blockchain.info vulnerability allows attackers to steal bitcoin wallet backups

Blockchain.info is a bitcoin cryptocurrency wallet and block explorer service. Started in August 2011, the service presents information on new transactions, mined blocks in the bitcoin Blockchain charts on the bitcoin economy, and statistics and resources for developers.

Security researcher (Shashank) has discovered a critical vulnerability in blockchain.info, he was able to steal anyone’s bitcoin wallet backup of their account with negligible user interaction.

The researcher said that the backup feature creates a JSON file which is the backup of your account allow you to download, Email it to yourself , or store it quickly on your Google Drive and Dropbox accounts. The main issue is that if anyone else gets your JSON file, he can easily import it at blockchain.info and steal all your bitcoins from your account.

According to the researcher:
“I noticed once you click on Dropbox or Gdrive button you will be asked to login with your google or dropbox account and once its authorised blockchain will automatically store the backup file in the your dropbox or Gdrive using your access token.”

If someone makes a Google drive authentication, The URL will be like this without any csrf token:
“https://blockchain.info/wallet/gdrive-update?code={YourGdriveToken}”

Now, if an attacker wants to steal anyone’s bitcoin wallet backup, he will do the following:
1- authenticate with Google Drive at blockchain.info.
2- Catch the Google Drive token
3- Send the following link to the victim.
https://blockchain.info/wallet/gdrive-update?code={GoogledriveToken}
4- Once the link is clicked, the bitcoin wallet backup will be stored in the attacker’s Google Drive account