Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: hybriz_ on May 30, 2011, 12:16:43 AM



Title: mybitcoin security vulnerabilities
Post by: hybriz_ on May 30, 2011, 12:16:43 AM
OH HAI GUISE!

so, i've stumbled upon some "lame" vulnerabilities in mybitcoin.com that affect mainly normal users.

I've tried to contact the owners without success so basically this thread serves as a warning to all mybitcoin users that in a week's time i'll disclose the vulnerability details if they don't get fixed.

my advice is to have few coins in the mybitcoin wallet...they can easily be stolen by other users without you noticing...(well, you'll notice when the balance is 0).

Cheers,
hybriz_

(EDIT) PS: if you guys are in the mood for a donation... 1H3EUkytqu8Mdzbhd33CaTBTsQgJSo5spj :-)


Title: Re: mybitcoin security vulnerabilities
Post by: AntiVigilante on May 30, 2011, 12:18:38 AM
A week is too short for lower traffic sites.

Have you tried #bitcoin-otc on freenode?

Otherwise, stop trolling :)


Title: Re: mybitcoin security vulnerabilities
Post by: hybriz_ on May 30, 2011, 12:26:07 AM
it's been like 4 or 5 days now since I tried contacting them... on IRC, via message in their service.

apparently no one knows who the owners are and they are rumored to be missing.

just because of this warning, i bet many people will try and find the easy vulnerabilities... maybe by Wednesday i'll disclose them :-)

in the meantime, PROTIP: don't keep much money there unless you're willing to lose it.

Cheers,
hybriz_


Title: Re: mybitcoin security vulnerabilities
Post by: Anonymous on May 30, 2011, 12:29:27 AM
Thanks for telling us about it and giving us a chance to save our btc from mybitcoin.

 :)


Title: Re: mybitcoin security vulnerabilities
Post by: AntiVigilante on May 30, 2011, 12:29:55 AM
Quote from: hybriz_
it's been like 4 or 5 days now since I tried contacting them... on IRC, via message in their service.

apparently no one knows who the owners are and they are rumored to be missing.

just because of this warning, i bet many people will try and find the easy vulnerabilities... maybe by Wednesday i'll disclose them :-)

in the meantime, PROTIP: don't keep much money there unless you're willing to lose it.

Cheers,
hybriz_

It's not a high traffic site compared to mtgox. So good luck taking much out. Also it's Memorial Day weekend. People will be out til Monday night.


Title: Re: mybitcoin security vulnerabilities
Post by: Alex Beckenham on May 30, 2011, 12:33:22 AM
Quote from: hybriz_
i'll disclose the vulnerability details if they don't get fixed.

You mean the fact that the captcha always uses the same background, same font, same number of characters, same 3 colours on characters, same purple colour on the 2 brush strokes over the characters every time?


Title: Re: mybitcoin security vulnerabilities
Post by: error on May 30, 2011, 01:31:15 AM
Whoever runs mybitcoin has been missing for far longer than four or five days.


Title: Re: mybitcoin security vulnerabilities
Post by: Bit_Happy on May 30, 2011, 01:40:41 AM
A service like that is needed: Are there any similar fully developed sites*?
*Mt. Gox merchant API is supposed to be better in the new version coming soon; any others?


Title: Re: mybitcoin security vulnerabilities
Post by: theymos on May 30, 2011, 02:56:22 AM
I'm not surprised. MyBitcoin is still accepting payments with only 1 confirmation, which would allow some of the larger pools to steal BTC right now.


Title: Re: mybitcoin security vulnerabilities
Post by: darbsllim on May 30, 2011, 04:20:49 AM
Is there another more secure web wallet that we can use?


Title: Re: mybitcoin security vulnerabilities
Post by: AntiVigilante on May 30, 2011, 04:25:52 AM
Quote from: darbsllim
Is there another more secure web wallet that we can use?

Mtgox or maybe instawallet for short term.

Confirmations are low in OTC as well. Perhaps it just needs to be updated.


Title: Re: mybitcoin security vulnerabilities
Post by: MoonShadow on May 30, 2011, 05:02:11 AM
System is now down for maintenance.


Title: Re: mybitcoin security vulnerabilities
Post by: darbsllim on May 30, 2011, 05:51:57 AM
Quote from: MoonShadow
System is now down for maintenance.

are you the mybitcoin dev creighto?


Title: Re: mybitcoin security vulnerabilities
Post by: MoonShadow on May 30, 2011, 05:57:27 AM
Quote from: MoonShadow
System is now down for maintenance.
Quote from: darbsllim
are you the mybitcoin dev creighto?

No. I had tried to login, and this is the error that I received.


Title: Re: mybitcoin security vulnerabilities
Post by: MoonShadow on May 30, 2011, 05:59:01 AM
Quote from: MoonShadow
System is now down for maintenance.
Quote from: darbsllim
are you the mybitcoin dev creighto?
Quote from: MoonShadow
No. I had tried to login, and this is the error that I received.

It's back up now, and the captcha is slightly different.


Title: Re: mybitcoin security vulnerabilities
Post by: Alex Beckenham on May 30, 2011, 06:18:08 AM
Quote from: MoonShadow
It's back up now, and the captcha is slightly different.

How is the captcha any different?

I just went and reloaded a few times and it's still the same as I described:

Quote
always uses the same background, same font, same number of characters, same 3 colours on characters, same purple colour on the 2 brush strokes over the characters every time?

I'm not saying it wouldn't be a challenge, but in the state it's in at the moment, I'm sure I could crack it in a couple of weeks.


Title: Re: mybitcoin security vulnerabilities
Post by: MoonShadow on May 30, 2011, 06:25:21 AM
Quote from: MoonShadow
It's back up now, and the captcha is slightly different.
Quote from: Alex Beckenham
How is the captcha any different?


It's case sensitive.


Title: Re: mybitcoin security vulnerabilities
Post by: Alex Beckenham on May 30, 2011, 06:29:07 AM
Quote from: MoonShadow
It's back up now, and the captcha is slightly different.
Quote from: Alex Beckenham
How is the captcha any different?
Quote from: MoonShadow
It's case sensitive.

Hahaha wow, but after 30 reloads, I didn't see any lower-case letters in the image, so I'll just assume any input needs to be upper-case.

Edit: Also, I was able to log in with eRzD even though the image showed ERZD.


Title: Re: mybitcoin security vulnerabilities
Post by: Fiyasko on May 31, 2011, 02:49:33 PM
Why the heck are people holding ßtc funds in online accounts?
I just don't get it.....

like maybe if "my comp burned out so now I'm on my lappy and I didn't lose my wallet.dat HAR HAR"
But my wallet's on many frequent backups so I unno


Title: Re: mybitcoin security vulnerabilities
Post by: Alex Beckenham on May 31, 2011, 02:54:26 PM
Quote from: Fiyasko
Why the heck are people holding ßtc funds in online accounts?
I just don't get it.....

like maybe if "my comp burned out so now I'm on my lappy and I didn't lose my wallet.dat HAR HAR"
But my wallet's on many frequent backups so I unno

If I'm in a situation where I need to use an internet cafe, I'd rather have a few coins online than plug my wallet.dat into some public PC's USB port.


Title: Re: mybitcoin security vulnerabilities
Post by: mewantsbitcoins on May 31, 2011, 02:56:06 PM
Off topic, but I have to ask: Alex, do you live in Australia?  ;D


Title: Re: mybitcoin security vulnerabilities
Post by: Alex Beckenham on May 31, 2011, 03:00:27 PM
Quote from: mewantsbitcoins
Off topic, but I have to ask: Alex, do you live in Australia?  ;D

Yes, land of the slow internet.

I suppose I look upside down to you?


Title: Re: mybitcoin security vulnerabilities
Post by: mewantsbitcoins on May 31, 2011, 03:01:22 PM
I was wondering why your picture is upside down  ;)


Title: Re: mybitcoin security vulnerabilities
Post by: Drifter on May 31, 2011, 03:03:34 PM
Quote from: Fiyasko
Why the heck are people holding ßtc funds in online accounts?
I just don't get it.....

like maybe if "my comp burned out so now I'm on my lappy and I didn't lose my wallet.dat HAR HAR"
But my wallet's on many frequent backups so I unno

Plenty of reasons. Access to my wallet wherever there is an internet connection. No need to back up the wallet. In-person transactions with my smartphone. Instant transactions from mybitcoin user to user, instead of waiting for confirmations, making this one of the best options for in-person trades. Email notifications of incoming payments. If necessary, secure access to my wallet (Tor, I2P) without needing to install bitcoin on my computer.

I wouldn't store very large amounts on the site, but for small transactions it's great to have an online wallet.


Title: Re: mybitcoin security vulnerabilities
Post by: MoonShadow on May 31, 2011, 04:20:15 PM
I use Mybitcoin.com because it has most of the pros of PayPal, but if they were to try some of the things that PayPal has done, the mass exodus of the userbase would punish them severely.


Title: Re: mybitcoin security vulnerabilities
Post by: datguywhowanders on June 04, 2011, 11:37:32 PM
So did we ever receive word about what these so-called vulnerabilities were? Also, while I'm thinking about it, would anyone else be interested in an additional online wallet to compete with myBitcoin?


Title: Re: mybitcoin security vulnerabilities
Post by: MoonShadow on June 04, 2011, 11:47:03 PM
Quote from: datguywhowanders
would anyone else be interested in an additional online wallet to compete with myBitcoin?

Yes.


Title: Re: mybitcoin security vulnerabilities
Post by: Bit_Happy on June 05, 2011, 02:50:30 AM
Yes, interested


Title: Re: mybitcoin security vulnerabilities
Post by: Maged on June 05, 2011, 05:59:46 AM
Quote from: datguywhowanders
So did we ever receive word about what these so-called vulnerabilities were?
It hasn't been the promised week, yet. Wait until tonight/tomorrow night (Sunday).


Title: Re: mybitcoin security vulnerabilities
Post by: WilliamJohnson on June 05, 2011, 10:18:26 AM
Quote from: error
Whoever runs mybitcoin has been missing for far longer than four or five days.
I sent them a message on May 24th, and got an answer on May 29th. So, they are not "missing". ;)

Quote from: datguywhowanders
would anyone else be interested in an additional online wallet to compete with myBitcoin?
Yes, definitely.


Title: Re: mybitcoin security vulnerabilities
Post by: carlerha on June 05, 2011, 10:45:29 AM
Quote from: datguywhowanders
would anyone else be interested in an additional online wallet to compete with myBitcoin?
Yes. One with (optional) fund insurance would be nice too.


Title: Re: mybitcoin security vulnerabilities
Post by: TheKoziTwo on June 05, 2011, 11:51:15 AM
Maybe he is talking about the XSS vulnerability on the payment page. If I recall correctly I was able to send code to it.