Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: fujiwara on June 21, 2011, 07:51:21 PM



Title: What if the hacker had write access to the database?
Post by: fujiwara on June 21, 2011, 07:51:21 PM
I know there are already lots of threads about the incident, but I haven't read anything there about the following scenario:

Just imagine the hacker was (somehow, don't ask me how) able to actually EDIT the content of the Mt. Gox database. I just CAN'T believe someone really has 500k btc there. What if they were just added seconds before the attack, just out of nothing? Afaik, technically speaking, these aren't bitcoins, they're just some numbers in a database. The deposit/withdrawal process of bitcoins is another story (and usually the correct source of the db's content).

I'm thinking about this scenario because if it was true, there would be no other option than to roll back the trades - unless Mt. Gox were willing to turn btc into fiat money. They would actually be short of btc and couldn't withstand a bank run.

What do you guys think about this? Is it completely impossible that a hacker gained write access to the Mt. Gox database? I'm not trying to spread a conspiracy theory, I'm just wondering why no one is talking about the possibility of this happening.



Title: Re: What if the hacker had write access to the database?
Post by: TraderTimm on June 21, 2011, 07:55:59 PM
Nothing against you personally, I just think all Mt. Gox threads should die in a fire, unless they are official reopening statements.

As for the database, restore from backup prior to the incident, solved.


Title: Re: What if the hacker had write access to the database?
Post by: dinker on June 21, 2011, 07:59:08 PM
He would draw you a very nice picture.


Title: Re: What if the hacker had write access to the database?
Post by: vrotaru on June 21, 2011, 08:09:05 PM
[20:51:52] <PovAddict> https://mtgox.com/claim?token=foo'%20OR%201='1&email=test@example.com
[20:52:07] <jrmithdobbs> LO FUCKIN L
[20:52:17] <jrmithdobbs> ya, i buy it considering how the other sqli and csrfs worked :(
[20:53:25] <PovAddict> so he says you can use that sqli (or another) to set how much money your account has, then withdraw it
[20:54:17] <jrmithdobbs> you know time frame on when it would have been done? I know one sqli was disclosed/patched on the 16th
[20:54:37] <PovAddict> I have no idea if this was ever exploited
[20:55:37] <PovAddict> this guy who told me about the vulns was scared of even publishing them, let alone exploit them...
[20:56:22] <PovAddict> speaking about mybitcoin exploits:
[20:56:23] <PovAddict> <PovAddict> well, you know what to do... if they don't react [to your private report] in a reasonable amount of time... >:)
[20:56:25] <PovAddict> <xxxx> i don't even know what the acceptable disclosure path is, when you're talking about what is, in effect, a bank.
[20:56:46] <jrmithdobbs> he patched the csrf in mybitcoin over the weekend quietly
[20:57:10] <jrmithdobbs> i publicly disclosed csrfs in clearcoin (was going to disclose mybitcoin too but he patched while i was putting together email)
[20:57:36] <jrmithdobbs> at this point? the correct disclosure method is the normal full disclosure lists, the bitcoin-development list, and the forums. simultaneously.
[21:00:13] <PovAddict> http://stuff.povaddict.com.ar/mtgox-xss.txt here's another fun one
[21:01:03] <jrmithdobbs> that doesn't load for me
[21:01:19] <jrmithdobbs> does now, nm
[21:02:53] <jrmithdobbs> that's csrf not xss ;P
[21:03:13] <PovAddict> it's both
[21:03:30] <PovAddict> you're taken to a page that executes your injected Javascript
[21:04:15] <jrmithdobbs> you've just explained what happened.
[21:05:02] <jrmithdobbs> that's the same sqli ius disclosed and got patched on the 16th. whoever crashed the market noticed it got patched. used the account he had deposited funds into. crashed the market in an attempt to get it out of the exchange by having btc lowered in value
[21:05:51] <jrmithdobbs> jesus christ. fuck magicaltux. lying and/or incompetent asshat.

http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20110620/dc3e0783/attachment-0003.obj
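
The claim URL quoted in the log above carries a single quote inside `token`. The following is an added example, not code from this thread or from Mt. Gox: it shows what string concatenation does to that value, and how a format check plus bound parameters keep it as data. The `claims` table, the 8-hex-digit token format and the sample row are assumptions constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# URL exactly as quoted in the log above.
LOGGED_URL = "https://mtgox.com/claim?token=foo'%20OR%201='1&email=test@example.com"
TOKEN_FORMAT = re.compile(r"[0-9a-f]{8}")  # assumed token format (hypothetical)

def make_db():
    # Constructed row; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE claims (email TEXT, token TEXT)")
    db.execute("INSERT INTO claims VALUES ('alice@example.com', '9f2c41d7')")
    return db

def parse_claim(url):
    # parse_qs URL-decodes, so %20 is a space by the time the value reaches SQL.
    q = parse_qs(urlsplit(url).query)
    return q.get("token", [""])[0], q.get("email", [""])[0]

def concatenated_sql(token, email):
    # Vulnerable pattern: parameters are spliced into the statement text.
    # A quote in `token` closes the string literal, and what follows is
    # parsed as SQL: an OR term that is evaluated for every row.
    return ("SELECT email FROM claims WHERE email = '" + email +
            "' AND token = '" + token + "'")

def lookup(db, token, email):
    # Hardened pattern: placeholders bind both values as data, so the quote
    # and the OR are only characters in a token that matches no row.
    row = db.execute("SELECT email FROM claims WHERE email = ? AND token = ?",
                     (email, token)).fetchone()
    return row[0] if row else None

def claim(db, url):
    # Reject tokens that do not have the expected shape before querying.
    token, email = parse_claim(url)
    if not TOKEN_FORMAT.fullmatch(token):
        return None
    return lookup(db, token, email)
```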


Title: Re: What if the hacker had write access to the database?
Post by: finack on June 21, 2011, 08:14:59 PM
Well, what if the hacker had ice cream?


Title: Re: What if the hacker had write access to the database?
Post by: TonyHoyle on June 21, 2011, 08:18:05 PM
Quote from: vrotaru on June 21, 2011, 08:09:05 PM
[20:51:52] <PovAddict> https://mtgox.com/claim?token=foo'%20OR%201='1&email=test@example.com

I *really* hope that's not true, for the sake of everyone that just reset their passwords...


Title: Re: What if the hacker had write access to the database?
Post by: speeder on June 21, 2011, 08:18:34 PM
jrmithdobbs has been attacking mtgox for a long time now, since before any information was available.

I am not sure anything to do with him can be trusted on mtgox matters.


Title: Re: What if the hacker had write access to the database?
Post by: fujiwara on June 21, 2011, 08:29:24 PM
thank you vrotaru, that's the kind of stuff I was looking for... how can we be sure it wasn't something like this?
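
One way an operator could check for the scenario this thread asks about, balances edited directly in the database, is to recompute every balance from the deposit/withdrawal/trade ledger and to compare total liabilities with the coins actually held. This is an added example, not code from the thread or from Mt. Gox; the schema, account names, rows and the `wallet_sat` input are hypothetical and constructed.

```python
import sqlite3

SAT = 100_000_000  # satoshis per BTC; integers avoid float rounding

def make_db():
    # Constructed rows on a hypothetical schema. "mallory" deposited 0.1 BTC,
    # but the stored balance was edited to the 500k figure asked about above.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE balances (account TEXT PRIMARY KEY, sat INTEGER);
        CREATE TABLE ledger (account TEXT, kind TEXT, delta_sat INTEGER);
    """)
    db.executemany("INSERT INTO ledger VALUES (?, ?, ?)", [
        ("alice", "deposit", 5 * SAT), ("bob", "deposit", 2 * SAT),
        ("alice", "trade", -1 * SAT), ("bob", "trade", 1 * SAT),
        ("mallory", "deposit", SAT // 10),
    ])
    db.executemany("INSERT INTO balances VALUES (?, ?)", [
        ("alice", 4 * SAT), ("bob", 3 * SAT), ("mallory", 500_000 * SAT),
    ])
    return db

def reconcile(db, wallet_sat):
    # 1. Every stored balance must equal the sum of that account's ledger rows.
    mismatches = db.execute("""
        SELECT b.account, b.sat, COALESCE(SUM(l.delta_sat), 0)
        FROM balances b LEFT JOIN ledger l ON l.account = b.account
        GROUP BY b.account, b.sat
        HAVING b.sat != COALESCE(SUM(l.delta_sat), 0)
        ORDER BY b.account""").fetchall()
    # 2. Trades only move coins between accounts, so their deltas sum to zero.
    trade_sum = db.execute("SELECT COALESCE(SUM(delta_sat), 0) FROM ledger "
                           "WHERE kind = 'trade'").fetchone()[0]
    # 3. The ledger lives in the same database and could be edited too; coins
    #    held on-chain cannot, so total liabilities are compared with
    #    wallet_sat, a figure taken from the wallet and not from the database.
    owed = db.execute("SELECT COALESCE(SUM(sat), 0) FROM balances").fetchone()[0]
    return {"mismatches": mismatches, "trade_imbalance": trade_sum,
            "shortfall_sat": max(0, owed - wallet_sat)}
```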


Title: Re: What if the hacker had write access to the database?
Post by: ius on June 21, 2011, 08:49:31 PM
Quote from: TonyHoyle on June 21, 2011, 08:18:05 PM
[20:51:52] <PovAddict> https://mtgox.com/claim?token=foo'%20OR%201='1&email=test@example.com

I *really* hope that's not true, for the sake of everyone that just reset their passwords...


That was reported (and fixed) on the 16th. Users were, however, not informed about the vulnerability. Two days later the database leaked...


Title: Re: What if the hacker had write access to the database?
Post by: vrotaru on June 21, 2011, 08:50:31 PM
@fujiwara

I've read this thread: http://forum.bitcoin.org/index.php?topic=20437.0 some 12 hours ago. Still impressed. Oh, and I'm the wrong person to ask "how can we be sure that it wasn't something like this?"

MagicalTux is.


Title: Re: What if the hacker had write access to the database?
Post by: fujiwara on June 21, 2011, 09:10:03 PM
missed that thread, sorry. it's very interesting indeed...
http://forum.bitcoin.org/index.php?topic=20437.0

let's move...

ADMIN: pls close this thread.