Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: phantomcircuit on June 18, 2011, 01:58:48 AM



Title: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: phantomcircuit on June 18, 2011, 01:58:48 AM
This exploit is no longer active.

I have identified an exploit in MtGox allowing an attacker to completely take over some users' accounts.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email addresses in their mtgox profile. if they are incorrect they have to change their address + password


Title: Re: Bitcoin General's Warning
Post by: mizerydearia on June 18, 2011, 02:01:36 AM
liek a surgeon general warning?

Code:
BITCOIN GENERAL'S WARNING: Trading
bitcoins Causes ____ ______, _____ _______,
_________ and May Complicate ________.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: phantomcircuit on June 18, 2011, 02:04:42 AM
I should mention it's a CSRF vulnerability, so people know what to do to protect themselves.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: ibisy70 on June 18, 2011, 02:05:01 AM
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: allinvain on June 18, 2011, 02:06:28 AM
Pardon my ignorance, but slush's pool would be vulnerable too? Is this something bitcoin platform wide..ie with the API's ?


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: cypherdoc on June 18, 2011, 02:09:15 AM
I should mention it's a CSRF vulnerability, so people know what to do to protect themselves.

what is CSRF?


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: mizerydearia on June 18, 2011, 02:10:37 AM
what is CSRF?
Cross-Site Request Forgery


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Astrohacker on June 18, 2011, 02:11:10 AM
Pardon my ignorance, but slush's pool would be vulnerable too? Is this something bitcoin platform wide..ie with the API's ?

It could be. It is a general security problem many websites have.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Vince Torres on June 18, 2011, 02:15:27 AM
Tradehill has no reports of being hacked. If reports of Mtgox security breach are true I'm guessing they would liquidate their BTC. Be wary in the next coming weeks and months.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Adam on June 18, 2011, 02:15:48 AM
I have identified an exploit in MtGox allowing an attacker to completely take over some users' accounts.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


Hordes of panicky people seem to be fleeing Mt. Gox for some unknown reason.  Professor, without knowing precisely what the danger is, would you say it's time for our viewers to crack each other's heads open and feast on the goo inside?


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: kgo on June 18, 2011, 02:19:45 AM
So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a separate copy of firefox portable if you're on windows.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: imperi on June 18, 2011, 02:23:31 AM
By the way on mtgox.com you can register names like " apple" with a space in front, separate from an account "apple". Maybe this can lead to an exploit.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Horkabork on June 18, 2011, 02:25:09 AM
I want to add that phantomcircuit is an op for #bitcoin on IRC, where other folks have confirmed it as well. So don't let his mere 15 posts on the forum here dissuade you as he does speak with authority.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Horkabork on June 18, 2011, 02:29:30 AM
So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a separate copy of firefox portable if you're on windows.

There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this:
firefox.exe -P "NewProfileNameHere" -no-remote

Then you can do the same for your other profile and run both at the same time, with no interaction.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: kgo on June 18, 2011, 02:32:37 AM
So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a separate copy of firefox portable if you're on windows.

There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this:
firefox.exe -P "NewProfileNameHere" -no-remote

Then you can do the same for your other profile and run both at the same time, with no interaction.

Yeah, that'll work.  I was trying to provide a simple solution for people who aren't techies.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Icy- on June 18, 2011, 02:42:46 AM
So they are taking my cookies? NOZ! >:(


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: cuddlefish on June 18, 2011, 02:44:50 AM
I have independently confirmed that MtGox has a GIGANTIC CSRF vuln that lets me empty your account.

MagicalTux, you should know better than that. Honestly.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: imperi on June 18, 2011, 02:47:02 AM
So they are taking my cookies? NOZ! >:(

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Bunghole on June 18, 2011, 02:48:26 AM
Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity.  I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: cuddlefish on June 18, 2011, 02:54:11 AM
So they are taking my cookies? NOZ! >:(

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

Nope.avi.
CSRF != XSS.

XSS = put my javascript on your site

CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: jrmithdobbs on June 18, 2011, 03:06:08 AM
I have independently confirmed that MtGox has a GIGANTIC CSRF vuln that lets me empty your account.

MagicalTux, you should know better than that. Honestly.

Also confirmed. This isn't acceptable.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: lemonginger on June 18, 2011, 03:11:50 AM
So the exploit has been fixed?


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: cunicula on June 18, 2011, 03:13:10 AM
Seems to me they should take the market offline until this is fixed.

Pretty sure Mt. Gox would have legal responsibility for coins/funds lost due to the exploit.

Allowing users who haven't read this thread to lose funds is negligent.



Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Digigami on June 18, 2011, 03:13:46 AM
nvm..


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: malditonuke on June 18, 2011, 03:14:19 AM
So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a separate copy of firefox portable if you're on windows.

for chrome, you can open mtgox in incognito-mode and that will work too, right?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: tcatm on June 18, 2011, 03:14:34 AM
Both bugs are fixed now. I have just verified it.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Herodes on June 18, 2011, 03:15:27 AM
I see some of you devs talking about releasing a script for the script kiddies that can be used to empty users mtGox accounts, only because you haven't been able to get hold of MagicalTux.

If you do a whois listing of mtgox.com you will find contact information, also a phone number.

Before you all go apeshit over this issue, be aware that mtGox is probably flooded with requests, so it can be difficult to get hold of them quickly.

But I agree this is not an acceptable situation, but deal with it as adults, and remember anyone who creates a tool that can be used for mischief can also be held responsible for this. It is better to try to get hold of MagicalTux or someone else at mtGox instead of trying to make the matter worse.

I feel sorry for anyone who has lost their funds, and hope everyone takes proper security precautions.

Edit: I see now it is claimed that the issues in question have been fixed. Good.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: jrmithdobbs on June 18, 2011, 03:17:09 AM
Both bugs are fixed now. I have just verified it.

Seconded.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: jrmithdobbs on June 18, 2011, 03:18:32 AM
But I agree this is not an acceptable situation, but deal with it as adults, and remember anyone who creates a tool that can be used for mischief can also be held responsible for this.

He's been trying to get ahold of him for a week.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: DamienBlack on June 18, 2011, 03:19:32 AM
Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Herodes on June 18, 2011, 03:21:03 AM
Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?

Yess, you can start with the buttcoins website, it just advertised for a wallet stealing site.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: REF on June 18, 2011, 03:23:36 AM
and today was my first time using mtgox.... good thing i didnt want i needed to and took everything out once i finished. I even hit log out which i almost never do. Seems like some admin has removed this from the news. Good no need to cause panic over something which has been fixed.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: jrmithdobbs on June 18, 2011, 03:26:54 AM
Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?

Yess, you can start with the buttcoins website, it just advertised for a wallet stealing site.

walletinspector.info has once again been replaced by a static png image. They tried to re-implement it as a "funny" javascript-only form. Linode's abuse department didn't find my pointing this out humorous. The original site before ~00:00 CST did really steal wallets and the owner tried to play it off as a harmless prank to avoid service termination.

I'm still slightly disappointed that service was not outright canceled once it was discovered the authorized user of that VPS was in fact responsible for said site and that it wasn't due to a compromise.

At least it's not harmful, for now.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: bodhipraxis on June 18, 2011, 03:27:11 AM
Both bugs are fixed now. I have just verified it.

until 5 minutes ago, the following banner appeared on bitcoincharts.com:
http://i1236.photobucket.com/albums/ff458/bodhiforest/bitcoin_security/MtGoxSecurityFlawWarning_june18_on_bitcoincharts.png


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: done on June 18, 2011, 03:29:20 AM
sounds like everything is safer than ever. excellent job guys.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Serge on June 18, 2011, 03:37:37 AM
So they are taking my cookies? NOZ! >:(

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

Nope.avi.
CSRF != XSS.

XSS = put my javascript on your site

CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript

how can this be dealt on a client side besides what's been mentioned above, is there a method to detect/disable both vulnerabilities without turning off cookies and js?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Serge on June 18, 2011, 03:43:50 AM
were there any other sites that been exploited with these things in the past?

in my understanding any web site is vulnerable to such attack? is this correct?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: theymos on June 18, 2011, 03:48:45 AM
in my understanding any web site is vulnerable to such attack? is this correct?

Not correctly-designed ones.

(I don't blame MagicalTux, since he didn't write the code.)


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Serge on June 18, 2011, 03:51:05 AM
were there any other sites that been exploited with these things in the past?

in my understanding any web site is vulnerable to such attack? is this correct?

Sorry for the OT post, but I couldn't help myself.

Watch how Bitcoin bring computer security to the masses. Just another undiscovered benefit.

+1, thought exactly the same thing.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Serge on June 18, 2011, 03:53:43 AM
in my understanding any web site is vulnerable to such attack? is this correct?

Not correctly-designed ones.

(I don't blame MagicalTux, since he didn't write the code.)

Could you or anyone please point me where one can read how it can be dealt with on a server side?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Bunghole on June 18, 2011, 04:03:07 AM
Watch how Bitcoin brings computer security to the masses. Just another undiscovered benefit.

It has certainly impacted me personally.  I have learned a lot about security in the past two weeks on this site, and I have already begun migrating from Windows to Ubuntu.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Dirt Rider on June 18, 2011, 04:06:01 AM
Is it just me or does all this seem just a little bit sensational.


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: kokojie on June 18, 2011, 04:22:27 AM
Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity.  I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.

The fact that tradehill doesn't log you out has no impact on your security, IF tradehill properly implemented security measures to prevent CSRF



Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: cuddlefish on June 18, 2011, 04:24:55 AM
Mtgox is not the only CSRF'able site.
http://forum.bitcoin.org/index.php?topic=18020.0


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Capitan on June 18, 2011, 05:29:33 AM
So they are taking my cookies? NOZ! >:(

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

Nope.avi.
CSRF != XSS.

XSS = put my javascript on your site

CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript

how can this be dealt on a client side besides what's been mentioned above, is there a method to detect/disable both vulnerabilities without turning off cookies and js?
Is there a firefox plugin that will make each tab have its own session? That would take care of the problem.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Capitan on June 18, 2011, 05:30:06 AM
The noscript add-on says it has "limited" CSRF protection. I'm not sure what that means.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Capitan on June 18, 2011, 05:32:14 AM
in my understanding any web site is vulnerable to such attack? is this correct?

Not correctly-designed ones.

(I don't blame MagicalTux, since he didn't write the code.)

Could you or anyone please point me where one can read how it can be dealt with on a server side?


That info is on the wiki page for CSRF. Basically the server side needs to put a unique token on each page and check for the presence of it on postback. Also doing an HTTP Referrer check helps a lot. There are other things as well but those are the main two.
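
The per-page token check described in the post above, as an added example that is not part of the original thread and not MtGox's code: a cookie-only handler beside one that also requires a single-use token embedded in the form. The session store, balances, handler names and the `csrf_token` field name are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory state for this example: session id -> session data.
SESSIONS = {}
BALANCES = {"alice": 100}


def login(user):
    """Start a session; the browser keeps the returned id in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "tokens": []}
    return sid


def issue_form_token(sid):
    """Mint a fresh token for one rendered page and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["tokens"].append(token)
    return token


def render_withdraw_form(sid):
    """The token travels in the page body, not in a cookie, so the browser
    never attaches it automatically to a request built by another site."""
    return ('<form method="POST" action="/withdraw">'
            f'<input type="hidden" name="csrf_token" value="{issue_form_token(sid)}">'
            '<input name="amount"></form>')


def _consume_token(session, sent):
    """Constant-time match against outstanding tokens; a token is single-use."""
    for token in session["tokens"]:
        if hmac.compare_digest(token.encode(), sent.encode()):
            session["tokens"].remove(token)
            return True
    return False


def _apply_withdrawal(session, form):
    """Shared state change so both handlers differ only in their checks."""
    amount = int(form["amount"])
    if amount <= 0 or amount > BALANCES[session["user"]]:
        return 400
    BALANCES[session["user"]] -= amount
    return 200


def withdraw_cookie_only(cookie_sid, form):
    """The 'before' handler: a valid session cookie is all it asks for."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401
    return _apply_withdrawal(session, form)


def withdraw_with_token(cookie_sid, form):
    """The 'after' handler: cookie plus a token only our own page carries."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401
    if not _consume_token(session, form.get("csrf_token", "")):
        return 403
    return _apply_withdrawal(session, form)


def extract_token(html):
    """Demo helper: read the hidden field back out of our own page."""
    return html.split('name="csrf_token" value="')[1].split('"')[0]


def demo():
    sid = login("alice")
    # What a form hosted on another site can send: the browser adds the
    # cookie, but that page cannot read the token out of our HTML.
    cross_site = {"amount": "10"}
    own_page = {"amount": "10",
                "csrf_token": extract_token(render_withdraw_form(sid))}
    return {
        "cookie_only_cross_site": withdraw_cookie_only(sid, cross_site),
        "token_cross_site": withdraw_with_token(sid, cross_site),
        "token_own_page": withdraw_with_token(sid, own_page),
        "token_replayed": withdraw_with_token(sid, own_page),
        "balance": BALANCES["alice"],
    }


if __name__ == "__main__":
    print(demo())
```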


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Horkabork on June 18, 2011, 05:44:37 AM
Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

EDIT: It's fixed by MagicalTux. Sounds like it was just a website bug, not a security thing.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: iCEBREAKER on June 18, 2011, 05:49:07 AM
Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Yep, same here.

I demand that strong feelings be expressed, and highly recommend a general panic.  Mass hysteria is our only option!


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Desu on June 18, 2011, 05:56:50 AM
Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: imperi on June 18, 2011, 06:04:09 AM
Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.

I think it's a guy, just with a girly name.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: beeph on June 18, 2011, 06:05:20 AM
so as I understand it you're only vulnerable if you're compromised by another site already?  Why don't you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people would infer from this)


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: goldbit on June 18, 2011, 06:06:32 AM
Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Same problem here.
I am extremely nervous right now. I hope it is just a glitch at Mt Gox.

Can anyone confirm it?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: mouse on June 18, 2011, 06:07:11 AM
I believe that this type of attack is when the session token is stored as a cookie AND the server doesn't check the referrer. The normal method is to store a new session token on each post to the client, which gets submitted back each time (so it's stored in the user's webpage, not in a cookie).

This is just from memory, but if it's true, then, honestly, I have no faith at all in any website that fell for this. This issue would fall under 'basic' security and has probably been around for years. Sure it might be plugged now, but what else isn't?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: dr.bitcoin on June 18, 2011, 06:16:07 AM
Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which banks have IT departments, security officers, response teams etc.

We desperately need a solution here, I think one of the reasons for the recent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: dr.bitcoin on June 18, 2011, 06:18:50 AM
mouse, you are pretty much correct.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: cottoneyeJoe on June 18, 2011, 07:21:18 AM
Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which banks have IT departments, security officers, response teams etc.

We desperately need a solution here, I think one of the reasons for the recent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...

Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Dont risk what you cant afford to lose, I suppose.

Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)
- the hole was apparently closed pretty damn fast once Mt.Gox became aware/verified it

As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they dont really seem to do much better...case in point....CitiBank

Quote
"Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique...cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

from http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access

..and those details came to light many many months after the event.

I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

Stay with the state regulated banks and fiat currencies if you want perceived safety of regulators and so called experts looking out for you. Be prepared to take more than a modicum of self-responsibility out here, however.

Bravo, bitcoin community!



Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Horkabork on June 18, 2011, 07:33:42 AM
The login issue is fixed for me and it looks like several others. It sounds like it was unrelated to the security stuff.

Kudos to MagicalTux for fixing the login issue almost as soon as he heard of it.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: charliesheen on June 18, 2011, 08:31:15 AM
my php curl attempts stopped working a few hours ago, any explanation for this?


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Grant on June 18, 2011, 08:52:32 AM
Both bugs are fixed now. I have just verified it.

I still feel kinda paranoid about logging in without a verification from mtgox.

I panic withdrew 50% of my funds yesterday after seeing this thread. (something i had originally planned to use for trading)


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Disposition on June 18, 2011, 09:01:55 AM
my php curl attempts stopped working a few hours ago, any explanation for this?

seconded, I actually think the server is just being hammered or something, apparently I just got through a few second ago and printed me some data, I wrote a script to ping it every 15 minutes, thought it was up but I guess not.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: mikey5287 on June 18, 2011, 09:02:13 AM
this is why I don't keep bitcoin/money in MtGox.
I always do my business quick, get in and out.

Hell the wallet I sent all my coins to, I only boot when I want to trade.  Well after waiting for the block download.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: proudhon on June 18, 2011, 09:54:47 AM
This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: bitoption on June 18, 2011, 10:05:29 AM
Bitoption was hit with CSRF attacks today as well; no successes, though.

Re: Curl and Mt. Gox, I believe they changed their SSL Cert recently. My linux boxes didn't have a good CA chain to their authority, and resisted all attempts to add the chain in. Eventually I just imported the direct Gox one and marked it trusted. Curl finally shut up at that point.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: joepie91 on June 18, 2011, 10:12:31 AM
I have sent MagicalTux a PM about a CSS history sniffing vulnerability and haven't had a response yet.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: jondecker76 on June 18, 2011, 10:20:24 AM
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: MiningBuddy on June 18, 2011, 10:59:43 AM
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)
From IRC several hours ago
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: killerstorm on June 18, 2011, 11:19:22 AM
(I don't blame MagicalTux, since he didn't write the code.)

But he has "PHP can do ANYTHING!" in his motto which suggests that he knows some stuff about web dev. (I haven't seen non web-dev fans of PHP so far.)

And I think any decent web developer should be well aware of CSRF.

It takes approximately a minute to check whether your site has CSRF vulnerability. Then it takes approximately a minute to fix this (via referer check, which is less than perfect, but will work).

So, no, being 'alone' is not an excuse. It takes just two fucking minutes to secure your site. If you cannot find two minutes then you shouldn't be in business.

If you don't know web stuff very well then, well, pay somebody who can secure it.

There are NO excuses for for-profit enterprises.
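
The referer check mentioned in the post above, as an added example that is not part of the original thread: a substring test that also lets a missing header through, beside a check that parses the `Origin` or `Referer` value and compares scheme, host and port exactly. The site name `exchange.example`, the sample requests and the function names are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the site is served only from this origin.
ALLOWED_ORIGINS = {("https", "exchange.example", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(value):
    """Return (scheme, host, port) for a URL or Origin value, else None."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def naive_referer_check(headers):
    """Weak form: substring match, and a missing header is waved through."""
    referer = headers.get("Referer")
    return referer is None or "exchange.example" in referer


def strict_source_check(headers):
    """Prefer Origin, fall back to Referer, reject when neither is usable."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return origin_of(source) in ALLOWED_ORIGINS


# Constructed request headers (names assumed already normalised by the server).
SAMPLE_REQUESTS = [
    ("own page", {"Referer": "https://exchange.example/trade"}),
    ("own page, Origin header", {"Origin": "https://exchange.example"}),
    ("name used as a prefix",
     {"Referer": "https://exchange.example.unrelated.test/"}),
    ("name in query string",
     {"Referer": "https://unrelated.test/?from=exchange.example"}),
    ("plain-http copy of the name", {"Referer": "http://exchange.example/trade"}),
    ("opaque origin", {"Origin": "null"}),
    ("no source headers at all", {}),
]


def compare_checks():
    """Run both checks over the samples: (label, naive_ok, strict_ok)."""
    return [(label, naive_referer_check(h), strict_source_check(h))
            for label, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, naive_ok, strict_ok in compare_checks():
        print(f"{label:30} naive={naive_ok!s:5} strict={strict_ok}")
```

Rejecting requests that carry neither header can also block clients that strip `Referer`, which is one reason a per-page token is normally the primary check and this one a second layer.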


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: ius on June 18, 2011, 11:48:44 AM
Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Dont risk what you cant afford to lose, I suppose.

Even if you protect your private keys and passwords carefully it appears you could be compromised on MtGox. People expect an exchange to be secure, and that's completely reasonable (quote from MtGox frontpage: "Safe and Easy"). Security should be the number one priority for such operations - you'd rather be unable to trade due to a non-security-related bug rather than lose all of your coins, right?

Quote
Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

It should have been prevented (not caught) during development. But the few bits of MtGox history I picked up learnt me that MtGox was sold and is based on a code base once used for a completely different trading purpose. I hope the current maintainer(s?) aren't the same ones who wrote the insecure code. Neglecting security to "keep things running" doesn't sound like proper practise to me, regardless.

Quote
What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)

By who? Especially your second point shouldn't have been the responsibility of the users. In case of a security incident I expect full (and pre-emptive) transparency about the issue, its impact and mitigation. Look at LastPass, think they did a pretty good job recently.. I haven't seen MtGox do anything like that at all.

Quote
As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they don't really seem to do much better...case in point....CitiBank

So you're basically saying regulations and audits are pointless, backed up by a single example. Go tell your bank how they can save some cash..

Quote
I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

We're not.
- The reference bitcoin client currently stores keys in plaintext, which is a huge vulnerability considering 'the average user' needs lots of handholding to remain secure (0.4 should at least protect you from clueless adversaries).
- Exchanges aren't as secure as they should be - CSRF vulnerabilities were reported in multiple exchanges.

Bottom line: I believe MtGox is operating understaffed on an outdated, re-used and potentially inherently insecure code base. The very least they could do is get some auditing done and hire some competent developers to fix found issues.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: genjix on June 18, 2011, 11:57:56 AM
1. Britcoin was never hacked.
2. We have all the funds there.
3. A team of 4 is working fulltime on the code: https://gitorious.org/intersango/


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: Batouzo on June 18, 2011, 12:05:58 PM
So they are taking my cookies? NOZ! >:(

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

This is exactly why I tell everyone to set up a separate account for such jobs: e.g. a separate firefox/browser profile used ONLY to access say mtgox.com

btw.: Trololololo



Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Batouzo on June 18, 2011, 12:12:27 PM
THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email addresses in their mtgox profile. if they are incorrect they have to change their address + password

So a JS-based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be advised to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.



Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: tcatm on June 18, 2011, 12:34:51 PM
So a JS-based exploit?

Nope, the bug was not related to JavaScript.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: joepie91 on June 18, 2011, 12:37:13 PM
THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email addresses in their mtgox profile. if they are incorrect they have to change their address + password

So a JS-based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be advised to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.



JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: makomk on June 18, 2011, 12:38:33 PM
so as I understand it you're only vulnerable if you're compromised by another site already?  Why don't you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people would infer from this)

Nope, you were vulnerable just by visiting a malicious site whilst logged into Mt Gox - or even just an otherwise-trustworthy site with a malicious ad on it, in theory. The problem was with Mt Gox. They failed to verify that form data submitted from your browser telling the site to do stuff was actually submitted by you rather than from some random evil webpage you've visited. This is a well known type of security issue and the methods of preventing it are also well-known.

So a JS-based exploit?

Javascript makes CSRF slightly easier to exploit but not much. If you had Javascript disabled the malicious website would have to trick you into clicking a button on the page in order to hack you, but the button could be named and styled and presented however they wanted. (Also, as joepie91 says, it doesn't matter whether Mt Gox itself used Javascript or not.)
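
The server-side check described in the post above (and the referer check mentioned earlier in the thread), as an added example that is not from the thread or from MtGox's code. The hostname `exchange.example`, the field name `csrf_token` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for this sketch; a real deployment loads the key from secure storage.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = ("https", "exchange.example", 443)  # hypothetical site origin
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id: str) -> str:
    """Per-session token the site embeds as a hidden field in every form it renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str):
    """Parse scheme/host/port exactly; substring matching would accept look-alike hosts."""
    parts = urlsplit(url)
    try:
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    except ValueError:  # malformed port in the header value
        port = None
    return (parts.scheme, parts.hostname, port)


def check_request(method, headers, session_id, form):
    """Return (allowed, reason) for one request carrying a valid session cookie."""
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    # Layer 1: source check. Rejects requests that name a foreign origin, but
    # some clients and proxies strip these headers, so absence proves nothing.
    source = headers.get("Origin") or headers.get("Referer")
    if source and _origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-site source"
    # Layer 2: the token. A page on another site can make the browser send the
    # session cookie, but it cannot read the form this token was rendered into.
    sent = form.get("csrf_token", "")
    expected = issue_token(session_id)
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "missing or wrong token"
    return True, "ok"
```

A request with no `Origin` or `Referer` header falls through to the token check, which is why the referer check alone is "less than perfect" and the token is the control that actually decides.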


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Vandroiy on June 18, 2011, 01:05:37 PM
So, just to get this right:

We found a massive security hole. Multiple people claim to have money stolen. MtGox writes a line on IRC stating the hole was not exploited, and we remain with multiple users who claim to not have been paid the money owed by MtGox?

I'd like this examined in detail. If my money ever disappears in such a fashion, I will be on the next plane to Japan to figure out in person what the fuck happened.

Just saying, this isn't a SONY-class incident leaking personal data, we have money vanishing according to some people, and just found a potential cause of it.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: jondecker76 on June 18, 2011, 02:00:44 PM
I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  That's what you do as an honest business


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Ricochet on June 18, 2011, 06:18:14 PM
I'll admit, as soon as multiple people started claiming they were being hacked, I bought up as many bitcoins as I could with my remaining MtGoxUSD and got the coins out of there ASAP.  It will be a long time before I trust the website enough to use it regularly again.

This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.
Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post (http://forum.bitcoin.org/index.php?topic=5307.msg84312#msg84312) about it.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Grant on June 18, 2011, 07:15:03 PM

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post (http://forum.bitcoin.org/index.php?topic=5307.msg84312#msg84312) about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vulnerabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: cuddlefish on June 18, 2011, 08:07:16 PM

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post (http://forum.bitcoin.org/index.php?topic=5307.msg84312#msg84312) about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vulnerabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.



myopenid works with RSA tokens


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: kwukduck on June 19, 2011, 12:03:36 AM
Damn it...! I knew it wasn't any of my systems that got compromised..!


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: gigabytecoin on June 19, 2011, 01:21:11 AM
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?


Title: Re: Reports of MtGox being hacked ARE REAL
Post by: imperi on June 19, 2011, 01:25:12 AM
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?

My favorite part is that they blame the websites.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: JackSparrow on June 19, 2011, 12:01:25 PM
I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  That's what you do as an honest business

+1

A good friend of mine lost about 20 btc.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: kwukduck on June 19, 2011, 01:06:14 PM
I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, I'm done using MtGox...


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Batouzo on June 19, 2011, 01:20:13 PM
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with possibility to disable JS in browser, which users might want to do.

Even as makomk says JS was not a necessity for THIS attack (just making it a bit easier by autosubmitting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages - require it).






Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: willphase on June 19, 2011, 01:20:34 PM
might be worth adding a captcha to any form of transaction via the web on mtgox?

Will


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: joepie91 on June 19, 2011, 01:52:55 PM
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with possibility to disable JS in browser, which users might want to do.

Even as makomk says JS was not a necessity for THIS attack (just making it a bit easier by autosubmitting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages - require it).





Javascript is a legitimate technology that is pretty much a basic cornerstone of the web as it is now. You can't just take that away. A way better option would probably be if browsers by default protect against CSRF attacks, like they do with XSS now.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: freequant on June 19, 2011, 04:25:37 PM
I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, I'm done using MtGox...

On logical grounds, this cannot be true because an XSRF vulnerability can only be found and confirmed by exploiting it, and several people already confirmed they have tried the exploit before and after it was fixed. The statement that the vuln was never exploited is therefore false.

In addition, I seriously doubt that a developer that was careless enough to trust a session token without checking the referral URL could think of logging it. And if MtGox did not log the referral URL of the HTTP requests of each transaction, they cannot possibly claim that they know the flaw was not exploited.

If you have had money stolen from your MtGox account prior to the fix of this exploit, the least you are in right of demanding is the full log showing your transactions as well as the one where your funds were stolen. If the log does not contain any referral URLs, or they are not from mtgox domain, or the IPs used were only yours, then there really is something fishy.

Surely, the logs can be rewritten to make it seem like the transaction was requested from another IP. Just to make sure it is not the case, some people who have NOT been hacked but have done multiple transactions from the same IP should claim that their account got hacked and ask the logs just to ascertain that there is only their IP there and there is no log rewriting going on.

Another VERY important thing if you got stolen from your MtGox account but they refuse to be liable for it: MAKE A COPY OF YOUR BROWSER CACHE now and have it checked by a web developer you trust. If you were a victim of XSRF the code of the forged request is likely still in your browser's cache where it can be found with a simple grep for the mtgox domain name.
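
The log review described in the post above, as an added example that is not from the thread: a triage pass over web-server access logs that flags state-changing requests whose Referer is absent or points at another site. The hostname, the sensitive paths and the log lines are constructed for illustration, and the combined log format is an assumption about how the server logs.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "exchange.example"                      # assumed site hostname
SENSITIVE_PATHS = ("/withdraw", "/settings/email")  # hypothetical state-changing endpoints

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: the same client IP makes one normal and one forged-looking request.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jun/2011:01:12:03 +0000] "GET /trade HTTP/1.1" 200 5120 "https://exchange.example/" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2011:01:12:40 +0000] "POST /withdraw HTTP/1.1" 302 0 "https://exchange.example/withdraw" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2011:01:15:09 +0000] "POST /settings/email HTTP/1.1" 302 0 "http://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.9 - - [18/Jun/2011:01:20:11 +0000] "POST /withdraw HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify_referer(referer: str) -> str:
    """Label a logged Referer value relative to the site's own hostname."""
    if referer in ("", "-"):
        return "absent"
    host = urlsplit(referer).hostname
    return "same-site" if host == SITE_HOST else "cross-site"


def triage(log_text: str):
    """Return (timestamp, ip, path, verdict, referer) for each suspicious POST."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(SENSITIVE_PATHS):
            continue
        verdict = classify_referer(m["referer"])
        if verdict != "same-site":
            findings.append((m["ts"], m["ip"], path, verdict, m["referer"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A forged request arrives from the victim's own browser and IP address, so the Referer column is the discriminating field here; an absent Referer is inconclusive and only marks the request for closer review.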



Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: Batouzo on June 20, 2011, 12:55:40 AM
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but I haven't gotten any reply)
From IRC several hours ago
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.

They could have just used MySQL injection instead (the 2nd bug as people say in forums) - the database of all users+passwords(weak hash) is leaked.


Title: Re: Reports of MtGox being hacked ARE REAL (Fixed)
Post by: dr.bitcoin on June 21, 2011, 05:51:27 AM
I have been following a few threads on the MtGox incident and I must say I am appalled by what I read!

The facts are:
1. someone patched together an exchange reusing insecure code that was developed for a completely different purpose.
2. someone else bought it later and made some improvements (nothing really significant though).
3. being one of the first, and for the lack of a better exchange, MtGox became big
4. MtGox started to generate profits of about $50,000/day or $70,000 on a really good day.
5. MtGox got hacked, the market has crashed, some people lost money and bitcoins, most people lost value (BTC going down etc.)
6. It is obvious that this could have been prevented given the significant profits made by MtGox. it was not.

What people say:
1. it's OK, this is the wild west and we're still building a country here.
2. he's one man, what would you expect?
3. well, as bad as it is, MtGox is trying really hard to fix it
4. etc.

Guys, why don't you try to pull something like this in the real world, on your own customers?
What do you think would happen?

IMHO, this kind of money should not be left in the hands of some kid who thinks he knows about computers.
Simply because there's always another computer-savvy kid around the corner...