Blockchain.info Paper Backup Stores Private Keys in the Browser History
The first step in using any Bitcoin wallet should be to create a backup and store it securely. A Blockchain.info Web wallet supports backups through its Paper Backup feature. Generating a paper backup was found to leave an unencrypted copy of the wallet’s private keys in the browser history, and that copy survived browser and system restarts. The first disclosures of this behavior appear to have been made more than six months ago on Bitcointalk and the Bitcoin subreddit.
Other points include:
- Chrome supports synchronization of browser history between computers, raising the possibility of replicating the unencrypted backup across multiple devices. Fortunately, the backup link only appeared in the history of the computer that generated it.
- In Firefox, the entry can be reached again after shutting the browser down by selecting the “Restore Previous Session” option.
- Both Firefox and Chrome showed the behavior on Windows, Linux, and Mac, as did Chrome on iOS 7. Other browsers either did not display the backup or did not store the backup in the browser history.
- Unless specific steps are taken (full-disk or profile encryption, for example), the browser history is stored unencrypted on the user’s hard drive and can be read by anyone who can read the profile directory: other local users with sufficient privileges, malware, or whoever obtains the disk or a backup of it.
- Blockchain.info support was contacted about this issue on September 10 and indicated that a fix would be considered.
If you’ve used the Blockchain.info paper backup feature, check your browser’s history for the backup entry. Even if no copy of a paper backup appears, the absence of an entry does not prove one was never written or copied elsewhere, so it may be a good idea to create a clean wallet and transfer your funds there.
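One way to check history files without opening the browser, as an added example script that is not part of the original post and not Blockchain.info’s code: it reads the SQLite history databases Firefox (`places.sqlite`, table `moz_places`) and Chrome (`History`, table `urls`) keep on disk and flags entries that look like a leftover backup. The post does not describe the exact form of the link, so the matching rules (an unusually long `data:` URI, a blockchain.info URL mentioning “paper” or “backup”, or a WIF-formatted private key in the URL or title) are assumptions, and the sample rows are constructed.

```python
"""Scan Firefox/Chrome history databases for leftover wallet-backup entries.

Added example (not from the original post). The link format is not given
there, so the matching rules below are heuristics, not the observed format.
"""
import re
import sqlite3
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# WIF (Base58) private keys: uncompressed ones start with '5' (51 chars),
# compressed ones with 'K' or 'L' (52 chars). Base58 omits 0, O, I and l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
WIF_RE = re.compile(rf"(?<!{B58})(?:5{B58}{{50}}|[KL]{B58}{{51}})(?!{B58})")

# Firefox stores microseconds since the Unix epoch; Chrome stores
# microseconds since 1601-01-01 (the Windows FILETIME epoch).
SCHEMAS = {
    "firefox": ("moz_places", "last_visit_date",
                lambda us: datetime.fromtimestamp(us / 1e6, timezone.utc)),
    "chrome": ("urls", "last_visit_time",
               lambda us: datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)),
}


@dataclass
class Hit:
    browser: str
    url: str
    title: str
    last_visit: datetime
    reasons: list


def classify(url: str, title: str) -> list:
    """Return the heuristic reasons a history entry looks like a wallet backup."""
    reasons = []
    low = url.lower()
    if low.startswith("data:") and len(url) > 2000:
        reasons.append("long data: URI")  # an inline document, not a normal page visit
    if "blockchain.info" in low and any(w in low for w in ("paper", "backup")):
        reasons.append("blockchain.info backup path")  # assumption about the link's wording
    if WIF_RE.search(url) or WIF_RE.search(title):
        reasons.append("WIF private key")
    return reasons


def scan_history(conn: sqlite3.Connection, browser: str) -> list:
    """Walk every stored URL/title in the given browser's history table."""
    table, ts_col, to_dt = SCHEMAS[browser]
    hits = []
    for url, title, ts in conn.execute(f"SELECT url, title, {ts_col} FROM {table}"):
        reasons = classify(url, title or "")
        if reasons:
            hits.append(Hit(browser, url, title or "", to_dt(ts or 0), reasons))
    return hits


def open_history(path: str) -> sqlite3.Connection:
    """Open a history file read-only. A running browser holds a lock on the
    live file, so copy it elsewhere first and point this at the copy."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


# Constructed sample data: a synthetic, non-functional WIF-shaped string and
# in-memory tables with only the columns the scan reads.
FAKE_WIF = "5ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz1"


def build_sample_firefox() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, last_visit_date INTEGER)")
    conn.executemany(
        "INSERT INTO moz_places (url, title, last_visit_date) VALUES (?, ?, ?)", [
            ("https://blockchain.info/wallet/", "My Wallet", 1379000000_000000),
            ("https://example.org/news", "News", 1379000001_000000),
            ("data:text/html;base64," + "QUJD" * 600, "Paper Backup", 1379000002_000000),
            (f"https://blockchain.info/wallet/paper-backup?key={FAKE_WIF}", None, 1379000003_000000),
        ])
    return conn


def build_sample_chrome() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, last_visit_time INTEGER)")
    chrome_ts = (1379000003 + 11644473600) * 1_000_000  # same instant, Chrome epoch
    conn.executemany("INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)", [
        ("https://example.org/", "Example", chrome_ts),
        ("https://blockchain.info/wallet/paper-backup", f"Backup {FAKE_WIF}", chrome_ts),
    ])
    return conn


if __name__ == "__main__":
    # Usage: python scan.py firefox /path/to/places.sqlite.copy
    if len(sys.argv) == 3:
        found = scan_history(open_history(sys.argv[2]), sys.argv[1])
    else:
        found = scan_history(build_sample_firefox(), "firefox") + \
            scan_history(build_sample_chrome(), "chrome")
    for h in found:
        print(h.browser, h.last_visit.isoformat(), h.reasons, h.url[:80])
```

Run it against a copy of the profile’s history file rather than the live one, and treat every hit as a private key that has already touched disk: the question is then which other copies of that file (system backups, synced profiles, old drives) also hold it.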
Update Sept. 19: Blanked certain account details in video.