Google Admits Bitcoin Thieves Exploited Android Crypto PRNG Flaw

rjmarvin writes "The theft of 55 Bitcoins, or about $5,720, through Android wallet apps last week was made possible because of flaws in Android's Java and OpenSSL crypto PRNG, Google revealed in a blog post. In the wake of a Bitcoin security advisory and a Symantec vulnerability report, the Android Developers Blog admitted the reason the thieves were able to pilfer their wallet apps. The flaws are already, or in the process of being repaired."

Re:Already or in the process of being repaired

[gstoddart]

This is what you get for playing with bit coin. When are you going to learn?

You know, it's not even bitcoin.

Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected

The entire crypto on the platform is vulnerable from the looks of it.

So, I would assume if there were other digital wallet type things on Android, they would be subject to the exact same vulnerability.

Re:How does this get fixed?

[Baloroth]

The flaw can be fixed at the application level by manually initializing the PRNG with entropy from /dev/random or /dev/urandom (the built-in tool wasn't doing that properly unless explicitly told to, hence the vulnerability). Some apps will already be immune, and the rest can be patched to fix the problem. An update to Android proper is not required, unless the app isn't updated for some reason (in which case, find a new wallet).