Bitcoin Forum

Economy => Marketplace => Topic started by: theymos on February 13, 2012, 05:20:31 AM



Title: Bitscalper passwords have been leaked
Post by: theymos on February 13, 2012, 05:20:31 AM
I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed. While it is not known for sure that an attacker has discovered the flaw, you should assume that the list is public.

Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.

Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.


Title: Re: Bitscalper passwords have been leaked
Post by: copumpkin on February 13, 2012, 05:24:32 AM
It's quite amazing how this community seems to attract the worst security practices.


Title: Re: Bitscalper passwords have been leaked
Post by: Sysrq on February 13, 2012, 05:26:43 AM
Wow ! What a nice, well run site !

Theymos, thank you for the info.


Title: Re: Bitscalper passwords have been leaked
Post by: Kluge on February 13, 2012, 05:26:56 AM
And now, I assume the stampede of traffic is preventing website access, meaning Bitscalper admin could probably make off with everything left, anyway - not that withdrawals usually work... Hope nobody had a substantial amount left there. :x

ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.


Title: Re: Bitscalper passwords have been leaked
Post by: splatster on February 13, 2012, 05:28:20 AM
Code:
md5($password . "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.


Title: Re: Bitscalper passwords have been leaked
Post by: GeniuSxBoY on February 13, 2012, 05:33:51 AM
hax0rs gonna hax


Title: Re: Bitscalper passwords have been leaked
Post by: copumpkin on February 13, 2012, 05:34:20 AM
Code:
md5($password . "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? ;)


Title: Re: Bitscalper passwords have been leaked
Post by: splatster on February 13, 2012, 05:38:08 AM
Code:
md5($password . "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? ;)

Better yet, how could you give away everyone's money to anyone with a computer?


Title: Re: Bitscalper passwords have been leaked
Post by: Snapman on February 13, 2012, 05:59:21 AM
I saw this coming from far off. Except for the part on honesty, thanks.


Title: Re: Bitscalper passwords have been leaked
Post by: someguy123 on February 13, 2012, 06:17:11 AM
Don't care that much..
Withdrew my 0.5BTC when I started to realize I wasn't really making much
Plus I use keepass... so a nice 32 character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it :)


Title: Re: Bitscalper passwords have been leaked
Post by: deepceleron on February 13, 2012, 06:27:47 AM
"Bug reports are welcome at bugtraq@bitscalper.com. Thank you for your cooperation."

Clearly the site op has come back from the future, and knows this isn't a problem:
© 2012/2013 bitscalper.com


Title: Re: Bitscalper passwords have been leaked
Post by: terrytibbs on February 13, 2012, 06:31:43 AM
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Damn!


Title: Re: Bitscalper passwords have been leaked
Post by: Ente on February 13, 2012, 07:11:28 AM
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente


Title: Re: Bitscalper passwords have been leaked
Post by: Jonathan Ryan Owens on February 13, 2012, 08:23:11 AM
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente

Most people are honest in situations like that. It's also penny wise and pound stupid to take the Bitcoin. He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin (assuming that there are even a few thousand bitcoin at BitScalper).
 


Title: Re: Bitscalper passwords have been leaked
Post by: caveden on February 13, 2012, 08:27:44 AM
It's quite amazing how this community seems to attract the worst security practices.

I'd say that unfortunately many software developers in general do not follow important security practices. The main difference with this community is that there is a considerable amount of people capable of exploiting such vulnerabilities. And, well, most of the time there's money involved, not only ordinary data.

Congratulations for both chsx3 and theymos for the honest behavior.


Title: Re: Bitscalper passwords have been leaked
Post by: P4man on February 13, 2012, 08:37:14 AM
He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin

Really? Why? It wouldn't be to me. In fact it wouldn't be worth 5 BTC to me.
The knowledge that I didn't scam people and helped them avoid getting scammed would be worth a lot more to me, but the "hero" status on this board.. nop.


Title: Re: Bitscalper passwords have been leaked
Post by: finway on February 13, 2012, 08:54:08 AM
Sorry to hear that.


Title: Re: Bitscalper passwords have been leaked
Post by: Cluster2k on February 13, 2012, 09:44:13 AM
Plain text passwords?  Words escape me how incompetent someone could be to even think of allowing that.  It's an unforgivable error.


Title: Re: Bitscalper passwords have been leaked
Post by: BombaUcigasa on February 13, 2012, 10:24:52 AM
It's quite amazing how this community seems to attract the worst security practices.
Your expectations of people that believe they understand mathematics, economics and computing at the same time are too high. Because few of these people exist.


Title: Re: Bitscalper passwords have been leaked
Post by: film2240 on February 13, 2012, 11:07:54 AM
Thanks for the heads up Theymos.


Title: Re: Bitscalper passwords have been leaked
Post by: cablepair on February 13, 2012, 01:14:24 PM
damn, I knew this was too good to be true. This is the reason I only deposited 5 btc

(grew to 5.3532907242433 within a couple weeks)

Luckily I have been using separate passwords on every single site since MTGox got hacked back in June.



Title: Re: Bitscalper passwords have been leaked
Post by: vampire on February 13, 2012, 01:32:32 PM
I use a separate password for everything, thanks to LastPass. I am a bit paranoid, so my main banking account has its own password that I don't store anywhere and an RSA key that is locked in a safe.

Use LastPass or a similar website to manage your passwords.


Title: Re: Bitscalper passwords have been leaked
Post by: Ente on February 13, 2012, 02:57:26 PM
Being paranoid: Please trust (your local) keepass (keepassx in linux) instead of a website.. We just saw what you may get in trusting an external entity ;-)

Ente


Title: Re: Bitscalper passwords have been leaked
Post by: Matoking on February 13, 2012, 03:21:28 PM
Plaintext passwords? Seriously?


Title: Re: Bitscalper passwords have been leaked
Post by: splatster on February 13, 2012, 04:31:17 PM
People should have seen this coming.
By now, the coins are probably already gone.


Title: Re: Bitscalper passwords have been leaked
Post by: alan2here on February 13, 2012, 09:26:46 PM
Didn't gox have a similar thing occur once?


Title: Re: Bitscalper passwords have been leaked
Post by: M4v3R on February 13, 2012, 10:04:31 PM
Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.


Title: Re: Bitscalper passwords have been leaked
Post by: Littleshop on February 13, 2012, 10:08:20 PM
Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.
While I have changed my password, had a unique one for that site and withdrew (though it has not arrived), how well would an 11-char password hold up?


Title: Re: Bitscalper passwords have been leaked
Post by: M4v3R on February 13, 2012, 10:13:02 PM
Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password? (http://howsecureismypassword.net/)


Title: Re: Bitscalper passwords have been leaked
Post by: Littleshop on February 13, 2012, 10:15:23 PM
Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password? (http://howsecureismypassword.net/)

Wow.  Glad it was unique.  It says years so I guess it was not too bad.  Thanks, good link


Title: Re: Bitscalper passwords have been leaked
Post by: Raoul Duke on February 14, 2012, 12:02:57 AM
I call bullshit on this one...

Theymos, have you seen the leaked logins or are you just spreading FUD?

PS: I have no bitcoin on bitscalper, but I made an account there and got some profits out a while back.


Title: Re: Bitscalper passwords have been leaked
Post by: theymos on February 14, 2012, 12:29:38 AM
Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
https://i.imgur.com/l92H3.png


Title: Re: Bitscalper passwords have been leaked
Post by: Raoul Duke on February 14, 2012, 12:35:58 AM
Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
https://i.imgur.com/l92H3.png

 :o

And btc-e was also compromised https://bitcointalk.org/index.php?topic=63767.msg747080#msg747080


Title: Re: Bitscalper passwords have been leaked
Post by: jothan on February 14, 2012, 02:14:23 AM
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !


Title: Re: Bitscalper passwords have been leaked
Post by: rjk on February 14, 2012, 02:18:56 AM
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !
Why, do you use the same password for everything? :P


Title: Re: Bitscalper passwords have been leaked
Post by: jothan on February 14, 2012, 02:21:51 AM
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !
Why, do you use the same password for everything? :P

No, I use a password manager for everything valuable.

No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.


Title: Re: Bitscalper passwords have been leaked
Post by: rjk on February 14, 2012, 02:30:05 AM
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true :( It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.


Title: Re: Bitscalper passwords have been leaked
Post by: mb300sd on February 14, 2012, 02:35:55 AM
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true :( It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.


Title: Re: Bitscalper passwords have been leaked
Post by: jothan on February 14, 2012, 02:40:21 AM
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true :( It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.

End-to-end encryption and security is the way to go, but it needs user involvement and education.

For passwords, something like SRP over HTTPS would be just about bulletproof, except for the untrustable javascript crypto implementation.

See http://www.matasano.com/articles/javascript-cryptography/ for a full discussion of javascript cryptography.


Title: Re: Bitscalper passwords have been leaked
Post by: markio on February 14, 2012, 03:36:46 AM
Theymos is the Hero of Winterfell...


Title: Re: Bitscalper passwords have been leaked
Post by: Matthew N. Wright on February 14, 2012, 07:09:35 AM
I guess it wouldn't surprise anyone here to know that when KalyHost went down over that one weekend a few weeks back, the reason BitScalper was freaking out is that he never bothered to back up the wallets OR his site's code.


Title: Re: Bitscalper passwords have been leaked
Post by: splatster on February 14, 2012, 09:11:32 AM
The fact that they didn't have SSL says even more about their [il]legitimacy.
I'm glad I didn't fall victim to this.


Title: Re: Bitscalper passwords have been leaked
Post by: Raoul Duke on February 14, 2012, 02:15:08 PM
The fact that they didn't have SSL says even more about their [il]legitimacy.

Yes, because only legitimate persons can get a free SSL cert at startcom.  ::)


Title: Re: Bitscalper passwords have been leaked
Post by: cablepair on February 14, 2012, 02:17:45 PM
The fact that they didn't have SSL says even more about their [il]legitimacy.

Yes, because only legitimate persons can get a free SSL cert at startcom.  ::)

lol

not to mention anyone with a linux box can install openssl and generate their own cert, it really means nothing unless it's a cert from a reputable certification agency



Title: Re: Bitscalper passwords have been leaked
Post by: toffoo on February 14, 2012, 03:14:31 PM
So what's the story here, has anybody been able to pull any deposits out since this news hit or are the coins officially gone?


Title: Re: Bitscalper passwords have been leaked
Post by: marked on February 14, 2012, 03:39:05 PM
Clearly there was no validation of input in the SQL statements.

I'm currently seeing password in cleartext on an error page, across a non-encrypted link.


Error 1054 : Unknown column 'readable' in 'field list'

SQL = [UPDATE spyuser SET readable ='PASSWORD' WHERE email = 'user@example.com']
Array (
  [0] => Array ( [file] => /var/www/p/app/database.php [line] => 19 [function] => db_report_error [args] => Array (
    [0] => UPDATE spyuser SET readable ='PASSWORD' WHERE email = 'user@example.com' ) )
  [1] => Array ( [file] => /var/www/p/app/index.php [line] => 14 [function] => db_query [args] => Array (
    [0] => UPDATE spyuser SET readable ='PASSWORD' WHERE email = 'user@example.com' ) )
)

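The error dump above shows two separate problems: a value that reaches the SQL text directly, and an error handler that prints the whole statement, secret included, back to the browser. The following is an added example (Python with sqlite3 standing in for the site's PHP/MySQL; it is not code from the thread or from bitscalper) that places the vulnerable pattern beside the hardened one and shows an error path that keeps the statement out of the response. The table name `spyuser` and the missing `readable` column are taken from the dump; the `pwhash` column, the two accounts, the injected value and the log sink are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

SERVER_LOG: List[str] = []   # constructed stand-in for an operator-only log sink


def make_db() -> sqlite3.Connection:
    """Assumed schema modelled on the 'spyuser' table in the error dump; the
    column holds a password hash, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spyuser (email TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    conn.executemany("INSERT INTO spyuser VALUES (?, ?)", [
        ("user@example.com", "hash-of-user"),
        ("victim@example.com", "hash-of-victim"),
    ])
    return conn


def set_credential_unsafe(conn: sqlite3.Connection, email: str, value: str) -> None:
    """Vulnerable pattern: values are formatted into the statement text, so a
    quote character in either value rewrites the query."""
    conn.execute(f"UPDATE spyuser SET pwhash = '{value}' WHERE email = '{email}'")


def set_credential_safe(conn: sqlite3.Connection, email: str, value: str) -> None:
    """Hardened: bound parameters; the driver never lets data become SQL."""
    conn.execute("UPDATE spyuser SET pwhash = ? WHERE email = ?", (value, email))


def stored_hash(conn: sqlite3.Connection, email: str) -> str:
    return conn.execute("SELECT pwhash FROM spyuser WHERE email = ?", (email,)).fetchone()[0]


# Constructed attacker-controlled value: closes the string literal, retargets
# the WHERE clause at another account and comments out the genuine one.
INJECTED_VALUE = "attacker-hash' WHERE email = 'victim@example.com' --"


def injection_outcome() -> Tuple[str, str, str, str]:
    """Push the same input through both code paths and return
    (unsafe: user row, unsafe: victim row, safe: user row, safe: victim row)."""
    conn = make_db()
    set_credential_unsafe(conn, "user@example.com", INJECTED_VALUE)
    unsafe = (stored_hash(conn, "user@example.com"), stored_hash(conn, "victim@example.com"))

    conn = make_db()
    set_credential_safe(conn, "user@example.com", INJECTED_VALUE)
    safe = (stored_hash(conn, "user@example.com"), stored_hash(conn, "victim@example.com"))
    return unsafe + safe


def report_db_error(exc: Exception, sql: str, params: tuple) -> str:
    """The operator log gets the statement and a redacted parameter count; the
    browser gets a generic message.  The dump above did the reverse and sent
    the full statement, password included, to the client."""
    SERVER_LOG.append(f"{type(exc).__name__}: {exc} | sql={sql!r} | params=<{len(params)} redacted>")
    return "Internal error, please try again later."


def failing_update(secret: str = "hunter2") -> str:
    """Reproduce the dump's failure mode (a column that does not exist) with
    bound parameters and the safe error path."""
    conn = make_db()
    sql = "UPDATE spyuser SET readable = ? WHERE email = ?"   # no such column
    params = (secret, "user@example.com")
    try:
        conn.execute(sql, params)
    except sqlite3.OperationalError as exc:
        return report_db_error(exc, sql, params)
    return "ok"


if __name__ == "__main__":
    print(injection_outcome())
    print(failing_update())
    print(SERVER_LOG[-1])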


Title: Re: Bitscalper passwords have been leaked
Post by: bitscalper on February 15, 2012, 12:37:49 PM
Because of personal freedom concerns, management of bitscalper was forced to leave the site alone for the last ten days. We did just notice the security breach and we do apologize for any issue that this might cause. We want to clarify that we did not store any password in plain text; rather, the server was compromised to add a textual password column to the database, supposedly for the hacker to get all the users' passwords.
We did store all the passwords in MD5; while we acknowledge that it is not the state of the art, it still works for decently chosen passwords. We will be posting any update/finding on here. Thanks, and apologies for the delayed intervention.


Title: Re: Bitscalper passwords have been leaked
Post by: Nachtwind on February 15, 2012, 12:49:40 PM
umm.. md5 is not just not State of the Art - md5 is just as good as plaintext for almost every password with a length of less than maybe a quadrillion characters..

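Splatster's one-line `md5($password . "mysupercoolsalt")` earlier in the thread, bitscalper's statement that MD5 "still works for decently chosen passwords", and Nachtwind's reply that MD5 is as good as plaintext are all claims about attacker cost. The following is an added example (Python rather than the site's PHP, so it runs stand-alone; it is not code from the thread, from splatster or from bitscalper) that puts numbers on three storage schemes against one leaked database: unsalted MD5, MD5 with a single site-wide salt, and a per-user random salt with a slow key derivation function. The accounts, passwords and wordlist are constructed, and the 100,000 PBKDF2 iterations are an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed sample accounts (not Bitscalper data): short, reused passwords.
ACCOUNTS = {
    "alice@example.com": "password1",
    "bob@example.com": "letmein",
    "carol@example.com": "password1",   # same password as alice
}

# Constructed attacker wordlist; a rainbow table is the same idea, precomputed.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty", "bitcoin"]

SITE_SALT = "mysupercoolsalt"   # the single site-wide salt from splatster's post
PBKDF2_ITERATIONS = 100_000     # assumed work factor for the slow-KDF scheme


def md5_unsalted(password: str) -> str:
    """Unsalted MD5: the scheme bitscalper says it used."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_static_salt(password: str) -> str:
    """MD5 with one site-wide salt, i.e. PHP's md5($password . SITE_SALT)."""
    return hashlib.md5((password + SITE_SALT).encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored as 'hexsalt$hexhash'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = pbkdf2_store(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(recomputed, digest_hex)


def crack_with_shared_table(stored: Dict[str, str],
                            hash_fn: Callable[[str], str]) -> Tuple[Dict[str, str], int]:
    """Unsalted or static-salt hashes: one table built from the wordlist is
    looked up against every user.  A static salt only forces the attacker to
    build the table after reading the salt out of the leaked source; it adds
    no per-user work.  Returns (cracked, hash computations performed)."""
    table = {hash_fn(word): word for word in WORDLIST}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(WORDLIST)


def crack_per_user(stored: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Per-user salts: the wordlist must be rerun for every user, and each
    guess costs PBKDF2_ITERATIONS hash iterations instead of one MD5."""
    cracked: Dict[str, str] = {}
    guesses = 0
    for user, record in stored.items():
        for word in WORDLIST:
            guesses += 1
            if pbkdf2_verify(word, record):
                cracked[user] = word
    return cracked, guesses


def compare_schemes() -> Dict[str, Tuple[Dict[str, str], int]]:
    """Hash the constructed accounts under each scheme and attack each leak."""
    unsalted = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
    static = {u: md5_static_salt(p) for u, p in ACCOUNTS.items()}
    per_user = {u: pbkdf2_store(p) for u, p in ACCOUNTS.items()}
    return {
        "unsalted_md5": crack_with_shared_table(unsalted, md5_unsalted),
        "static_salt_md5": crack_with_shared_table(static, md5_static_salt),
        "per_user_pbkdf2": crack_per_user(per_user),
    }


if __name__ == "__main__":
    for scheme, (cracked, work) in compare_schemes().items():
        print(f"{scheme:16s} cracked {len(cracked)}/{len(ACCOUNTS)} with {work} guesses")
```

All three schemes fall to the wordlist here because the constructed passwords are in it; what differs is the cost. The two MD5 variants are broken with six hash computations in total, one table serving every user, while the per-user scheme needs eighteen guesses, each a hundred thousand times slower. Unsalted and static-salt MD5 also give alice and carol identical stored values, so the leak reveals password reuse before any cracking happens; per-user salts do not.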

Title: Re: Bitscalper passwords have been leaked
Post by: caveden on February 15, 2012, 12:53:45 PM
What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually managed to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.


Title: Re: Bitscalper passwords have been leaked
Post by: Nachtwind on February 15, 2012, 12:55:26 PM
What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually managed to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted they're actually using md5 hashed passwords.. so I guess he is not lying about that..
Looking at the list of withdrawals: Any word to those.. I guess 70 or 80 people who are trying to cash out? Will they get their BTC back?


Title: Re: Bitscalper passwords have been leaked
Post by: theymos on February 15, 2012, 01:46:51 PM
Because of personal freedom concerns, management of bitscalper was forced to leave the site alone for the last ten days. We did just notice the security breach and we do apologize for any issue that this might cause. We want to clarify that we did not store any password in plain text; rather, the server was compromised to add a textual password column to the database, supposedly for the hacker to get all the users' passwords.
We did store all the passwords in MD5; while we acknowledge that it is not the state of the art, it still works for decently chosen passwords. We will be posting any update/finding on here. Thanks, and apologies for the delayed intervention.

The security vulnerability I used still exists. Read the email I sent to info@bitscalper.com.


Title: Re: Bitscalper passwords have been leaked
Post by: caveden on February 15, 2012, 02:49:13 PM
What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually managed to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted they're actually using md5 hashed passwords.. so I guess he is not lying about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.


Title: Re: Bitscalper passwords have been leaked
Post by: Matthew N. Wright on February 15, 2012, 02:56:56 PM
What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually managed to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted they're actually using md5 hashed passwords.. so I guess he is not lying about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

+2


Title: Re: Bitscalper passwords have been leaked
Post by: rjk on February 15, 2012, 06:39:25 PM
What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually managed to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted they're actually using md5 hashed passwords.. so I guess he is not lying about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

+2
Can we please make javascript illegal? Thanks.


Title: Re: Bitscalper passwords have been leaked
Post by: Wandering Albatross on February 15, 2012, 06:42:38 PM
Quote from: rjk
Can we please make javascript illegal?

Yes, agree, it's a huge exploit running in every browser.  These forums suffered from javascript exploits recently...maybe you knew that already.


Title: Re: Bitscalper passwords have been leaked
Post by: RaggedMonk on February 15, 2012, 09:34:46 PM
But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work.  You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it.  Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmission hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.


Title: Re: Bitscalper passwords have been leaked
Post by: rjk on February 15, 2012, 09:49:37 PM
But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work.  You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it.  Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmission hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.
Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.


Title: Re: Bitscalper passwords have been leaked
Post by: caveden on February 16, 2012, 03:01:32 PM
But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work.  You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it.  Take a deep breath, guys.

If you're sending the hash to the server for authentication, hashing has no point: if your database leaks, anybody in possession of the leak can authenticate himself as any of your users. Remember the client is in control of whatever he sends to your server. He doesn't need to execute the javascript you send him, he can forge any requests as he pleases.

The whole point of hashing a password instead of storing it in clear text is to prevent issues in case of a database leak. The hashing operation must be done in the server.


Title: Re: Bitscalper passwords have been leaked
Post by: caveden on February 16, 2012, 03:03:45 PM
This is how most modern websites work.  You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it.  Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmission hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.
Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

SSL wouldn't be of any help. Hashing in the client and authenticating the hash == storing passwords in clear text.

To be honest, it is a little less bad than storing clear passwords because at least a leak wouldn't allow an attacker to screw users who use the same password on different sites. But in what concerns your server, it is the same.

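Caveden's point in the two posts above is that when the browser hashes and the server merely compares the received hash with the stored one, the stored value is itself the credential, so a leaked row logs the attacker in without any cracking. The following is an added example (Python, not the site's code and not part of the thread) that simulates both sides of that exchange for the client-hash scheme and for a server-side salted slow hash, then replays a leaked row against each. The user record, the 16-byte salt and the 100,000 iterations are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed user; not Bitscalper data.
USERS = {"alice@example.com": "correct horse battery staple"}
ITERATIONS = 100_000   # assumed work factor


# --- Scheme A: hash in the browser, compare on the server -------------------
def client_side_md5(password: str) -> str:
    """What page JavaScript of the kind described in the thread would compute
    before sending the login form."""
    return hashlib.md5(password.encode()).hexdigest()


DB_A: Dict[str, str] = {u: client_side_md5(p) for u, p in USERS.items()}


def login_a(user: str, submitted_hash: str) -> bool:
    """The server never sees the password, only the hash, and accepts a
    matching hash as proof of identity.  The stored hash is therefore a
    password in all but name: whoever holds the table holds the logins."""
    return hmac.compare_digest(DB_A.get(user, ""), submitted_hash)


# --- Scheme B: salted slow hash computed on the server ----------------------
def server_kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


DB_B: Dict[str, Tuple[bytes, bytes]] = {}
for _user, _password in USERS.items():
    _salt = os.urandom(16)
    DB_B[_user] = (_salt, server_kdf(_password, _salt))


def login_b(user: str, submitted_secret: str) -> bool:
    """Whatever arrives over the wire is run through the server's own KDF
    before comparison.  Sending a client-side hash as submitted_secret would
    work just as well; the point is that the server re-hashes, so the stored
    value cannot be replayed as a login token."""
    salt, stored = DB_B.get(user, (b"", b""))
    return hmac.compare_digest(stored, server_kdf(submitted_secret, salt))


# --- Attacker who holds only the leaked tables ------------------------------
def replay_leaked_rows(user: str) -> Tuple[bool, bool]:
    """(login_a succeeds, login_b succeeds) for an attacker who never learned
    the password and simply resubmits the stored value."""
    a = login_a(user, DB_A[user])
    b = login_b(user, DB_B[user][1].hex())
    return a, b


def legitimate_logins(user: str, password: str) -> Tuple[bool, bool]:
    """Both schemes accept the real password from a real client."""
    return login_a(user, client_side_md5(password)), login_b(user, password)


if __name__ == "__main__":
    print("replay of leaked rows (A, B):", replay_leaked_rows("alice@example.com"))
    print("real password (A, B):", legitimate_logins("alice@example.com", USERS["alice@example.com"]))
```

Under scheme A the replay succeeds, under scheme B it fails, and both accept the genuine password. Scheme B does not stop a leaked row from being cracked offline; it only stops it from being used directly, which is the property caveden says is missing when the hash is computed on the client and accepted as-is.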

Title: Re: Bitscalper passwords have been leaked
Post by: rjk on February 17, 2012, 05:37:42 PM
This is how most modern websites work.  You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it.  Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmission hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.
Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

SSL wouldn't be of any help. Hashing in the client and authenticating the hash == storing passwords in clear text.

To be honest, it is a little less bad than storing clear passwords because at least a leak wouldn't allow an attacker to screw users who use the same password on different sites. But in what concerns your server, it is the same.
Yes that was my point.