Bitzuma

Blockchain.info Paper Backup Stores Private Keys in the Browser History


The first step in using any Bitcoin wallet should be to create a backup and store it securely. Unfortunately, older Blockchain Web wallets stored an unencrypted copy of this backup in the browser history. This finding applies to older Web wallets, but may not apply to newer Web wallets.

This unencrypted backup survived browser and system restarts. The first disclosures of this behavior appear to have been made more than six months ago on Bitcointalk and the Bitcoin subreddit. Other points include:

  • Chrome supports synchronization of browser history between computers, raising the possibility of replicating the unencrypted backup across multiple devices. Fortunately, the backup link only appeared in the history of the computer that generated it.
  • To access the browser history after shutting down Firefox, select the “Restore Previous Session” option.
  • Both Firefox and Chrome showed the behavior on Windows, Linux, and Mac, as did Chrome on iOS 7. Other browsers either did not display the backup or did not store the backup in the browser history.
  • Unless specific steps are taken, the browser history is stored unencrypted on the user’s hard drive and can be read by anyone with access to it.
  • Blockchain.info support was contacted about this issue on September 10 and indicated that a fix would be considered.

If you’ve used the Blockchain.info paper backup feature, consider checking your browser’s history. Even if no copy of a paper backup appears, it may be a good idea to create a clean wallet and transfer your funds there.
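One way to perform that history check, as an added example that is not part of the original post. It assumes the usual browser history layout (Firefox: `places.sqlite`, table `moz_places`; Chrome: a file named `History`, table `urls`) and flags URLs that carry a payload inline rather than merely pointing at the wallet site; the sample database below is constructed, not a real history.

```python
# Scan a browser history database for URLs that may embed a wallet backup.
# Assumed schema (not from the post): Firefox moz_places(url, ...), Chrome urls(url, ...).
# Only the url column is read, and only a short prefix of each hit is reported,
# so the scanner never reprints the backup contents it is looking for.
import re
import sqlite3
from dataclasses import dataclass

TABLES = {"firefox": "moz_places", "chrome": "urls"}  # fixed names, never user input

# Heuristics for a URL that is the backup rather than a link to it:
# an inline data: URL, or a long opaque payload next to a backup-related word.
DATA_URL = re.compile(r"^data:", re.I)
LONG_PAYLOAD = re.compile(r"[A-Za-z0-9+/=_%-]{200,}")
BACKUP_WORDS = re.compile(r"backup|wallet|paper", re.I)


@dataclass
class Finding:
    url_prefix: str  # first 60 characters only, so the payload itself is not echoed
    reason: str


def classify(url):
    """Return why a URL looks like an embedded backup, or None if it looks harmless."""
    if DATA_URL.match(url):
        return "inline data: URL"
    if LONG_PAYLOAD.search(url) and BACKUP_WORDS.search(url):
        return "long payload with backup/wallet keyword"
    return None


def scan_history(conn, browser):
    """Walk the history table of the given browser and collect suspicious URLs."""
    table = TABLES[browser]  # KeyError for unknown browsers; table names are not interpolated from input
    findings = []
    for (url,) in conn.execute(f"SELECT url FROM {table} ORDER BY id"):
        reason = classify(url)
        if reason:
            findings.append(Finding(url[:60], reason))
    return findings


def demo_db():
    """Constructed sample: an in-memory copy of the Firefox schema with four rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    rows = [
        ("https://blockchain.info/wallet/home", "My Wallet"),                 # ordinary visit
        ("data:application/pdf;base64," + "QUJD" * 80, "paper-backup.pdf"),   # constructed inline backup
        ("https://example.com/backup?payload=" + "a" * 250, "Backup"),        # constructed long payload
        ("https://example.com/news?id=42", "News"),                           # ordinary visit
    ]
    conn.executemany("INSERT INTO moz_places (url, title) VALUES (?, ?)", rows)
    return conn


if __name__ == "__main__":
    for hit in scan_history(demo_db(), "firefox"):
        print(f"{hit.reason}: {hit.url_prefix}...")
```

Run it against a copy of the real database file (the browser locks the live one); any hit is a history entry to delete before treating the wallet as compromised and moving funds.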
