Remote third parties are able to create accounts in your wallet file #6431

issue breymoz opened this issue on July 14, 2015
  1. breymoz commented at 7:42 AM on July 14, 2015: none

    By typing listaccounts in the console I found an account called "Refund from Bitpay.com". I received a refund from Bitpay.com and the transaction somehow was able to write an account to my wallet file.

    I found that it was very invasive and not compliant with privacy considering you can't even delete accounts.

    Version 0.10.0

  2. laanwj commented at 7:46 PM on July 17, 2015: member

    That is a label interpreted as account name. The GUI doesn't use accounts, but uses the same database fields for labels. You cannot use both the GUI and accounts in bitcoind interchangeably safely. Note that accounts are deprecated and will be removed in a future release (#3816).

    I do not see how this affects privacy. Both labels and accounts are not exposed to the outside world.

    (if you don't like the label you can probably change it under "receiving addresses" in the GUI)

  3. laanwj closed this on Jul 17, 2015

  4. zebra21 commented at 5:00 AM on July 18, 2015: none

    It does not even show the label in the GUI, but it is shown in the console.

    It is actually exposed to the outside world at the moment they have physical or RPC access to your machine and a password will not even be required in the first hypothesis. Just a simple example, imagine one's wife type listaccounts in husband's wallet and read "Refund from backpage.com"

    I think this is a real issue and should be reopened if it is not possible to delete those labels.

  5. laanwj reopened this on Jul 21, 2015

  6. laanwj commented at 11:10 AM on July 21, 2015: member

    Fair enough, but then the issue is not that 'a third party creates a label' but that the information is hidden and uneditable in the GUI. Labeling the refund is useful in practice.

    Also:

    • if you use payment requests, the payment request itself will also be added to your wallet
    • deleted/edited information may still be salvageable from unallocated blocks in the database

    There is no expectation right now of privacy against people that can directly examine your wallet file.

    Just a simple example, imagine one's wife type listaccounts in husband's wallet and read "Refund from backpage.com"

    In that case the way to hide it would be to use a second wallet, say, on an encrypted USB stick.

  7. luke-jr commented at 11:25 AM on July 21, 2015: member

    @breymoz Note that Bitpay did not generate the account or address themselves; that is just something built-in to the process of sending them a payment. Whenever you pay via BitPay (or anyone else using the payment protocol), you give them a refund address upfront in case they wish to return the funds.

  8. laanwj added the label GUI on Jul 28, 2015
  9. meshcollider commented at 6:07 PM on March 7, 2018: contributor

    I don't think this needs to remain open considering the comments above

  10. meshcollider closed this on Mar 7, 2018

  11. MarcoFalke locked this on Sep 8, 2021


This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 18:15 UTC
