Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: cuddlefish on June 30, 2011, 12:40:18 AM



Title: Virwox.com CSRF
Post by: cuddlefish on June 30, 2011, 12:40:18 AM
http://pastehtml.com/view/!!REMOVETHISTOGIVEME0.05BTC!!aytbmtv3u.html



Title: Re: Virwox.com CSRF
Post by: Chick on June 30, 2011, 12:59:47 AM
http://pastehtml.com/view/!!REMOVETHISTOGIVEME0.05BTC!!aytbmtv3u.html



Too bad I don't have a VirWoX account...


Title: Re: Virwox.com CSRF
Post by: BitcoinPorn on June 30, 2011, 01:03:45 AM
Editing this post, figuring out what the fuck is going on.   Currently reading these pages:

https://www.virwox.com/withdraw.php
http://bitcoinstats.com/irc/bitcoin-dev/logs/2011/06/19/22
http://friendfeed.com/bitcoininfo/2baf2fb2/virwox-csrf-btc-eur-7-14-3-bitcoincentral

So confused.


Title: Re: Virwox.com CSRF
Post by: cuddlefish on June 30, 2011, 01:07:02 AM
Just, why?

Damn, sorry to see you banned (because that is what should happen, I thought that unemployed guy was bad, you have posts built up just to try and steal Bitcoin I don't have through a site I don't use)

I'm reporting this. Not stealing anything.
1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text
2. I deliberately broke the link with descriptive text


Title: Re: Virwox.com CSRF
Post by: BitcoinPorn on June 30, 2011, 01:08:22 AM
I'm reporting this. Not stealing anything.
1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text
2. I deliberately broke the link with descriptive text

I would make a strong argument on how this is not a way to test that shit, especially knowing what it does and knowing the intelligence of all the users, including myself :D

Seriously, bullshit like that should be instant banning.  The general Bitcoin Discussion forums should not be used to experiment with (don't shit where you eat)


Title: Re: Virwox.com CSRF
Post by: cuddlefish on June 30, 2011, 01:11:04 AM
I'm reporting this. Not stealing anything.
1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text
2. I deliberately broke the link with descriptive text

I would make a strong argument on how this is not a way to test that shit, especially knowing what it does and knowing the intelligence of all the users, including myself :D

Seriously, bullshit like that should be instant banning.  The general Bitcoin Discussion forums should not be used to experiment with (don't shit where you eat)
I've reported it to them, they've sat on it; I assumed they read these forums.


Title: Re: Virwox.com CSRF
Post by: BitcoinPorn on June 30, 2011, 01:12:17 AM
I've reported it to them, they've sat on it; I assumed they read these forums.

So is this what programming is nowadays for everyone?   Fuck patience and waiting on others... but also fuck making things for yourself, instead just break other people's shit until they do something?

What a world :(


Title: Re: Virwox.com CSRF
Post by: cuddlefish on June 30, 2011, 01:15:40 AM
I've reported it to them, they've sat on it; I assumed they read these forums.

So is this what programming is nowadays for everyone?   Fuck patience and waiting on others... but also fuck making things for yourself, instead just break other people's shit until they do something?

What a world :(

So you'd prefer I just wait until they fix it, hoping nobody else discovers it before they do?


Title: Re: Virwox.com CSRF
Post by: BitcoinPorn on June 30, 2011, 01:24:18 AM
So you'd prefer I just wait until they fix it, hoping nobody else discovers it before they do?
As opposed to how you handled this, of course.

You could have put a detailed post, said what this link you are providing does and why and how it is wrong and I really could go on all day on how many different ways you could have made that same post, added just a little text, and it would have made the whole world of a difference.


Title: Re: Virwox.com CSRF
Post by: datguywhowanders on June 30, 2011, 01:50:53 AM
The few security "experts" that post on this forum have tons of knowledge, but they lack social skills and common sense.

My two bitcents.


Title: Re: Virwox.com CSRF
Post by: elggawf on June 30, 2011, 01:52:25 AM
As opposed to how you handled this, of course.

You could have put a detailed post, said what this link you are providing does and why and how it is wrong and I really could go on all day on how many different ways you could have made that same post, added just a little text, and it would have made the whole world of a difference.

A broken link, where you have to read "REMOVE THIS TO GIVE ME 0.5BTC", before removing it, in a thread that says "CSRF" in it... and you're complaining he wasn't transparent enough?

So much for other people claiming that the Bitcoin forums were mostly composed of smart folks - you'd have to be dumb as a box of rocks to fall for this post.

If they did indeed sit on it as OP said, kudos to him for disclosing it. Full disclosure works with non-responsive vendors, so fuck them.


Title: Re: Virwox.com CSRF
Post by: BitcoinPorn on June 30, 2011, 01:58:21 AM
A broken link, where you have to read "REMOVE THIS TO GIVE ME 0.5BTC", before removing it, in a thread that says "CSRF" in it... and you're complaining he wasn't transparent enough?

So much for other people claiming that the Bitcoin forums were mostly composed of smart folks - you'd have to be dumb as a box of rocks to fall for this post.

If they did indeed sit on it as OP said, kudos to him for disclosing it. Full disclosure works with non-responsive vendors, so fuck them.
I was beyond dumb, I knew it was something bad and still went in just to see what it was :)

Still, those lesser than me are idiots too, and no one deserves to be fucked with in this subforum.  Keep it in development and etc.   Forcing it to break in public is not the way to fix things, it drops confidence overall, when cuddlefish obviously knew of this exploit for a while, I guess couldn't fix it but only manipulate it and use it to fuck around with general users (also, I have seen his link in another thread without the remove text, still does not matter).

Look, I can't hate the guy for finding out an exploit, but if his choice was to not make this thread or make it, well he could have done a billion things more productive for this particular situation other than make this thread in the manner that he did.


Title: Re: Virwox.com CSRF
Post by: ribuck on June 30, 2011, 11:08:28 AM
Cuddlefish didn't "break the other guy's website", because the other guy's website was already broken.

Also, posting publicly serves as a cautionary tale for every other website owner to re-check their own websites.


Title: Re: Virwox.com CSRF
Post by: lemonginger on June 30, 2011, 05:41:10 PM
Virwox response please?

[If VirWox does not respond quickly, I would urge all BTC folks to take business elsewhere.]


Title: Re: Virwox.com CSRF
Post by: gentakin on June 30, 2011, 05:50:00 PM
The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing to do. Now we are all aware of the fact that Virwox is vulnerable right now. [Also, this is the kind of coding error only very inexperienced web developers would create.. So much for Virwox]
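The coding error gentakin is pointing at is the classic one behind any CSRF bug: a state-changing request (here, a withdrawal) that the server accepts on the strength of the session cookie alone, so a form submitted from any other site is indistinguishable from a deliberate one. The following is an added example, not Virwox's code and not anything posted in the thread; the `Request` class, the `SESSIONS`/`BALANCES` store, `SITE_ORIGIN` and both handler names are hypothetical stand-ins, and the requests are constructed inline. It shows the unprotected handler beside one that requires a per-session synchronizer token and checks the `Origin` header as defence in depth.

```python
"""Added example (hypothetical, not Virwox's code): a cookie-only withdraw
handler beside a CSRF-protected one, exercised with constructed requests."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://exchange.example"   # assumed origin of the legitimate site


@dataclass
class Request:
    """Constructed stand-in for an HTTP request reaching a withdraw endpoint."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


# Hypothetical server-side state: session id -> session record, user -> balance.
SESSIONS = {}
BALANCES = {}


def login(user):
    """Create a session and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the site would embed as a hidden field in its own withdraw form."""
    return SESSIONS[sid]["csrf"]


def _session_and_amount(req):
    """Shared checks: must be a POST from a logged-in session with a numeric amount."""
    if req.method != "POST":
        return None, None, "method not allowed"
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return None, None, "not logged in"
    try:
        amount = float(req.form.get("amount", ""))
    except ValueError:
        return None, None, "bad amount"
    return sess, amount, None


def withdraw_unprotected(req):
    """Vulnerable form: the cookie is the only proof of intent. A browser attaches
    the cookie to a cross-site form post too, so any page the victim visits can
    cause this handler to move funds."""
    sess, amount, err = _session_and_amount(req)
    if err:
        return err
    BALANCES[sess["user"]] -= amount
    return "ok"


def withdraw_protected(req):
    """Hardened form: the request must also carry the session's secret token,
    which a cross-site page cannot read, compared in constant time. The Origin
    header is checked when present (older clients may omit it on same-site posts)."""
    sess, amount, err = _session_and_amount(req)
    if err:
        return err
    submitted = req.form.get("csrf", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return "csrf token missing or invalid"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "cross-site origin rejected"
    BALANCES[sess["user"]] -= amount
    return "ok"


def run_scenario():
    """Reset state, then replay a forged cross-site POST against both handlers
    followed by a legitimate same-site POST that carries the session's token."""
    SESSIONS.clear()
    BALANCES.clear()
    BALANCES["alice"] = 10.0
    sid = login("alice")
    # Constructed forged request: the victim's cookie rides along, no token,
    # Origin is the attacker-controlled page that hosted the auto-submitting form.
    forged = Request("POST", {"sid": sid}, {"amount": "1.0", "to": "attacker-addr"},
                     {"Origin": "https://evil.example"})
    r_unprotected = withdraw_unprotected(forged)   # funds move
    r_protected = withdraw_protected(forged)       # rejected, balance untouched
    # Constructed legitimate request from the site's own form, token included.
    legit = Request("POST", {"sid": sid},
                    {"amount": "1.0", "to": "my-addr", "csrf": csrf_token_for(sid)},
                    {"Origin": SITE_ORIGIN})
    r_legit = withdraw_protected(legit)
    return r_unprotected, r_protected, r_legit, BALANCES["alice"]


if __name__ == "__main__":
    print(run_scenario())
```

The token must be unpredictable and tied to the session (here it is minted at login and stored server-side), and comparison goes through `hmac.compare_digest` so a mismatch does not leak timing information. The `Origin` check is a second, independent signal; it is not a substitute for the token because some clients omit the header.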


Title: Re: Virwox.com CSRF
Post by: joan on June 30, 2011, 07:44:45 PM
The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing to do.
He didn't mention that he had contacted them.

@cuddlefish: Could you please clarify if you contacted them prior to the full disclosure, and how long. Thanks!


Title: Re: Virwox.com CSRF
Post by: elggawf on June 30, 2011, 07:59:46 PM
The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing to do.
He didn't mention that he had contacted them.

@cuddlefish: Could you please clarify if you contacted them prior to the full disclosure, and how long. Thanks!

See:
I've reported it to them, they've sat on it; I assumed they read these forums.


Title: Re: Virwox.com CSRF
Post by: lemonginger on June 30, 2011, 09:10:21 PM
I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?


Title: Re: Virwox.com CSRF
Post by: cuddlefish on June 30, 2011, 11:00:29 PM
I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?

It is now fixed.


Title: Re: Virwox.com CSRF
Post by: lemonginger on July 01, 2011, 01:40:18 AM
I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?

It is now fixed.

Exposure works every time. Thanks OP.