IOTA is vulnerable to replay attacks but has no intention of fixing the flaw

Fledgling blockchain startup IOTA has ran into yet another technical issue. Researcher Joseph Rebstock has detailed a vulnerability in its network which makes users susceptible to replay attacks – a common exploit vector in which valid data is erroneously repeated in order to steal cryptocurrency from users.

The issue stems from a function related to IOTA’s choice to use one-time signatures when processing transactions on the Tangle – the company’s self-proclaimed “next-generation” blockchain technology which promises more efficient transactions and scalability.

“ Reattaching is often required to get a transaction through and bundles can only be safely signed a single time,” the research explains. “Therefore the user is allowed to simply reattach any bundle of transactions they want without any proof of ownership. This should not be a problem because every bundle has a unique hash.”

But as it turns out, the function does not work as intended.

“ The expected behaviour should be that only one use of the same bundle hash should be allowed inside a consistent transaction history (subtangle),” Rebstock writes. But instead, “[t]he coordinator will repeatedly approve the same bundle hash over and over.”

“This means that while you may have signed a transaction to send 500 Miota it can be attached to the network 10 times draining the account of 5,000 Miota,” he insists.

The researcher has provided several examples to prove the validity of the attack vector:

In all fairness, the attack vector described in the report hinges on reusing wallet addresses – a malpractice the company has repeatedly warned against.

Still, it is worth noting that, while the vulnerability is similar to the signature issue previously disclosed by Neha Narula from the MIT Digital Currency Initiative (DCI), this is a newly discovered flaw.

“ Fortunately, since IOTA discourages the reuse of addresses it is uncommon for there to be any funds left on the address,” the researcher clarifies. “The replay attack is only applicable where addresses has [sic] been reused.”

“ However it should not be confused with the signature reuse issue, which is only a theoretical concern for a single reuse,” Rebstock continues. “The replay attack applies with only one reuse and is easy to implement.”

The good thing, the author highlights, is that the glitch is relatively easy to eliminate.

IOTA developer Lewis Freiberg has since confirmed the issue is indeed authentic in a statement on Reddit. Still, the developer downplayed the severity of the vulnerability, adding that the company has no intention of tweaking the core architecture of the network to “accommodate this edge case.”

“ If the user in the example scenario above had [refrained from reusing their wallet address,] then all of the IOTA from that address would have been sent else where,” Freiberg says. “Thus the attack would’ve never worked.”

In any case, the decision not to patch the exploit is odd – especially because both Rebstock and Freiberg agree it is a pretty “simple fix.”

(Clarification: Following the publication of this piece, Freiberg has pointed out that his response on Reddit does not suggest whether the vulnerability detailed by Rebstock is indeed a “simple fix.” It merely clarifies that IOTA has no immediate plans of patching it.)

One important outtake the researcher emphasizes is that missing to provide a solution to “ such an obvious problem should give everyone involved with IOTA [a] pause and hopefully a bit more humility.”

Rebstock also remarks that the current setup of IOTA requires every transaction approval to go through the network’s coordinator – an implementation that many have argued ultimately renders the Tangle a centralized system .

While the IOTA team has conceded this is currently the case, it has promised to get rid of the coordinator in the future. However, the company has yet to lay out its plan for phasing out the coordinator.

Meanwhile, the cryptocurrency startup has remained focused on raising awareness of its technology and expanding its network of collaborators.

The company recently announced its Ecosystem platform which aims to offer developers, startups, and hobbyists with a powerful set of tools to build for IOTA. In addition to this, IOTA signed a memorandum of understanding with Taipei to make the city smarter and secured a substantiative investment from Robert Bosch Venture Capital.

These developments follow the launch of the IOTA Data Marketplace in collaboration with high-profile brands like Accenture, Fujitsu, and Bosch. The announcement attracted fair amount of controversy when it later became clear that Microsoft – which was purportedly in “partnership” with IOTA – is not an official partner , but merely a technology provider.

IOTA later argued the miscommunication came about as a result of an inaccurate statement (provided by Microsoft) in its Data Marketplace announcement.

The vulnerability marks another time IOTA has received criticism over the design of its network architecture. The company previously came under scrutiny for “ rolling its own ” hash function – a cardinal offence in the world of cryptography.

While some other cryptocurrencies like ZCash have engaged in similar practices, what made IOTA’s hash function problematic is that it purportedly did not undergo rigorous testing.

IOTA eventually addressed these issues in a four-segment response published on its blog – though many known figures in the blockchain and cryptocurrency space ultimately disagreed with IOTA’s line of defence.

In the meantime, those interested can peruse Rebstock’s full report on GitHub here .

We reached out to IOTA co-founders Dominik Schiener and David Sønstebø for a comment on the vulnerability. Schiener has since responded to TNW with the following statement:

“ There is no vulnerability. Make that the headline.”

Update: Moments after this piece went up, Sønstebø contacted TNW to second Schiener’s words.

Baidu’s new blockchain stock photo platform has no whitepaper

Baidu, the Chinese internet giant, has launched a blockchain-based stock photo service, to fight copyright infringements in China.

According to Coindesk, the service — called Totem — went live on Wednesday, April 11. Totem allows photographers to create their profile and claim copyrights over their pictures. The picture along with the associated details is to be stored on a distributed public ledger.

The service, christened Totem , allows photographers to create their profile and claim copyrights over their pictures. The picture along with the associated details is to be stored on a distributed public ledger.

Baidu claims that this will help curb intellectual property rights infringement, as this data can be matched against the images floating around on the internet, and copyright infringements can be easily claimed.As it’s described on Totem’s website:

For such fancy words, it is surprising that Baidu has chosen not to publish any detailed information about the technology involved or the product on its website. There’s currently no white paper or other information on the website and it remains unclear what type of blockchain Baidu is planning to use.

Baidu has announced partnership with 1TUom, View Stock, and gaopin among others for the service, and already lists several photographers that have purportedly signed-up for the service.

This isn’t the first time that Baidu has come up with a blockchain-based product — they have been experimenting with the tech for a while. The company had introduced a blockchain-as-a-service platform at the beginning of this year, to be followed by the launch of a CryptoKitties knock-off .

Baidu is not the only company to be exploring blockchain in the photography sector either. Kodak had also announced plans to issue its own cryptocurrency for photographers to determine rights ownership. The plans have however not materialized till date.

Trendy cryptocurrency startup pulls an exit scam after raising $375K in ICO [Update]

It seems yet another fledgling cryptocurrency startup has pulled a Houdini . Distressed traders are flocking to Reddit to warn fellow cryptoenthusiasts that up-and-coming startup Confido, which recently raised $374,477 in an ICO, has vanished out of thin air.

The company, which promised to bring a new decentralized trustless payment solution for online shopping, has suddenly taken down its website . Coincidentally, yesterday Confido suffered a 90-percent drop in value after informing investors a legal issue will halt development of the project indefinitely.

In addition to this, the shady startup has also wiped its social media fingerprints from the web, closing down its Twitter , Facebook , Reddit and Medium accounts. For what is worth, you can still access archived pages to browse through its Twitter , Reddit and Medium . The same goes for its website .

The only account Confido has somehow missed to close down is its YouTube profile .

In fact, its channel still shows Confido’s original promo video – the same clip use to promote its ICO. Here’s the full video, which the company took down after our coverage:

The company had listed four members of its team, including founder and CEO Joost van Doorn, but as many Reddit sleuths have since pointed out, their social media profiles appear to be fake; and nobody has since been able to verify the identities provided are indeed authentic.

As you could expect, van Doorn has since purged his personal Facebook profile.

This is hardly the only cryptocurrency company to disappear over the past few weeks. In another dodgy development, popular Bitcoin lending investment platform, BitPetite, suddenly went dark at the end of October, leaving thousands of investors empty-handed.

The most disturbing part is that it is unlikely Confido and BitPetite will be the last startups to give the cryptocurrency community a bad name.

Watch who you trust your money with: all that glitters is not gold .

Update: Following our coverage, Confido wiped its YouTube account, along with the promo video we had attached in this piece. We have since updated the post with a re-uploaded version of the same clip.