallet commented 10 years ago

Just for clarity, here are the txids for the 4.2468 bitcoins (my entire Sparecoin balance) that were sent without my knowledge: https://blockchain.info/tx/bf034f46ec80781672f537b362198f40b4dee2debf19e9e0781325f9c4c3a714 https://blockchain.info/tx/09ebfee4c2a76ec1e53579841755aff61b233352b0c87d64559b0b01048a6b6a

https://blockchain.info/address/1F1vTnyvuvYioZ6jT1F9EXk1EfQoapTsMn

bitcoinwallet commented 10 years ago

Please help me. This is devastating for me.

sidazhang commented 10 years ago

It has been 10 months since I touched this code base. So I am refreshing my memory.

Here are some preliminary thoughts:

  1. All the private keys are stored encrypted in the local chrome storage.
  2. The encryption key is your password
  3. You can export encrypted keys

I am struggling to imagine how the keys could be compromised, but here are a few scenarios where this is possible:

  1. Chrome Store (or our chrome store account) is compromised, a new update with malicious code was published. But this is unlikely because the page says the chrome extension has not been updated since December
  2. Keys were exported and decrypted
  3. Someone got access to the laptop and sent it out manually

From your screenshot (http://postimg.org/image/n0n0lla9j/), it seems like the attacker sent the entire balance in one transaction.

The offending transaction (https://blockchain.info/tx/bf034f46ec80781672f537b362198f40b4dee2debf19e9e0781325f9c4c3a714) has two outputs, and from your screenshot it seems neither of the output addresses belongs to you. Since sparecoins is not capable of doing multi-address-send (it only sends to one output and a change address), it seems to me that it is unlikely someone got onto your laptop and sent it using sparecoins.

So somehow the keys were compromised and the attacker sent it himself.

There are 2 ways the keys can be compromised:

  1. The keys are exported
  2. Someone somehow managed to access your chrome storage

Have you exported keys in the past?

bitcoinwallet commented 10 years ago

I clicked the "backup wallet" button and it downloaded a .csv file. I do not know what to do with it as it is just a spreadsheet of weird letters and numbers line by line.

I went to blockchain.info about 8-9 hours ago and put one line of the csv into the import private keys at blockchain.info wallet. But nothing happened. How do I export keys?

sidazhang commented 10 years ago

Eventually all the funds went into this address https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

sidazhang commented 10 years ago

Backup wallet is export keys. The CSV file that was exported contains the encrypted private keys. The decryption key is the hash of your password.

Is there any possibility that someone could have access to the CSV file? If you have a weak password, it is possible to brute force it.

bitcoinwallet commented 10 years ago

It is highly unlikely as I was in front of my computer for the past 12 hours and no one except myself was on the computer. I still have the downloaded csv file. Do I just copy and paste the whole thing to the blockchain wallet import/export?

sidazhang commented 10 years ago

No, since these are encrypted keys you can't actually import them into blockchain.info. You would first have to decrypt the keys before the import. We used to have a utility to decrypt keys but I can't find it anymore. If there are no funds left in those keys, there is no use decrypting them.

Although my guess is somehow the attacker got access to your CSV (maybe a compromised laptop) and brute forced the encrypted keys and took the money out.

bitcoinwallet commented 10 years ago

There goes my life savings. I have uninstalled sparecoins and will have to do my best to recover financially.

sidazhang commented 10 years ago

@bitcoinwallet I am sorry to hear this.

We have all been using the chrome extension wallet for months and there has been no code compromise. Although I would encourage you to clean the computer just in case there is any malware. Since the compromise happened after an export, I can only imagine an attacker got a hold of the backup. I can't think of another explanation although I am still trying to trace it together.

CoinDev commented 10 years ago

Could someone log into your chrome account and access chrome storage that way or use a chrome browser you logged into but never logged out of? Those would be my own top two concerns. Brute forcing the decryption then would just be a matter of time.

sidazhang commented 10 years ago

@CoinDev I am pretty certain that this is not possible.

SpareCoins does not use the sync storage, it only uses local chrome storage. So the keys never leave the browser on the specific laptop.

Ray11111 commented 7 years ago

I need to decrypt my files.