Bitcoin Forum

Economy => Marketplace => Topic started by: BouerBouer on June 19, 2011, 11:07:23 PM



Title: Offering free security analysis of BTC markets or BTC-related sites
Post by: BouerBouer on June 19, 2011, 11:07:23 PM
Hey guys, I recently started looking more into the crisis over at Mt. Gox, and I was absolutely shocked to find out that all of these accounts, worth (likely) over half a million dollars combined, were hacked with a simple SQL injection.

Now, what is an SQL injection, you may ask? It is one of the most basic and well-known methods of cracking websites. It is constantly seen as one of the most high-risk attacks possible on websites, yet it seems to be overlooked time and again. I'm guessing that whoever was behind this attack has been inspired by the recent Lulzsec epidemic, as most of their recent attacks seem to use this method. If I remember correctly, they downright admitted this was the case in their recent leak of a few thousand FBI accounts.

Now, SQL injection is not the only method of attacking websites. There are, of course, others. But by Mt. Gox simply ignoring a very basic vulnerability in their site, they put their customers at risk. And so, this happened. As a result, out of personal disgust I will be doing free security audits for any site related to BTC market trading or any site that uses BTC that would like to be audited.

If you would like me to audit the site, just post the website URL here and I will PM you any vulnerabilities I find. If you wish to be on the safe side, you can just post here that you would like me to audit the site then PM me with the URL. Again, this is entirely free, but donations are appreciated at my address: 1LmRDt5z5Ry4JarzcRow3HFa1dLYFf5kJF.

Most likely I will only point out the possible vulnerabilities, but if I have some knowledge on the vulnerability then I will suggest ways to prevent your website from coming under attack through it.
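To make concrete the kind of SQL injection flaw the post refers to, here is an added example (not code from the thread or from any of the sites mentioned) showing a login check written with string concatenation beside the same check written with bound parameters, over a constructed in-memory SQLite table:

```python
import sqlite3


def make_db():
    # Constructed sample data: one user row in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, name, pw):
    # Building the statement from user input lets a quote character in
    # the input change the structure of the query, not just its values.
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(q).fetchone() is not None


def login_parameterized(conn, name, pw):
    # Placeholders bind the input as data; the SQL text is fixed, so a
    # quote in the input is compared literally against the stored value.
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return conn.execute(q, (name, pw)).fetchone() is not None


def demo():
    conn = make_db()
    # Input containing a quote and an always-true clause (textbook case).
    crafted = "' OR '1'='1"
    return {
        "vuln_real_pw": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_crafted": login_vulnerable(conn, "alice", crafted),
        "safe_real_pw": login_parameterized(conn, "alice", "correct-horse"),
        "safe_crafted": login_parameterized(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The concatenated version accepts the crafted input as a valid login while the parameterized version rejects it; the fix is the same in any language and database driver: never splice untrusted input into SQL text.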


Title: Re: Offering free security analysis of BTC markets or BTC-related sites
Post by: done on June 19, 2011, 11:11:58 PM
Great way to contribute to the community. We need more individuals like you here.


Title: Re: Offering free security analysis of BTC markets or BTC-related sites
Post by: Jered Kenna (TradeHill) on June 19, 2011, 11:21:10 PM
Hey guys, I recently started looking more into the crisis over at Mt. Gox, and I was absolutely shocked to find out that all of these accounts, worth (likely) over half a million dollars combined, were hacked with a simple SQL injection.

Now, what is an SQL injection, you may ask? It is one of the most basic and well-known methods of cracking websites. It is constantly seen as one of the most high-risk attacks possible on websites, yet it seems to be overlooked time and again. I'm guessing that whoever was behind this attack has been inspired by the recent Lulzsec epidemic, as most of their recent attacks seem to use this method. If I remember correctly, they downright admitted this was the case in their recent leak of a few thousand FBI accounts.

Now, SQL injection is not the only method of attacking websites. There are, of course, others. But by Mt. Gox simply ignoring a very basic vulnerability in their site, they put their customers at risk. And so, this happened. As a result, out of personal disgust I will be doing free security audits for any site related to BTC market trading or any site that uses BTC that would like to be audited.

If you would like me to audit the site, just post the website URL here and I will PM you any vulnerabilities I find. If you wish to be on the safe side, you can just post here that you would like me to audit the site then PM me with the URL. Again, this is entirely free, but donations are appreciated at my address: 1LmRDt5z5Ry4JarzcRow3HFa1dLYFf5kJF.

Most likely I will only point out the possible vulnerabilities, but if I have some knowledge on the vulnerability then I will suggest ways to prevent your website from coming under attack through it.

Hi, we would be interested in speaking with you. We are also creating a community-funded Task Force to beef up security across the Bitcoin community. Send an email to info@tradhill.com with the title "Task Force".

Regards,
Adam



Title: Re: Offering free security analysis of BTC markets or BTC-related sites
Post by: BouerBouer on June 19, 2011, 11:35:23 PM
Hi, we would be interested in speaking with you. We are also creating a community-funded Task Force to beef up security across the Bitcoin community. Send an email to info@tradhill.com with the title "Task Force".

Regards,
Adam

Okay, well thank you very much for the offer Adam, and I will be writing you an e-mail shortly. :)

However, I will keep this thread open as I would also like to do some freelance vulnerability checks on my own. So does anybody have any requests for me?


Title: Re: Offering free security analysis of BTC markets or BTC-related sites
Post by: BouerBouer on June 23, 2011, 12:19:19 AM
Hey guys, as I have not received any word about the aforementioned "Task Force", I would like to remind everyone that I would still be willing to do this. :)