Bitcoin Forum

LocalBitcoins.com exploit!

Do NOT open any attachments within the site's messaging system!

https://localbitcoins.com/forums/#!/general-discussion#regarding-the-passport-imag

attachments such as? exe files?.....

a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu

traders probably don't have their life savings in there, but they do have there what they need for their daily business

LocalBitcoins isn't that where people actually meet in person  why are there bitcoins on the site?

To put them into the site's escrow for example. And the site features not only in-person trading but also various forms of online trading.

Localbitcoins is one of the few places where I can pick up some BTC with Paypal (at a premium of course) . I hope this doesn't affect traders...

if you dare to take a glimpse into the forums right now... Rome is burning!

Talk of lawsuits and losses of 13BTC+
Ouch...

Many lost over 5 BTC. not sure how much is true but most of the posters there are decent sellers.

Have you personally lost anything?

How it works exactly? It releases escrow? It sends bitcoins from wallet (impossible with 2FA)?

I expect to be out 4.7 bitcoins depending on how they resolve the issue.

Coinbase is the way.

Hope you all get repaid.

I hope they are fixing this shit, cause a shitstorm is coming...

My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

Great news


And cashouts are working again.

People keep putting Coins into online wallets whose security they don't know crap about!  WHEN WILL PEOPLE LEARN?

If you are an active seller on LocalBitcoins it's helpful to keep some bitcoins in the wallet in order to be able to fund sales efficiently.

I keep just enough to fund the maximum sale amount I have listed in my ads.

I lost 2.23 BTC to this and not happy.  And you can't even do online sales unless you have BTC in your wallet because they go into escrow most of the time.

Of course it's going to affect everyone. I don't even feel comfortable using the site now that I just lost about $300+ in bitcoin. It could have been much worse too because I had about 11 BTC on there just a  couple of hours earlier.  Thank goodness I sold most of it before then.

did the site offer 2fa on ind. user accounts?... ive never used the site but was eventually thinking of trying it...I think i'll wait!

Yes I had 2 factor enabled on my other acct, but not on this one. I hadn't gotten around to putting it on this one which turned out to be a big mistake.  But it wasn't even a problem with someone hacking my password or anything else...it was a flaw with the LBC site.   Although I should have enabled it and just costly bit of laziness there.

Turns out I lost nothing.

They re-enabled the withdrawals, and I was able to pull out my 4.7 BTC.

The last claim I saw, they stated that they would restore all accounts that lost bitcoins to the hack/scam.

Where did you see that?

Anyone interested in joining a bailout fund in exchange for equity with localbitcoins? I've been interested in their equity for a while now, but they've never needed funding until perhaps now. It's been generally an excellent service but lately, they've been pushing out new features very fast. Even some simple UI changes can do the site a lot of good.

Same for me, I pulled out my 2.4 BTCs, but I've been idle for weeks on localbitcoins, so I did not read anything from the site.

spiccioli

Most of those transactions date back to June or earlier.  Is the bug that old?

The address in the script is actually 12PLw9HYoK6BguB1w4QcNBKzmRANJ5bj2c - so it looks like less than 100 has been stolen.  The bug was a plain XSS, localbitcoins seemed to correctly use a CSRF token, but since this wasn't CSRF (the javascript was running in the context of localbitcoins.com) it didn't help.

The solution (in retrospect, so not particularly helpful, but perhaps others will learn from this) is do what Google does, and put all unsanitised user content (e.g. attachments, forums anything that user can control) into a separate domain - e.g. google use the domain googleusercontent.com for all gmail attachments, then even if an attacker is able to get javascript running it has no access to the real site due to same origin policy.

Will

Over and over and over and over again ... I come to the conclusion, that the overwhelming proportion of bitcoin-users and bitcoin-startups do simply miss the basic mental requirements to deal with something like money. Events like this make me missing my good old banker, who is completely incompetent to give any advice but knows how not to rise conflict with the law and give me the security my money stays even when the it-system fails.

Bitcoin has a long long way to go.

By now its at the same stage like the "Piratenpartei" in germany: sympathic, here to change the world, full of great ideas, clever in the system, ready for the future - but in actual reality a bunch of nerds who are unable to act like adult politicians and becomes ridiculous when trying.

Tell me: who of you has any idea how money-business works? Who of you has any degree in economics? Who of you has ever seen a bank-office from the inside?

Don't write a code, go to your local bank, ask for an internship and learn how moneys works.

localbitcoins.com have optional 2FA but that goes only for logon, and not for withdrawals; you're already logged on when that happens.


sorry, false report then it seems; although i believe the damage is way over 80 BTC if you skim over their forums.

Regardless, the community should create alternative websites. Perhaps a coder could even pool on the p2p listings across multiple websites.

I see some people yelling and calling their lawyers.  People who have enough BTC in an online wallet to pay a lawyer to do anything meaningful about this are incompetent in the first place.  Fees for decent lawyer start at at least 4 BTC an hour, and this involves dealings with a foreign company (most likely).  I wasn't affected, but if I was I would certainly sit back and see how it turned out before calling anyone.  A couple of weeks of trading fees is enough to reimburse all users.  Stupid USAnians seem to cling to their lawyers every time something unexpected happens.

What an idiot.

Most online banking in US is unsecured without 2FA. Many experts have spoken regarding this. In Europe, many banks give their customers a card reader as a form of 2FA when doing online banking.

Banks dont give you your money back if your online banking password is compromised ( go read the damn fine print). Your gold old bankers have given you a false sense of security.

Same with creditcare "smart" chip, they use it to protect merchants NOT the card holders. Anyone can pick up your card, and somehow guess your PIN (believe it or not, many ppl use their birthdate as PIN) and they can go shopping spree. In the good old days without smart chips, merchant has to check the signature on the back of your card for every single transaction.

Yeah those are experts!

??? Every bank-accont I used for the last ten years uses simple 2fa by sms.


They use 2fa. I don't know what's your point.


If someone uses his birthday as a pin nobody can't help him. And even in this case: One call to your bank (most offer emergency-lines), and the card is closed. Most cards have a transaction limit of 1.500 / day, so the damage is reduced. Often the transaction isn't processed at this moment and will never processed, or it can be chargebacked. My ec was stolen several times and I didn't loose a cent.

Also: every bank has insurances. If their it failes, the insurances gives the customers account. If there are proovable fraudulent transaction, the insurances pay. And so on.

The only risk I know are this stupid shops which accept ec by signature. But even in this case, if someone shops for thousands of euros: if you can prove it was not your signature than the insurance will pay. And you will be able to proove, cause every shop needs to save the bills. If it doesn't, its insurancy has to pay.

In Bitcointalk nearly every day I find a thread about fraud or scam, someone who looses his account on a wallet due to hackers or stupidity. If both happens with a bank in most cases they get their money back. Here I have seen nearly no case that anybody could help them to get their money back. No chance. Who has your private key can transact your money to his adress and there's absoltely no chance you get it ever back.

blockchain.info ist the onliest case I know which replaced the amount, out of their own money. This is the way it has to be, this gives me hope.

The problem is not the code. Bitcoins code is by far better then bankers code. The problem is the organization respectively the lack of professionel organisation. I hope it will come, but by now bitcoin is the most user-unfriendly kind of money ever existed.

My totally incompetent banker offers me a insurance-system and a banking-system and a law-system which was made to protect me as a consumer.

I don't say bitcoin won't have this. I hope it will.

You need to leave the bitcoins in the wallet if you want to sell them. Exactly the same if you want to sell them in another marketplace like Mt.Gox or Bitstamp.
If you don't want to use this services you need to sell privately without scrow... and I believe more a company than the average private seller... How did you buy your bitcoins, sir?

I expect a system which provides those services will exist within six months.

You're joking?

Such systems need years to eat through regulation-walls, they need billions in the background to make insurance profitable, and they need years of organizing and planning and so on. There is no shortcut.

There are miles between this and every actuall company involved in bitcoin atm.

we'll see it in years. Maybe. If the interest in bitcoins survives.

I got this from LBC and they were true to their word:

"Hi,

As you all probably know, there was a security exploit on LocalBitcoins.com document uploads allowing one user to steal wallet funds with a specially crafted file.

You are being contacted for the reimbursement. We will pay reimbursements automatically for those users who have enabled two-factor authentication since the incident.

If you don't have two-factor authentication enabled and still want the reimbursement right away, just reply to this email. You can also request the reimbursement directly to some other bitcoin address.

For the rest we will reserve some time, so that people can enable two-factor protection. You can enable two-factor even without a smartphone with desktop applications and feature phone apps. See more info about the two-factor authentication here https://localbitcoins.com/guides/security#two-factor

Sincerest apologies for the incident.

- Jeremias Kangas / LocalBitcoins.com"

I enabled two factor and the stolen BTC are back in my acct now.

We'll see.

BTW, I consider dealing with regulation-walls to be a waste of time and resources. Limiting Bitcoin business models to only the ones sanctioned by governments is like inventing the automobile but artificially restricting it to horse-drawn carriage speeds.

They should enable email based authentication or at least security questions for bitcoin withdrawals.

This is the exploit in question:


Retrieved from this site: http://urlquery.net/report.php?id=5191051

Ideally, there would be no need to deposit funds into any website to do basic person to person trading. I never used the localbitcoins escrow system, if you meet in person it's not that important.

It enables in-person trading without requiring internet access at all, for neither buyer nor seller. All that's required is that seller can receive SMS.

In practice, many do have smartphones and transfer their coins directly though.

For online trading, escrow is pretty necessary in most cases though. That's why traders often have a few coins in their localbitcoins.com wallets.

Did you personnaly lose anything?

They'll learn when they're able to recognize their own vanity, stupidity, and unreadiness. Which would often enough seem about as likely as pigs flying, sadly.


This, basically. With the addendum that not everyone is cut out to run a business (https://bitcointalk.org/index.php?topic=124441.0). And the post-script that paying attention to what the actually capable (http://trilema.com/category/bitcoin/) have to say is a necessary step.

bitcoin withdraw should be authenticated through email

With 2FA I think is enough

2FA is not convenient if you use the site many times a day, and it does not work when you are abroad and use a different sim card

Some I bought them from Bitstamp.  And moved them the instant they showed up in Bitstamp account, to my private wallet.  

Some I got for pay - made machine parts for someone. She wanted pay me in Bitcoin, I said sure.

Some others I got for pay - wrote code for somebody wanted special exclusive super-secret software analyze enormous big pile of data, paid Bitcoin to keep private from someone else looking at bank account.

Some others I got for pay - Main job, security consult.  I look at malware, see what it does by read machine code, figure out how to clean infected machines.  Clients implement, or I implement, cleaning software, clients then sell.  Pays well.  Twice now I asked pay me in Bitcoin, they said 'sure, whatever'.

A couple I bought direct in person, smartphone to smartphone, from speculator got nervous back when price was USD$60.

As the saying goes:

Those who fail to learn from history are doomed to repeat it.

AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.

+1

You can't withdrawal without 2FA code, if enabled.

At lease an email based 2FA is much better

looks like the exploit just sucked out peoples BTC, through a loophole even if they had 2FA.

Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

You had to open the attachment (that was in fact an HTML page) and not have 2FA on withdrawals enabled.

Will

did you mean because i linked to the forum in the OP? no, that link was safe, or what do you think of me  >:(

the exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.

Ten days ago I was browsing through LBC Site, and there was great advice on how to trade safely. I specifically remember them reminding people to always be cautious with any attachments in emails, etc.
People clicked on attachments, did not have 2FA, and sure enough the thief got their coins.