From proff Sun May 19 03:25:37 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id DAA02156; Sun, 19 May 1996 03:25:36 +1000
Date: Sun, 19 May 1996 03:25:36 +1000
From: Julian Assange
Message-Id: <199605181725.DAA02156@suburbia.net>
To: account, balances, best-of-security@suburbia.net, ecash, revealed

Ian Goldberg wrote:

A couple of problems here. (Cc'd to ecash-feedbak@digicash.com; maybe it's good enough for a "security flaw" award...)

Background: Every user of ecash has an ecash mint account. This account has an Account ID ("eshop@c2.org", for example), and an Account Number (0000001234, for example).

Problem 1: Given an Account Number, it's trivial to determine the account balance (even if it's not yours). This is done simply by sending a deposit of 0 coins to the account. The bank will happily accept the deposit and return the balance.

Problem 2: Given an Account ID, you can use the fact that Account Numbers are approximately 4-digit numbers to determine the Account Number (but it may cost you $0.01). Generate a payment of $0.01 to "foo@bar.com". Try depositing it to each Account Number. Only one of them will accept it and not return an error message. This is the one.

In fact, I haven't checked this, but it's probably the case that the "coin already spent" error is different from the "wrong userid" error. In that case, after generating the payment of $0.01, cancel it (so you get the money back), and then try to deposit it into each Account Number. Most will return "wrong userid", but one will return "coin already spent".

Thus, for $0.01 (or maybe $0.00), you can determine any user's Account Number, and thus his balance.

So, I haven't heard anything about this since I posted it a while back... To motivate interest, here's a histogram of account balances. I've left off the Account Numbers to retain some semblance of privacy. The columns are number of users, and ecash mint balance.
users   balance
  176   $   0.00
    4   $   0.01
    1   $   0.05
    2   $   0.06
    1   $   0.07
    2   $   0.10
    1   $   0.44
    2   $   0.52
    1   $   0.53
    1   $   0.96
    1   $   1.00
    1   $   1.12
    1   $   1.20
    1   $   1.25
    1   $   3.00
    1   $   3.69
    1   $   4.25
    1   $   4.86
    1   $   5.00
    1   $   5.59
    1   $   5.85
    1   $   7.01
    2   $   9.48
    7   $  10.00
    1   $  10.16
    1   $  11.11
    1   $  12.14
    1   $  12.27
    1   $  12.88
    1   $  12.99
    1   $  13.84
    1   $  14.00
    1   $  14.40
    1   $  15.17
    1   $  17.54
    1   $  18.10
    1   $  18.24
    1   $  18.58
    2   $  19.00
    1   $  19.12
    1   $  19.60
    1   $  19.96
    7   $  20.00
    1   $  23.90
    1   $  25.00
    1   $  25.75
    1   $  27.57
    2   $  29.00
    1   $  30.08
    1   $  30.12
    1   $  34.00
    1   $  35.00
    1   $  35.95
    1   $  36.03
    1   $  37.00
    1   $  37.50
    6   $  39.00
    1   $  39.74
    7   $  40.00
    1   $  40.51
    1   $  41.00
    1   $  45.00
    4   $  50.00
    1   $  50.12
    1   $  53.90
    1   $  54.00
    1   $  54.99
    1   $  56.57
    4   $  59.00
    3   $  65.00
    1   $  65.04
    1   $  69.00
    1   $  69.50
    3   $  70.00
    1   $  70.01
    1   $  74.00
    1   $  78.30
    3   $  79.00
    1   $  79.01
    1   $  80.00
    1   $  80.88
    1   $  81.50
    1   $  85.00
   19   $  89.00
    3   $  90.00
    1   $  90.10
    1   $  94.12
    1   $  96.49
    1   $  98.00
    1   $  99.63
   12   $ 100.00
    1   $ 100.50
    1   $ 104.00
    1   $ 109.14
    1   $ 109.90
    1   $ 114.00
    1   $ 114.47
    1   $ 115.00
    1   $ 120.51
    1   $ 134.62
    1   $ 142.40
    1   $ 148.51
    1   $ 150.00
    1   $ 150.12
    1   $ 157.73
    1   $ 159.00
    1   $ 169.00
    1   $ 170.00
    1   $ 187.00
    2   $ 189.00
    1   $ 190.30
    1   $ 201.28
    1   $ 239.00
    1   $ 259.00
    1   $ 279.00
    2   $ 289.00
    1   $ 315.00
    1   $ 365.08
    1   $ 400.01
    1   $ 440.94
    1   $ 500.00
    1   $ 723.01
    1   $ 800.00

(I note there are only 376 ecash users?! Maybe I missed some somewhere... and 176 of them have $0.00 balance...)
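Both problems in the post come down to the mint's deposit handler acting as an oracle: a zero-coin deposit answers with a balance, and failed deposits answer with messages that differ by cause. The toy model below is an added illustration written for this page in Python; it is not DigiCash's code, and the account numbers, Account IDs, balances and coin serials are constructed. It puts a mint that behaves as the post describes next to a hardened one, and includes the check an operator would keep as a regression test: that every failed deposit produces one and the same reply.

```python
import copy
from dataclasses import dataclass

# Constructed sample mint state: account number -> Account ID and balance in
# cents (integers avoid float rounding on money). Not real ecash accounts.
SAMPLE_ACCOUNTS = {
    1234: {"id": "eshop@c2.org", "cents": 8900},
    1235: {"id": "alice@example.org", "cents": 0},
}


@dataclass(frozen=True)
class Payment:
    payee_id: str       # Account ID the payment was generated for
    cents: int
    coin_serial: int    # lets the mint recognise a coin deposited twice


class VulnerableMint:
    """Models the behaviour the post describes. The account number is a
    caller-supplied input, an empty deposit echoes the balance, and each
    failure is reported with its own distinguishable message."""

    def __init__(self):
        self.accounts = copy.deepcopy(SAMPLE_ACCOUNTS)
        self.spent = set()

    def deposit(self, account_number, payment=None):
        acct = self.accounts.get(account_number)
        if acct is None:
            return ("error", "no such account")
        if payment is None:                          # deposit of 0 coins
            return ("ok", acct["cents"])             # Problem 1: balance leaks
        if payment.payee_id != acct["id"]:
            return ("error", "wrong userid")         # Problem 2: distinguishable
        if payment.coin_serial in self.spent:
            return ("error", "coin already spent")   # ...from this one
        self.spent.add(payment.coin_serial)
        acct["cents"] += payment.cents
        return ("ok", acct["cents"])


class HardenedMint:
    """Same operation with the leaks closed. `session_account` is the account
    of the authenticated caller (taken from the login session, never from the
    request), so a deposit can only land in the caller's own account; an
    empty deposit is refused instead of answered with a balance; and every
    failure returns one generic reply, with the real cause written to the
    operator log rather than sent back to the caller."""

    GENERIC_ERROR = ("error", "deposit refused")

    def __init__(self):
        self.accounts = copy.deepcopy(SAMPLE_ACCOUNTS)
        self.spent = set()
        self.log = []   # (session_account, reason): detail for the operator only

    def deposit(self, session_account, payment=None):
        acct = self.accounts.get(session_account)
        reason = None
        if acct is None:
            reason = "no such account"
        elif payment is None:
            reason = "empty deposit"
        elif payment.payee_id != acct["id"]:
            reason = "wrong userid"
        elif payment.coin_serial in self.spent:
            reason = "coin already spent"
        if reason is not None:
            self.log.append((session_account, reason))
            return self.GENERIC_ERROR
        self.spent.add(payment.coin_serial)
        acct["cents"] += payment.cents
        return ("ok", acct["cents"])

    def balance(self, session_account):
        """Balance is an explicit, authenticated query, not a deposit side effect."""
        return self.accounts[session_account]["cents"]


def failure_responses(mint_cls):
    """Regression check for the oracle: exercise the three failure cases from
    the post against account 1234 and return the set of distinct replies.
    A hardened mint yields exactly one; the vulnerable one yields three."""
    mint = mint_cls()
    wrong_payee = Payment("foo@bar.com", 1, coin_serial=1)
    good = Payment("eshop@c2.org", 1, coin_serial=2)
    replies = set()
    replies.add(mint.deposit(1234, wrong_payee))   # wrong userid
    mint.deposit(1234, good)                       # spend the coin once
    replies.add(mint.deposit(1234, good))          # coin already spent
    replies.add(mint.deposit(1234))                # zero-coin deposit
    return replies
```

The check worth keeping is `failure_responses`: run it against the deployed handler and fail the build if it ever returns more than one distinct reply. Binding the target account to the session is the fix that removes the enumeration entirely; uniform error replies are defence in depth for whatever other endpoints still take an account number from the caller.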