BitGo Bug Reveals Bitstamp Deposit and Withdrawal Information

Bitcoin API provider Blocktrail has discovered a bug in BitGo’s security platform that causes Bitstamp’s transaction data to be identifiable on the blockchain. The bug reveals information that traders could potentially abuse if they have access to it.
The heart of the problem is that BitGo does not randomize the position of the change address among the outputs of a transaction, but instead always places the change address as the last output. By identifying certain addresses as change addresses – specifically, addresses belonging to Bitstamp – it is possible to identify more Bitstamp addresses, as they are used in the same transactions. The addresses can then be linked to each other, creating a cluster that makes it easy to analyze how many bitcoins are transferred into and out of Bitstamp’s accounts.
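The ordering weakness described above, next to a randomized ordering, as an added example that is not BitGo's or Blocktrail's code. The function names, address labels and amounts are constructed for illustration; the sketch measures how often an observer's "last output is change" guess is right under each ordering.

```python
import secrets

# CSPRNG-backed generator, so the change position cannot be predicted.
_rng = secrets.SystemRandom()


def outputs_change_last(payments, change):
    """Weak ordering from the article: change is always the final output."""
    return list(payments) + [change]


def outputs_shuffled(payments, change):
    """Hardened ordering: change lands at a uniformly random position."""
    outs = list(payments) + [change]
    _rng.shuffle(outs)
    return outs


def last_output_guess_rate(builder, trials=2000, n_payments=1):
    """Fraction of transactions where 'last output is change' is correct."""
    hits = 0
    for i in range(trials):
        # Constructed sample data: (address label, amount in satoshi).
        payments = [(f"recipient-{i}-{j}", 10_000 + j)
                    for j in range(n_payments)]
        change = (f"wallet-change-{i}", 5_000)
        outs = builder(payments, change)
        if outs[-1] == change:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for name, builder in (("change last", outputs_change_last),
                          ("shuffled", outputs_shuffled)):
        rate = last_output_guess_rate(builder)
        print(f"{name:12s} guess is right in {rate:.0%} of transactions")
```

With one payment and one change output, the guess is always right for the fixed ordering and right about half the time for the shuffled one, which is no better than chance.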
Blocktrail CTO Ruben de Vries discovered the bug and subsequently wrote a fix for the problem, which he submitted to BitGo’s GitHub repository on Saturday. However, BitGo has not yet accepted the fix.
After the submission, Blocktrail CEO Boaz Bechar published a blog post about the issue on Blocktrail’s blog. Describing the core of the problem, Bechar wrote:

This post was published at Coin Telegraph on 2015-05-04.
