Version 1
Scraped on 17/08/2025, 07:26:42 UTC
Quote from: nc50lc
If they're following what they claim: only your encrypted "wallet.aes.json" file is saved in their server.
Decryption is done client-side in your browser, as is the seed contained in the wallet once decrypted.
That’s the real issue — even if the underlying storage is encrypted on their servers, the way it’s implemented effectively means your seed is “hot” and ready to hand over to anyone in your session. It defeats the purpose of client-side encryption if the server happily feeds the encrypted blob to anyone logged in and the client auto-decrypts it on demand.
You get it.
It seems like the main purpose of it is to set a convincing "non-custodial" claim (better term: "self-custodial") rather than security purposes.
Still needs the password though if it's on a different machine/device.
This is why most people do not recommend their web wallet aside from their historical mess-up in the past and current issues in the present.

Quote from: nc50lc
-snip-
That theory is disturbingly plausible.
-snip-
My opinion: Blockchain.com’s support processes are the biggest vulnerability here — not my password strength, not phishing, not some exotic exploit. Once you can social-engineer their support, the rest of their “layers of security” are just decoration.
It still needs some investigation though.
But it's definitely NOT your password or anything that can't get into the wallet's settings page while 2FA is enabled.
Original archived: Re: Warning: Blockchain.com 2FA Disabled Without Permission + Reuse of 2FA Secret
Quote from: nc50lc
If they're following what they claim: only your encrypted "wallet.aes.json" file is saved in their server.
Decryption is done client-side in your browser, as is the seed contained in the wallet once decrypted.
That’s the real issue — even if the underlying storage is encrypted on their servers, the way it’s implemented effectively means your seed is “hot” and ready to hand over to anyone in your session. It defeats the purpose of client-side encryption if the server happily feeds the encrypted blob to anyone logged in and the client auto-decrypts it on demand.
You get it.
It seems like the main purpose of it is to set a convincing "non-custodial" claim (better term: "self-custodial") rather than security purposes.

This is why most people do not recommend their web wallet aside from their historical mess-up in the past few years.

Quote from: nc50lc
-snip-
That theory is disturbingly plausible. 
-snip-
My opinion: Blockchain.com’s support processes are the biggest vulnerability here — not my password strength, not phishing, not some exotic exploit. Once you can social-engineer their support, the rest of their “layers of security” are just decoration.
It still needs some investigation though.
But it's definitely NOT your password or anything that can't get into the wallet's settings page.