Bitcoin Forum

Economy => Securities => Topic started by: HorseRider on July 06, 2013, 06:47:57 AM



Title: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: HorseRider on July 06, 2013, 06:47:57 AM
This post is a cross post. 2 BitFunder users were victims of a hacker named "htemp" at the same time; please see the story and discussion here:


https://bitcointalk.org/index.php?topic=251051.0


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Deprived on July 06, 2013, 11:45:26 AM
The flaw in question didn't require the thief to obtain the login for the victims - it just required the victims to visit other websites whilst logged into Bitfunder.  Unless the 2 raised in that thread are actually old-style key-logged password etc that just happened to occur at the same time as the flaw in Bitfunder was being abused.

There were reports of many more than 2 people affected by it.  At the time there was no way to prevent it with 2FA (2FA only applied to logging in which didn't make any difference).  The way to prevent it was not to visit any unknown links whilst logged into Bitfunder (using a different browser for Bitfunder would also prevent the easiest route for attackers but isn't necessarily totally safe) and logging out of Bitfunder before doing anything else.

The problem WAS the result of bad decisions in respect of Bitfunder's design - it accepted POST requests without verifying they originated from a session connected to Bitfunder (so the attacker only had to send the request and it would work if you were logged in - without any need for them to obtain information about your session or even know who you were).  Transfers were just the easiest way to abuse it - not the only way.  The public assets list for Bitfunder was likely very useful to attackers as well - as it allows them to transfer 1 share then work out how many you have left to know how large a transfer to clear the rest, plus also allows them to see what else you hold they can steal.


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: nubbins on July 06, 2013, 12:42:40 PM
Incredibly shocking. BitFunder gets an F for security.

IF you've got money in there, get it out NOW... if this is possible, who knows what other huge, gaping security holes there are.


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 12:43:05 PM
The same vulnerability still works, just in a slightly different format, FYI.


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: nubbins on July 06, 2013, 12:50:25 PM
Quote
The same vulnerability still works, just in a slightly different format, FYI.

 ::)

You'd think that if you were creating an exchange, you'd hire someone who knows basic web security principles. This is a step above SQL injection... not very advanced stuff.


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: 🏰 TradeFortress 🏰 on July 06, 2013, 12:51:19 PM
Quote
The same vulnerability still works, just in a slightly different format, FYI.

 ::)

You'd think that if you were creating an exchange, you'd hire someone who knows basic web security principles. This is a step above SQL injection... not very advanced stuff.
Other exchanges were not better. I won't say more.

I was pretty much shocked at the amount of attention paid to security for bitcoin web services. Originally I thought MPEx were absolutely crazy, but now that's actually a pretty good method if you expect your users to jump through the hoops.


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: nubbins on July 06, 2013, 01:24:06 PM
Quote
Other exchanges were not better. I won't say more.

Uh, brb.


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 06, 2013, 07:33:01 PM
Quote
The same vulnerability still works, just in a slightly different format, FYI.

 ::)

You'd think that if you were creating an exchange, you'd hire someone who knows basic web security principles. This is a step above SQL injection... not very advanced stuff.

This was why transfers require 2-factor as of weeks ago. A cross site post could not magically come up with a 2-factor code.

As well as putting some per-page protections in place, and doing some additional checks, you will soon see 2-factor as an option for most other requests.

As it stands, BitFunder itself is not "hacked".

Quote
it accepted POST requests without verifying they originated from a session connected to Bitfunder
The system does indeed check for sessions. The user must have had a recent and still active session.

-Ukyo


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Lohoris on July 06, 2013, 07:37:57 PM
Oh, god, this is so noobish I'll just delete my account... but there's no delete button. Nor any contact info.
Well, I've never used it anyway, I'll just delete the bookmark...


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 06, 2013, 08:48:21 PM
Quote
it accepted POST requests without verifying they originated from a session connected to Bitfunder
The system does indeed check for sessions. The user must have had a recent and still active session.

-Ukyo

Two different things.

It DID check that there was an active session (NOT what I said).
It did NOT check that the request originated from that session (what I DID say).

As long as the user is logged in, the session is active. Cross-browser or not, it IS being submitted by the active session as the session details are provided.
As you state, it made sure there was an active session, and it does indeed verify that the active session is the one making the POST. What it does not check is if it was a cross-site script using that session that was left open by the user, a trojan that runs in the background with a hidden browser being used to load pages, get proper per-page security tokens, and make requests, etc.

Once the desktop is hacked there are limitations to what can be done. It is not hard to use a background trojan to intercept 2-factor keys either at setup times. This can affect any site.
I have seen many "bot" trojans for games etc that pretend to be the end user and will use active logged in sessions to browse, load pages, even play games for them.

Even banks (I use Citibank) now require you, once logged in, to submit additional security question answers to be able to do most things for this reason.
I am working to add a new level of security that, while it may be a bit controversial, will be fully optional and give one of the most secure methods of protection.

Keep in mind, generating a code per page might stop a cross-browser attack, effectively becoming a per-page 2-factor, but it won't stop infections from generating one and using it.

With this said, you will also see per-page key generation within a few days that all submits will be required to adhere to. Triple checking the functionality on all posts, making sure no other problems are created, and that it works exactly as intended are the current main focus right now.

On a side note, I can say that many users (fewer than 25 users) who were hit with transfers had one-time no-bad-password logins from different IPs, which did the transfers. We have seen a large user/email/pass list attempt on both BitFunder and WeExchange from a botnet, against which we put some protections in place. Ultimately, all we can do is try to recognize and ban/block those IPs, as well as slow them down, and inform any recognized accounts that they are in danger. We had seen thousands of login attempts that mostly did not work, for accounts that never existed on either site.

-Ukyo
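
As an added illustration of the point Deprived raised above (a POST accepted without being tied to the session that issued the page) and of the per-page keys and 2-factor on transfers Ukyo describes, here is a Python sketch; it is not BitFunder's code, and the request layout, CSRF_KEY and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Server-side key for minting CSRF tokens (constructed value for this example).
CSRF_KEY = b"constructed-example-server-key"


def issue_csrf_token(session_id: str) -> str:
    """Per-page token: a fresh nonce plus an HMAC binding it to the session."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def csrf_token_valid(session_id: str, token) -> bool:
    """A cross-site POST carries the session cookie but cannot know this token."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), mac)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def handle_transfer(request: dict, sessions: dict, otp_secrets: dict, now: int):
    """Transfer endpoint: active session, then session-bound token, then 2FA."""
    sid = request.get("cookies", {}).get("session")
    user = sessions.get(sid)
    if user is None:
        return 401, "no active session"
    form = request.get("form", {})
    if not csrf_token_valid(sid, form.get("csrf_token")):
        return 403, "request was not issued by a page of this session"
    if not hmac.compare_digest(str(form.get("otp", "")), totp(otp_secrets[user], now)):
        return 403, "transfers require a valid 2-factor code"
    return 200, f"transferred {form['qty']} {form['asset']} to {form['to']}"
```

The first check alone is what the thread describes the site as having had; the second is the per-page key, and the third is why a forged POST cannot supply a 2-factor code.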


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Deprived on July 06, 2013, 08:55:57 PM
Quote
Once the desktop is hacked there are limitations to what can be done. It is not hard to use a background trojan to intercept 2-factor keys either at setup times. This can affect any site.

I actually deleted my post before you replied to it - as I didn't want to get into arguing details of the difference between referring to an active session and being made by an active session.

On the quoted part, this is one reason I far prefer Yubikey to Google Authenticator.  There's nothing a trojan can log that allows them to duplicate output from a Yubikey - and no way to force one that's plugged in to generate a code even with full desktop control.  The other reason I prefer Yubikey is it's far faster just to touch it to generate a code than to take my smartphone out of standby (which needs a password as the memory is encrypted), look up and then type a Google 2FA code.

Downside of Yubikey is you can't use it on smartphones - so users have to turn it off if they plan to access the site via mobile.


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: Ukyo on July 06, 2013, 09:06:52 PM
Agreed. I do like Yubikey, and have been talking to them about mobile options as well! :)


Title: Re: [Cross post] BitFunder.com has been hacked and IT IS BitFunder's fault
Post by: furuknap on July 07, 2013, 04:41:45 PM
Ukyo, are you starting to see my point yet?

I warned you about this over a month ago, yet you failed to get back to me. I posted my concerns then, and hate to pull the 'I told you so' card, but really, I told you so.

This incident combined with the other general concerns I've voiced have now firmly convinced me to never set foot in BitFunder. You need to rethink the entire exchange and get someone with the experience required to help you build the code. You need to kill off that wee exchange idea as it's just a silly distraction for both users and you, that adds about as much security as a paper wrapping on a gold bar.

.b