Bitcoin Forum
  Show Posts
1  Other / Off-topic / Re: Ask TF thread on: January 18, 2015, 02:40:38 PM


I'm sure TF would have been smart enough to use Tor or a VPN at all times, even before the hack, so the IPs wouldn't help in this case, but BadBear might see similarities, as he can see more than we do.

Tor would be nice, the way the FBI has been crawling around it and with the exit node control; let him use something that's a potential honeypot. We can only hope that his IP leaked out, a temporary disconnect from the VPN. I didn't really lose anything from any of this; I find tracking this bastard down better than that ARG. I heard Australia is possibly banning encryption; while that does suck, it could become if he doesn't cash out by then.
2  Other / Off-topic / Re: Ask TF thread on: January 16, 2015, 05:44:06 PM
 
You never did give me an image or a good enough explanation.

It's kind of hard to paint a picture; this is more like looking for signs of arson after a huge fire has been set. The scam sites he ran have different names but all say Sydney, Australia. The common theme is that all the sites use the same email; they all run fine for a while, then payments stop. Hashie said something like "I'll give you a hint" and posted a picture of Team Fortress, then dropped the email that leads to TradeFortress. Hashie and $username seem to have the same typing pattern when posting. For example:
Inputs had been penetration tested regularly, and on security-critical projects I regularly spend upwards of $5000 on a thorough pentest by professional security forums firms.
made a typo.

This is the sticking point with me. TF was smart enough to know that you can't fully secure anything, and even if you make it so hard it isn't worth it, there's always social engineering. Leaving that much sitting around was foolish, and I don't think he's a fool. Maybe I'm giving him too much credit, I don't know.
Yeah, I don't have any explanation other than (i) laziness (the system wasn't set up to make sending to cold storage easy, and it had to be performed manually), (ii) wanting to keep sufficient amounts on the server so nobody worries/panics, and (iii) about 1500 BTC was deposited within 48 hrs of the hack.

The later systems I've built do make sending to cold storage easier, but for the most recent site it was still a manual process. I intend on doing automatic cold storage transfers (hourly cronjob) for my future projects.

Good luck with your studies! When you come back, please try to be more level-headed instead of throwing little tantrums.

All the best.

hashie vs TF
How could I have missed this thread? Thanks so much Quickseller (and everyone else of course). I will do whatever I can and if you guys ever need anything, just send me a PM. Wink
Enjoy your mod coins Smiley

No matter what username you use, certain typing traits will still show.

The admin email is also tied to a website called die2nite. He posted something on Google Groups about it here https://groups.google.com/forum/#!msg/mt_die2night/zwnstqaV7L0/1yzH4QcxCVIJ and he posted on the die2nite website here http://www.die2nite.com/tid/forum#!view/4|thread/1329041

My email ends with "glados.cc" and twinoid suggests I change it to "glados.cl".

.cc is a valid domain name and I think it's more commonly used compared to .cl.

Although he probably isn't still active in it.

What it looks like is that TF registers sites using fake names, then tries to change them later on. For example, hashie is registered to Queen Elsa now. The best explanation would be from TF, as I'm pretty sure others have done research on his various scams and could elaborate more while we wait for TF to come back from vacation.
3  Other / Off-topic / Re: Ask TF thread on: January 16, 2015, 01:29:34 PM
Various forum members have stated that TradeFortress doesn't seem to be the same post-inputs.io hack, and that may very well be true given the context. However, you would think that if his website was breached and everything was tied to it, someone from the community would make a statement and say not to do business. Instead all you get is "hey, I have a new website, invest money in me," and then "something happened, I lost your money."
4  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 16, 2015, 08:51:48 AM
So trade is a serial scammer?

Or an easy target to frame. I'm not defending him, just not sure if I can see a conclusive proof that the person using that e-mail address actually had control of said e-mail address and was the same person as TF. Does the Chromium bug report page validate poster's e-mail address?

https://bitcointalk.org/index.php?topic=327178.0 This post ties in the hotmail account that was supposedly hacked in the inputs.io hack; the recovery email was set to the admin@glados account. Various forum members have stated that TradeFortress doesn't seem to be the same post-inputs.io hack, and that may very well be true given the context. However, you would think that if his website was breached and everything was tied to it, someone from the community would make a statement and say not to do business. Instead all you get is "hey, I have a new website, invest money in me," and then "something happened, I lost your money."
5  Other / Off-topic / Re: Ask TF thread on: January 16, 2015, 06:46:11 AM
https://bitcointalk.org/index.php?topic=327178.0 This post ties in the hotmail account that was supposedly hacked in the inputs.io hack; the recovery email was set to the admin@glados account.
6  Other / Off-topic / Re: Ask TF thread on: January 15, 2015, 07:47:11 PM
So he's working on new projects which require time and funding, and he's not refunding anyone's money?

Yeah, probably scammed people from inputs.io and other places, then just funnels the money off and funds projects with your money. Hashie created social media accounts, then was like "I haz miners."
7  Other / Off-topic / Re: Ask TF thread on: January 15, 2015, 12:30:45 AM
Do you have any idea who the hacker could have been?

At this point I don't have much to go on. The only thing that stands out is that this email had to do with the inputs.io hack. There are chat logs that are pretty much one-sided, in that they all seem to be from TradeFortress. In the chat logs there is a person called crypt0queen, which would probably fit the whole Frozen thing. It boils down to two things: 1. we either believe that inputs.io was breached and that TradeFortress didn't hack it himself, or 2. that he was the victim of social engineering and had all of his shit compromised. The log is found here http://btcfaucet.com/logs/TradeFortress_inputsio.txt

09:10 < TradeFortress> hi
09:12 < TradeFortress> I take full responsibility for leaving that much in the hot wallet.
09:13 < TradeFortress> The hacker tried resetting passwords for my email addresses, and was able to reset one which was created 6 years earlier, without phone / recovery email and gmail happily allowed resetting.
09:14 < TradeFortress> That compromised email account was the recovery for another hotmail email, which was also compromised.
09:15 < TradeFortress> BigBitz|wrk, read please.
09:15 < TradeFortress> I didn't use the old email account without MFA
09:15 < TradeFortress> That old email acc was the recovery email of another account
09:15 < TradeFortress> @gmail > @hotmail > @gmail (2, recv'd forwarding from admin@glados.cc)
09:16 < TradeFortress> BigBitz|wrk: yes
09:16 < TradeFortress> linode 2FA was bypassed
09:16 < TradeFortress> they seem to be aware of it and don't bother to fix it.
09:16 < TradeFortress> BigBitz|wrk: yes
09:17 < TradeFortress> the attacker also used a (compromised?) server close to my geographical location
09:17 < TradeFortress> I think that helped massively with email recovery
09:18 < TradeFortress> pbase: no. I want to be open and communicative about what has happened.
09:19 < TradeFortress> BigBitz|wrk: I took significant efforts in protecting Inputs' server, but I've never thought about old abandoned emails.
09:20 < TradeFortress> BCB: What do you want me to do then? Invent a magic wand?
09:20 < TradeFortress> I'm refunding as much as I can from all the BTC I have, and the assets I or CL owns.
09:21 < TradeFortress> 9536feebe3a50b94f85ca27d56e669a7209bd4188385d55c5b97227c95cf7f74
09:21 < TradeFortress> BTC was sent here, it's still unspent. https://blockchain.info/address/1EMztWbGCBBrUAHquVeNjWpJKcB8gBzAFx
09:24 < TradeFortress> Quite simply, I wasn't sure what to do, if I could acquire 4K btc so users are not at a loss, and as well as investigating the scope of the hack.
09:25 < TradeFortress> *sigh*
09:26 < TradeFortress> BigBitz|wrk: the txid was the first inputs hack
09:26 < TradeFortress> the API was the second, done by the same attacker who dumped the user DB, and then used the API
09:27 < TradeFortress> TheButterZone, I can't see how that'd hurt.
09:28 < TradeFortress> bitsav3: 2x gmail, 1x hotmail
09:30 < TradeFortress> bitnumus, if you check the txid lots of deposits are recent
09:32 < TradeFortress> bitnumus: yes, there's cold storage, but there was more in the hot pocket than cold storage
09:34 < TradeFortress> viboracecata?
09:35 < TradeFortress> theboos, I'm very interested in what security vulns viboracecata claims to have on Inputs.
09:35 < TradeFortress> so has he followed up with the claim? and how long ago?
09:36 < TradeFortress> I'm not aware of any unsolved security vulnerabilities relating to Inputs' code and environment, other than the DB has been compromised. The attack was done through email resets and bypassing security features on Linode's side.
09:37 < TradeFortress> 2FA
09:38 < TradeFortress> BCB: no.
09:38 < TradeFortress> web server was bought from Linode, bitcoind server was on macminicolo
09:38 < TradeFortress> (I own the metal to the macminicolo)
09:39 < TradeFortress> crypt0queen: that's what was used
09:39 < TradeFortress> it wasn't compromised through a server vuln
09:40 < TradeFortress> Linode's position is that my account was not compromised. The attacker simply reset my Linode password through an email request, and then ssh'd into Linode's lish, and got console access to my Linode through lish with my linode account password.
09:40 < TradeFortress> linode lets you reset root passwords..
09:42 < TradeFortress> the attacker copied certain files via FTP using mc, to another (I believe compromised server), and accessed the bitcoind server by pretending to make withdraw requests for an account with an inflated balance
09:42 < TradeFortress> BigBitz: NO
09:42 < TradeFortress> FTP WAS NOT ENABLED
09:42 < TradeFortress> yes
09:43 < TradeFortress> I have obtained the logs
09:43 < TradeFortress> (through Linode)
09:43 < TradeFortress> attacker installed mc
09:43 < TradeFortress> transferred files to 10;15Hd@mastersearching.com:mercedes49@69.85.88.31
09:43 < TradeFortress> BigBitz|wrk: yes, internal ones
09:45 < TradeFortress> BigBitz|wrk, multiple files that relates to internal functions of Inputs, ie the controller.
09:46 < TradeFortress> I have no evidence of the bitcoind mac mini getting compromised. it didn't bark. I suspect the attacker also made one account have -4000 BTC
09:46 < TradeFortress> which allowed it to pass sanity checks
09:46 < TradeFortress> as the total balance as reported by the db matched.
09:46 < TradeFortress> BigBitz|wrk: I have the logs of what they did to the server.
09:47 < TradeFortress> on the server, via lish, I should say.
09:47 < TradeFortress> theboos: did it directly through the DB
09:47 < TradeFortress> wasn't logged.
09:47 < TradeFortress> as it copied DB access creds
09:48 < TradeFortress> BigBitz|wrk: not on the database
09:48 < TradeFortress> bitsav3, I think they're compromised hosts
09:48 < TradeFortress> like http://mastersearching.com/
09:48 < TradeFortress> theboos, of course I've audited the db
09:49 < TradeFortress> the DB doesn't log every single change
09:50 < TradeFortress> general_log wasn't enabled
09:50 < TradeFortress> nor binary logs
09:51 < TradeFortress> +infinity
09:53 < TradeFortress> BCB: it's not enabled.
09:54 < TradeFortress> I didn't disable them, I'm pretty sure they're not enabled by default.
09:55 < TradeFortress> yup BCB
09:55 < TradeFortress> coingenuity, yes, macmini bitcoind iplocked to the web linode
09:55 < TradeFortress> that's a surprise to me
09:56 < TradeFortress> pbase: no, I have saved disk images as soon as I detected the compromise
09:56 < TradeFortress> yep
09:56 < TradeFortress> BigBitz|wrk: installed the env myself.
09:57 < TradeFortress> pbase: definitely not publicly. I'd expect there to be quite a lot of sensitive information in RAM, such as cached mysql data.
09:58 < TradeFortress> actually, no, I didn't do a ram dump.
09:58 < TradeFortress> but the disk image includes db data
09:59 < TradeFortress> I am not aware of if it was forensically sound. I estimate not.
09:59 < TradeFortress> The disk image was dumped via cloning using linode manager.
09:59 < TradeFortress> took like half an hour too
10:01 < TradeFortress> no, not booted
10:01 < TradeFortress> it was cloned to another linode that has not been booted
10:01 < TradeFortress> another as in brand new.
10:02 < TradeFortress> first of all, I'll have to figure out how to transfer the disk image
10:03 < TradeFortress> then I'll have to boot the disk image and remove the db files?
10:04 < TradeFortress> user DB is sorta sensitive. while passwords are hashed w/ bcrypt, PINs are exposed, and there's emails
10:05 < TradeFortress> theboos, that sounds like a good idea
10:05 < TradeFortress> BCB: password reset for my emails, linode, yes.
10:06 < TradeFortress> bitsav3, I will
10:06 < TradeFortress> BCB: they're like typical resets, what do you want to see?
10:07 < TradeFortress> https://i.imgur.com/sQnXsx0.png
10:07 < TradeFortress> the second time the attacker tried to get in
10:08 < TradeFortress> apisnetworks (my shared host, attacker thought there was something useful in here)
10:09 < TradeFortress> pastebin?
10:09 < TradeFortress> http://pastebin.com/J7S9xWyT
10:10 < TradeFortress> BigBitz|wrk: yep, there was one from Oct 23 that I can't now find for some reason.
10:10 < TradeFortress> BigBitz|wrk: hence 'the second time'.
10:10 < TradeFortress> right
10:11 < TradeFortress> BigBitz|wrk: where did you get the impression that I 'didn't do anything'?
10:11 < TradeFortress> I didn't just disregard the password reset email, especially since I couldn't login to linode again
10:11 < TradeFortress> second reset was mine, to regain access
10:12 < TradeFortress> BCB: no
10:12 < TradeFortress> BigBitz|wrk: what?
10:12 < TradeFortress> look at the screenshot
10:12 < TradeFortress> look at the screenshot
10:12 < TradeFortress> how many emails do you see
10:12 < TradeFortress> 2
10:12 < TradeFortress> 1st one: second time attacker tried to get access
10:12 < TradeFortress> 2nd one: me regaining access
10:15 < TradeFortress> glados.cc is powered by google apps
10:15 < TradeFortress> btcfaucet, tried pass resets
10:16 < TradeFortress> btcfaucet, I do not know what they performed, I do not remember the answer to security questions myself.
10:16 < TradeFortress> BigBitz|wrk: when you have shell access you can easily disable that.
10:16 < TradeFortress> BCB: k
10:16 < TradeFortress> duh
10:17 < TradeFortress> with gmail account, I recovered access simply by entering my old (changed) password
10:17 < TradeFortress> probably due to that I usually sign in from that device
10:17 < TradeFortress> BCB: http://pastebin.com/MhKTa5zN
10:19 < TradeFortress> BCB: show original > I see this.
10:19 < TradeFortress> bitcoind was dedi, I own the metal to it.
10:19 < TradeFortress> web was xen
10:20 < TradeFortress> BCB: tell me how.
10:20 < TradeFortress> just like the apisnetworks?
10:20 < TradeFortress> I'm accessing it the same way
10:20 < TradeFortress> 'Show Original'
10:21 < TradeFortress> BCB: I copied the entirety
10:21 < TradeFortress> understatement :p
10:23 < TradeFortress> https://i.imgur.com/H0NEeI7.png
10:24 < TradeFortress> for the linode
10:25 < TradeFortress> balances were signed because it's POSSIBLE that someone would have a negative balance on inputs
10:25 < TradeFortress> but in normal operation it shouldn't
10:25 < TradeFortress> btcfaucet, that won't work because the mini does some sanity checking, such as SUM(balance)
10:26 < TradeFortress> stqism: no
10:26 < TradeFortress> whitelisted
10:28 < TradeFortress> BCB: they are.
10:28 < TradeFortress> you asked for the second email
10:28 < TradeFortress> I sent you the original (as exposed by mail.google.com) and pastebinned & screenshotted it.
10:29 < TradeFortress> stqism: I thought tcp packets with a faked source won't be accepted.
10:30 < TradeFortress> BCB: haven't I already told this twice
10:30 < TradeFortress> the email, on the top, was the attacker's 2nd reset
10:30 < TradeFortress> then I was unable to login, so I had to reset it again
10:30 < TradeFortress> you asked for the SECOND
10:30 < TradeFortress> so I sent you the SECOND
10:30 < TradeFortress> ie the one at the bottom
10:31 < TradeFortress> you want the one on the top? ask for the FIRST then.
10:31 < TradeFortress> go look at the screenshots
10:31 < TradeFortress> BCB: of?
10:31 < TradeFortress> have you looked at the screenshot
10:31 < TradeFortress> look at the SECOND email because you asked for the 2nd's original.
10:32 < TradeFortress> check the scrollback
10:32 < TradeFortress> it's this, https://i.imgur.com/sQnXsx0.png, correct?
10:35 < TradeFortress> BigBitz|wrk: not after this.
10:35 < TradeFortress> BigBitz|wrk: to?
10:36 < TradeFortress> BigBitz|wrk: I exercise my right to reject it.
10:36 < TradeFortress> BCB: then why don't you ask.
10:38 < TradeFortress> https://i.imgur.com/pCtanaU.png
10:38 < TradeFortress> ever realize I might be screenshotting and uploading?
10:38 < TradeFortress> coingenuity, yep
10:39 < TradeFortress> BigBitz|wrk: gmail uses local time zones
10:39 < TradeFortress> BCB: did I? that's the full email.
10:41 < TradeFortress> kk, I've spent 1.5 hours or so here now.
10:42 < TradeFortress> I have another hundred emails to handle for Inputs.io
10:42 < TradeFortress> email me at admin@glados.cc if you want to contact me, I'll try and pop in tomorrow.
10:43 < TradeFortress> what is wrong with you BCB
10:43 < TradeFortress> do you need glasses
10:43 < TradeFortress> they are different emails
10:44 < TradeFortress> BCB: post them, show where it was the same timestamp
10:48 < TradeFortress> BCB: nothing useful on apisnetworks
10:48 < TradeFortress> most you could do is change the index.html on http://glados.cc/!
19:35 <@gribble> TradeFortress was last seen in #bitcoin-otc 8 hours, 46 minutes, and 30 seconds ago: <TradeFortress> most you could do is change the index.html on http://glados.cc/!

*update: looks like hashie had control of the email since it was started: https://code.google.com/p/chromium/issues/detail?id=429395

Security: Window.opener bypasses same origin policy
Status: WontFix
Owner: ----
Closed: Nov 2
Type-Bug-Security
Reported by ad...@glados.cc, Oct 31, 2014

VULNERABILITY DETAILS
Opened windows (through normal hrefs with target="_blank") can modify window.opener.location and replace the parent webpage with something else, even on a different origin (bypassing same origin policy).

While this doesn't allow script execution, it does allow phishing attacks that silently replace the parent tab (which a user already mentally trusts).

window.opener.location should not be modifiable if on a different origin.

VERSION
Chrome Version: 37.0.2062.94 + stable
Operating System: Ubuntu

REPRODUCTION CASE

https://hashie.co/chrome/demo.html

That could have been someone completely different just using that as their username there. It's not, though: it is TradeFortress, as the same user made an earlier post here:

Quote
Oct 16, 2013
#2 ad...@glados.cc
I am also experiencing this bug on my website, https://coinchat.org.

So, there's now a definite link between TradeFortress and hashie. Interesting.
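The ledger manipulation described in the log above (one account inflated, another driven to about -4000 BTC so that SUM(balance) still matched what bitcoind reported) is easy to model. The following is an added example, written for this page and not code from Inputs.io or from anyone quoted here; the table layout, account names and amounts are constructed, and the hot wallet balance is simply assumed to equal the journal total. It shows the SUM-only sanity check passing after a direct UPDATE with stolen DB credentials, and a reconciliation that catches it by comparing each cached balance against an append-only journal and rejecting negative balances:

```python
import sqlite3

# Constructed sample journal (satoshis): every row is a deposit or withdrawal the
# application itself processed. Cached balances are derived from it.
SAMPLE_JOURNAL = [
    ("alice", 300_000_000),   # deposit 3 BTC
    ("bob",   100_000_000),   # deposit 1 BTC
    ("carol",  50_000_000),   # deposit 0.5 BTC
    ("bob",   -20_000_000),   # bob withdraws 0.2 BTC
]
# Assumed: what bitcoind on the wallet host reports for the hot wallet.
HOT_WALLET_BALANCE = 430_000_000


def make_ledger(journal=SAMPLE_JOURNAL):
    """In-memory ledger: an append-only journal plus a cached, signed balance column."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE journal (
            id      INTEGER PRIMARY KEY,
            account TEXT    NOT NULL,
            delta   INTEGER NOT NULL
        );
        -- Signed on purpose and without a CHECK constraint, as described in the log.
        CREATE TABLE accounts (
            account TEXT    PRIMARY KEY,
            balance INTEGER NOT NULL
        );
    """)
    conn.executemany("INSERT INTO journal(account, delta) VALUES (?, ?)", journal)
    conn.execute("INSERT INTO accounts(account, balance) "
                 "SELECT account, SUM(delta) FROM journal GROUP BY account")
    conn.commit()
    return conn


def attacker_rewrites_balances(conn, target, victim, amount):
    """Direct UPDATEs with copied DB credentials: no journal rows, no application log."""
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE account = ?", (amount, target))
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE account = ?", (amount, victim))
    conn.commit()


def sum_only_check(conn, wallet_balance):
    """The weak sanity check: only the grand total is compared with the wallet."""
    total = conn.execute("SELECT COALESCE(SUM(balance), 0) FROM accounts").fetchone()[0]
    return total == wallet_balance


def reconcile(conn, wallet_balance):
    """Return a list of discrepancies; an empty list means the ledger is consistent."""
    problems = []
    for acct, bal in conn.execute("SELECT account, balance FROM accounts WHERE balance < 0"):
        problems.append(f"negative balance: {acct}={bal}")
    mismatched = conn.execute("""
        SELECT a.account, a.balance, COALESCE(j.total, 0)
          FROM accounts a
          LEFT JOIN (SELECT account, SUM(delta) AS total FROM journal GROUP BY account) j
            ON j.account = a.account
         WHERE a.balance != COALESCE(j.total, 0)
    """).fetchall()
    for acct, cached, journaled in mismatched:
        problems.append(f"cached balance for {acct} is {cached}, journal says {journaled}")
    journal_total = conn.execute("SELECT COALESCE(SUM(delta), 0) FROM journal").fetchone()[0]
    if journal_total != wallet_balance:
        problems.append(f"journal total {journal_total} != wallet balance {wallet_balance}")
    return problems


def withdrawal_allowed(conn, wallet_balance, account, amount):
    """Gate a payout on a clean reconciliation, not on the cached balance alone."""
    if reconcile(conn, wallet_balance):
        return False
    row = conn.execute("SELECT balance FROM accounts WHERE account = ?", (account,)).fetchone()
    return row is not None and 0 < amount <= row[0]


if __name__ == "__main__":
    conn = make_ledger()
    print("before attack: sum check", sum_only_check(conn, HOT_WALLET_BALANCE),
          "reconcile", reconcile(conn, HOT_WALLET_BALANCE))
    # Inflate carol by 4000 BTC and push alice to about -4000 BTC; the total is unchanged.
    attacker_rewrites_balances(conn, "carol", "alice", 400_000_000_000)
    print("after attack:  sum check", sum_only_check(conn, HOT_WALLET_BALANCE))
    for problem in reconcile(conn, HOT_WALLET_BALANCE):
        print("  ", problem)
```

The point of the journal is that a direct write to the accounts table, which leaves no trace when general_log and the binary log are off, no longer agrees with the rows the application itself wrote, and the withdrawal path refuses to pay out until that is resolved. In MySQL the per-account rule can also be enforced in the schema with a CHECK (balance >= 0) constraint (enforced from 8.0.16) or a BEFORE UPDATE trigger, which would have turned the attacker's offsetting UPDATE into an error.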

8  Other / Off-topic / Re: Ask TF thread on: January 14, 2015, 11:21:21 PM
Got any new projects which might gain some of your reputation back?

Apparently hashie:
https://code.google.com/p/chromium/issues/detail?id=429395

Security: Window.opener bypasses same origin policy
Status: WontFix, Closed: Nov 2, Type-Bug-Security
Reported by ad...@glados.cc, Oct 31, 2014 (Chrome 37.0.2062.94 stable on Ubuntu; reproduction case https://hashie.co/chrome/demo.html). Summary of the report: windows opened through normal target="_blank" links can set window.opener.location and replace the parent page even on a different origin; no script execution, but silent phishing of a tab the user already trusts.

Oct 31, 2014
#1 meacer@chromium.org

Thanks for the report, but the repro doesn't seem to be working on Chrome 38 on Linux. Could you try reproducing with a more recent version?

Oct 31, 2014
#2 ad...@glados.cc

Unfortunately the latest version of Chromium in my PPA is 37.

I've been able to reproduce this on Chrome 38.0.2125.114 for Android.

Oct 31, 2014
#3 ad...@glados.cc

To clarify, the actual POC is in the link on the page. The https://hashie.co/chrome/demo.html page will be replaced with example.org by pix4bit.com

Nov 1, 2014
#4 meacer@chromium.org

The demo page doesn't work for me on M37 on Mac either. When I switch back to example.com tab I see a very brief flash of https://hashie.co/chrome/demo.html but otherwise the actual example.com page is displayed in page contents. I haven't tested on Android yet though.

Nov 2, 2014
#5 wfh@chromium.org

The user decides to trust a particular tab by inspecting the URL and determining the origin.  In all cases here both tabs are always showing the correct origin for the content being shown.

On android, when entering any data into a form, the origin is always shown, even if it's previously been elided by scrolling down.  The user can then make a trust decision based on this visible origin.

Given this, I don't see any risk to users more than the users just clicking on a link and visiting a new page, so I am closing with WontFix.
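The bug report quoted above describes what is usually called reverse tabnabbing: a page opened through a plain target="_blank" link receives a window.opener reference and can assign window.opener.location, replacing the original tab with a look-alike. The usual fix on the linking site is rel="noopener" (rel="noreferrer" implies it). The following is an added example, not code from the report or from hashie.co, that audits a page for such links and rewrites them; the HTML sample and the host names in it are constructed:

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one plain target="_blank" link (the pattern the report
# describes), one already hardened, one with an unrelated rel, one same-tab link.
SAMPLE_HTML = """<html><body>
<p><a href="https://pix4bit.example/" target="_blank">partner site</a></p>
<p><a href="https://docs.example/" target="_blank" rel="noopener">docs</a></p>
<p><a href="https://docs.example/faq" target="_blank" rel="nofollow">faq</a></p>
<p><a href="/about">about</a></p>
</body></html>"""

REL_ATTR = re.compile(r'\brel\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)


class BlankLinkAuditor(HTMLParser):
    """Collects <a target="_blank"> tags whose rel lacks noopener/noreferrer.

    Such a link hands the new page a window.opener; the new page can then set
    window.opener.location and swap this tab for a look-alike.
    """

    def __init__(self):
        super().__init__()
        self.unsafe = []    # hrefs of links that expose window.opener
        self.rewrites = {}  # raw tag text -> hardened tag text

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("target", "").lower() != "_blank":
            return
        rel_tokens = attr.get("rel", "").lower().split()
        if "noopener" in rel_tokens or "noreferrer" in rel_tokens:
            return
        self.unsafe.append(attr.get("href", ""))
        raw = self.get_starttag_text()
        if "rel" in attr:
            # Keep the existing rel tokens and append noopener.
            hardened = REL_ATTR.sub(
                lambda m: f"rel={m.group(1)}{m.group(2)} noopener{m.group(1)}", raw, count=1)
        else:
            # Insert a rel attribute just before the closing ">".
            hardened = raw[:-1].rstrip().rstrip("/").rstrip() + ' rel="noopener">'
        self.rewrites[raw] = hardened


def find_unsafe_blank_links(html):
    """Return hrefs of target="_blank" links that leak window.opener."""
    parser = BlankLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.unsafe


def harden(html):
    """Return a copy of the page with rel="noopener" added to every unsafe link."""
    parser = BlankLinkAuditor()
    parser.feed(html)
    parser.close()
    for raw, fixed in parser.rewrites.items():
        html = html.replace(raw, fixed)
    return html


if __name__ == "__main__":
    for href in find_unsafe_blank_links(SAMPLE_HTML):
        print("leaks window.opener:", href)
    print(harden(SAMPLE_HTML))
```

Current browsers (Chrome 88, Firefox 79 and Safari 12.1 onward) treat target="_blank" as implying noopener, so an audit like this mostly matters for older clients and for window.open() calls made from script, which still pass the opener unless "noopener" is included in the feature string.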
9  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 14, 2015, 05:47:21 PM

WOW, how long did it take you to write this up lol, I almost finished a cigarette reading this lol. In any case I see what is being said and one should always be vigilant. If I ever have more than 1 bitcoin I will make sure I buy a cheap computer, get a bitcoin wallet and send my stuff there, and never keep the computer plugged in to the internet or even powered up. It will be fun each time I need to get to the wallet, having to wait for updates, but my 1 bitcoin will be safe.

About 5 minutes with copy-paste; most of it was public, I'm just trying to put things in context. I was kind of in a hurry, so I didn't post sources. I didn't find much about the email, just that the domain was registered to Yan Wang and now shows Mark Russells. https://bitcointalk.org/index.php?topic=211169.0 doesn't really prove much. TradeFortress still hasn't responded to my asking if his email was compromised. Whoever updated the site was probably meaning Mark Russell, as that had to do with BTC ATMs. Not that that is who it is, but it is probably just targeting different people in the community.

Honestly the biggest weakness of bitcoin is the centralization of something whose very nature goes against it. In other words, things like mining and the markets should have their own protocol; the miner itself should somehow send you payments, maybe something like using BitTorrent or BitTorrent Sync. You could do something like BitTorrent Sync and create keys that tie to miners so you could rent them out, etc.; different keys are used for the length of time. There is just too much faith and room for market manipulation if BTC is just stored on websites. I suppose for the time being something like an escrow, or something similar to btcbuckets, in that if you are to buy a contract the dude doesn't get all the money up front but it is slowly trickled during the length of the contract. Something must be done to prevent Ponzi scams and to stop things like CEX suspending operations; it makes it so people are stuck in a limbo state, not doing shit, with very few options but to either sell, wait or try to redeem for physical hardware.

Why are you having a conversation with yourself, malaimult? Yes, I checked, you've sorted your quoting out with all three alts. Good job!

So, darkangel/darkgamer/malaimult, could you explain your connection to the cloudminr.io ponzi? If you say you have none, then could you explain why you still carry their sig when the sig campaign ended ages ago? Surely you realise that you and picolo are going to be the ones people go after when the shit hits the fan.

I'm rarely on here; I pretty much only come to the forum when crap like Mt. Gox/hashie happens. Despite having my name begin with "dark", I don't think we really have that much in common. I don't even have a sig. The only thing I can say about cloudminr is that it's close to how pbmining operated. You can't predict the market (you can, however, look at trends: hacks, scams and bad publicity lower the price or crash the market, as in the case of Mt. Gox, while good publicity, sites accepting bitcoin and the like, causes the price to rise), and offering a contract for greater than 1 year will most likely create problems; you have no guarantee the site will be around 5 months later. Hashie attempted to make it look legit with the market. In a way, even though hashie was a scam, you still had more control than you do with contracts, as you could trade until the market was removed. Honestly you would have better luck with https://www.miningrigrentals.com/

*update: looks like hashie had control of the email since it was started: https://code.google.com/p/chromium/issues/detail?id=429395 (Security: Window.opener bypasses same origin policy, reported by ad...@glados.cc, Oct 31, 2014; Status: WontFix)
10  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 14, 2015, 01:35:07 PM

WOW, how long did it take you to write this up lol, I almost finished a cigarette reading this lol. In any case I see what is being said and one should always be vigilant. If I ever have more than 1 bitcoin I will make sure I buy a cheap computer, get a bitcoin wallet and send my stuff there, and never keep the computer plugged in to the internet or even powered up. It will be fun each time I need to get to the wallet, having to wait for updates, but my 1 bitcoin will be safe.

About 5 minutes with copy-paste; most of it was public, I'm just trying to put things in context. I was kind of in a hurry, so I didn't post sources. I didn't find much about the email, just that the domain was registered to Yan Wang and now shows Mark Russells. https://bitcointalk.org/index.php?topic=211169.0 doesn't really prove much. TradeFortress still hasn't responded to my asking if his email was compromised. Whoever updated the site was probably meaning Mark Russell, as that had to do with BTC ATMs. Not that that is who it is, but it is probably just targeting different people in the community.

Honestly the biggest weakness of bitcoin is the centralization of something whose very nature goes against it. In other words, things like mining and the markets should have their own protocol; the miner itself should somehow send you payments, maybe something like using BitTorrent or BitTorrent Sync. You could do something like BitTorrent Sync and create keys that tie to miners so you could rent them out, etc.; different keys are used for the length of time. There is just too much faith and room for market manipulation if BTC is just stored on websites. I suppose for the time being something like an escrow, or something similar to btcbuckets, in that if you are to buy a contract the dude doesn't get all the money up front but it is slowly trickled during the length of the contract. Something must be done to prevent Ponzi scams and to stop things like CEX suspending operations; it makes it so people are stuck in a limbo state, not doing shit, with very few options but to either sell, wait or try to redeem for physical hardware.
11  Other / Off-topic / Re: Ask TF thread on: January 13, 2015, 08:45:08 AM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloudmining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or support@hashie.co much in the future, but if you need to contact me for any reason feel free to email me at admin@glados.cc

Bye everyone!

-Queen Elsa

LOL and why do you think that was him?

I'm not saying it was; all I'm asking is, does he still have control of that email? I'm wondering if the hashie scam is somehow related to the inputs.io hack, and wondering who he has talked with on btc-otc, as I think someone from there has vendettas against other members.
With this logic...

Quote from: Vortex20000
Hi, I won't be checking this account anymore, please email theymos@bitcointalk.org.

Am I theymos? Pshaww...

I understand it could be some dude just posting an email. The whole way the scam took place is weird. All I know is the dude dropped an email that has a past. inputs.io involved social engineering tactics, and someone has gone around impersonating TradeFortress. From what I have found, people believe that TradeFortress was another member called milkshake. The domain name for the email that was used was registered to Yan Wang and now shows Mark Russells. https://bitcointalk.org/index.php?topic=211169.0
12  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 13, 2015, 12:37:20 AM
Maybe, but they also wanted everyone to let it go, and they have carried on now for about 3 weeks; I don't really think they will let it go. This is their Xbox Live entertainment.

I don't even know what you're trying to say. You lost me a couple of conversations ago. Just seemed like a wall of gibberish.

Why post an email that was involved in a hack? Even if it's not TradeFortress, it is someone that knows the community well and could be the same person that took down inputs.io, as a way to gloat on here about previous achievements.
13  Other / Off-topic / Re: Ask TF thread on: January 13, 2015, 12:27:12 AM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloud mining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or support@hashie.co much in the future, but if you need to contact me for any reason feel free to email me at admin@glados.cc

Bye everyone!

-Queen Elsa

LOL and why do you think that was him?

I'm not saying it was; all I'm asking is, does he still have control of that email? I'm wondering if the hashie scam is somehow related to the inputs.io hack, and wondering who he has talked with on btc-otc, as I think someone from there has vendettas against other members.
14  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 13, 2015, 12:05:45 AM
Until last week, inputs.io seemed like a nifty service for Bitcoin users. The company not only offered bitcoin wallets, it mixed the wallets up in order to anonymize the coins they stored, sped up bitcoin payments, and even spared them from the tiny transaction fees that are typically charged on the bitcoin network.

What are you talking about? It was hacked on October 24th, 2013! Also, like I said earlier, just because Hashie posted the email here, that does not mean they control it. It's just a way to get people to stop emailing them and email someone else instead.

Maybe, but they also wanted everyone to let it go, and they have carried on now for about 3 weeks; I don't really think they will let it go. This is their Xbox Live entertainment.
15  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 12, 2015, 11:40:54 PM
Hashie is using the same email that seems to have been compromised last year, glados.cc, and using the admin account that once belonged or may still belong to TradeFortress.

There's no evidence whatsoever to suggest that. Hashie simply posted Tradefortress' email address as their contact details.

If anyone wants to contact darkgamer, send him an email at admin@glados.cc. Oh my god! Darkgamer = hashie = TradeFortress!

Come on man, think about these things for at least 1 second.



Here’s your digital-currency lesson of the day, courtesy of a guy who calls himself TradeFortress: “I don’t recommend storing any bitcoins accessible on computers connected to the internet.”

That may sound like a paradox. Bitcoin is the world’s most popular digital currency, and it’s controlled by a vast collection of computers spread across the internet. But TradeFortress knows what he’s talking about. He’s the founder of inputs.io, a company that used to store bitcoins in digital wallets for people across the globe. The site was just hacked, with the bandits making off with more than a million dollars’ worth of bitcoins.

Yes, bitcoins are digital. And, yes, bitcoin transactions necessarily happen on the internet. But you can store bitcoins offline, and that's what the most careful of investors will do. A collection of bitcoins is essentially a private cryptographic key you can use to send money to someone else, and though you can store that key in an online digital wallet, you can also store it on an offline computer — and even on a physical item here in the real world, writing it on a piece of paper or engraving it on a ring. That's why your money can't be hacked.

Until last week, inputs.io seemed like a nifty service for Bitcoin users. The company not only offered bitcoin wallets, it mixed the wallets up in order to anonymize the coins they stored, sped up bitcoin payments, and even spared them from the tiny transaction fees that are typically charged on the bitcoin network.

But there was a catch. You had to trust the company — and its internet-connected computers — with your bitcoins. In retrospect, that was a bad idea. And now, Inputs.io customers are learning just how bad of an idea it was.

The site was compromised on Oct. 23, and again on Oct. 26, and hackers made off with 4,100 bitcoins ($1.2 million) stolen in two separate attacks. The company waited until this week to notify customers of the incident, which only affects certain users. A small number of bitcoins belonging to TradeFortress's other business, CoinLenders, were also taken, TradeFortress said in an email interview (he didn't provide his real name).

Inputs.io doesn’t have the funds to pay back everything that was stolen, but TradeFortress says he’s going to issue partial refunds. “I’m repaying with all of my personal Bitcoins, as well as remaining cold storage coins on Inputs, which adds up to 1540 BTC,” he told WIRED.

TradeFortress says that this was a social engineering attack, meaning that the attacker masqueraded as someone he wasn't in order to get access to the site's systems on cloud-hosting provider Linode. "The attack was done through compromising a chain of email accounts which eventually allowed the attacker to reset the password for the Linode server," he said.

The hacker’s first step was recovering an email address for an account that TradeFortress set up six years ago.

The “attacker rented an Australian server to proxy as close to my geographical location so it won’t raise alarms with email recoveries,” TradeFortress said in a forum post.

“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement,” TradeFortress wrote on the inputs.io website.

Like I said earlier, it wouldn't be hard to go around attacking websites once you learn enough about who runs them. I'm pretty sure that with all the above info it's not hard to think that maybe the email account got pwned. I guess we won't know if it's hashie unless we email them. I'm just saying that it's someone that knows a bit about the bitcoin operations, and it would be nice to have clarification from TradeFortress to find out if he still owns the email. I'm also saying that if a server was once compromised it would be good to take control of it during a scam like hashie, as it wouldn't be hard to impersonate the site owner. In this way, you could offer a scam called hashie and run off with the money. Then, go right back and offer a new scam using the credentials of someone else.
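The quoted article describes the takeover as a chain: an old e-mail account recovered first, used to reset a newer account, which in turn was used to reset the hosting console, with the provider's recovery flow also clearing 2FA. The block below is an added example, not code from the thread, from inputs.io or from Linode: a small model of such a recovery graph that enumerates every chain an attacker can walk using only recovery flows, names the most dormant root (the account to fix first), and shows the chains disappear once that root has MFA that recovery cannot clear. All account names and attributes are constructed.

```python
"""Model an account-recovery chain and find its weakest link.

Constructed example: the accounts, their recovery links and their
MFA/dormancy attributes are invented for illustration only.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass
class Account:
    """One account in the recovery graph."""
    name: str
    recovers_via: List[str] = field(default_factory=list)  # inboxes that can reset this account's password
    mfa: bool = False                    # a second factor is enabled
    recovery_bypasses_mfa: bool = False  # the recovery flow (e.g. a support reset) also clears the second factor
    years_dormant: int = 0               # how long the owner has ignored it


# Constructed graph, loosely modelled on the chain described above.
ACCOUNTS: Dict[str, Account] = {a.name: a for a in [
    Account("old-webmail", years_dormant=6),                  # forgotten root; provider recovery only
    Account("personal-mail", recovers_via=["old-webmail"]),
    Account("hosting-console", recovers_via=["personal-mail"],
            mfa=True, recovery_bypasses_mfa=True),            # 2FA on, but a reset clears it
    Account("work-mail", recovers_via=["personal-mail"], mfa=True),  # MFA holds against a reset
    Account("code-repo", recovers_via=["work-mail"], mfa=True),
]}


def _resettable(acct: Account) -> bool:
    """True if a password reset alone takes the account over, given its MFA settings."""
    return not acct.mfa or acct.recovery_bypasses_mfa


def takeover_chains(accounts: Dict[str, Account], target: str) -> List[List[str]]:
    """Every chain root -> ... -> target an attacker can walk using recovery flows only.

    Walks backwards from the target: an account is reachable if a reset takes it
    over and either it is a root (attacker passes the provider's own recovery
    flow) or one of its recovery inboxes is itself reachable.
    """
    chains: List[List[str]] = []

    def walk(name: str, downstream: List[str]) -> None:
        acct = accounts[name]
        if name in downstream or not _resettable(acct):  # cycle, or MFA stops the reset
            return
        path = [name] + downstream
        if not acct.recovers_via:
            chains.append(path)
            return
        for upstream in acct.recovers_via:
            walk(upstream, path)

    walk(target, [])
    return chains


def weakest_links(accounts: Dict[str, Account], target: str) -> List[str]:
    """Roots of the takeover chains, most dormant first: the accounts to fix first."""
    roots = {chain[0] for chain in takeover_chains(accounts, target)}
    return sorted(roots, key=lambda n: -accounts[n].years_dormant)


def harden(accounts: Dict[str, Account], name: str) -> Dict[str, Account]:
    """Copy of the graph where `name` has MFA that the recovery flow cannot clear."""
    fixed = {n: replace(a) for n, a in accounts.items()}
    fixed[name].mfa = True
    fixed[name].recovery_bypasses_mfa = False
    return fixed


if __name__ == "__main__":
    for chain in takeover_chains(ACCOUNTS, "hosting-console"):
        print(" -> ".join(chain))
    print("fix first:", weakest_links(ACCOUNTS, "hosting-console"))
    print("after hardening the root:",
          takeover_chains(harden(ACCOUNTS, "old-webmail"), "hosting-console"))
```

The point the model makes is the one the quoted post makes: 2FA on the hosting console is worth nothing if the provider's recovery path clears it, and the real gate is then the oldest, least watched mailbox in the chain.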
16  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 12, 2015, 06:09:57 PM
09:36 < TradeFortress> I'm not aware of any unsolved security vulnerabilities relating to Input's code and enviroment, other than the DB has been compromised. The attack was done through email resets and bypassing security features on Linode's side.
09:37 < TradeFortress> 2FA
09:38 < TradeFortress> BCB: no.
09:38 < TradeFortress> web server was bought from Linode, bitcoind server was on macminicolo

Hashie was never on Linode?



No, but hashie did use DigitalOcean. It very well could have been compromised using something similar. Hashie is using the same email that seems to have been compromised last year, glados.cc, and using the admin account that once belonged or may still belong to TradeFortress. If I was to hack into a website I would probably watch from the moment it's known and ask questions about the hack to the person that got hacked, so it looks like you're helping them. In this way you have the upper hand, in that you can understand the victim's mode of thinking and counter any moves they make.
17  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 12, 2015, 05:04:26 PM
I personally find it very strange that Elsa/Sahra/Hashie(Official), who has constantly been hiding her identity, suddenly throws out an email like that, linked to various sites, activities and logs...

It seems to me that it could be a good diversion...

Most likely you find it strange because you're a sane person trying to apply sanity to the actions of amoral fuckers that should either be behind bars or on the bottom of a lake.
Yeah, but if I just jacked money from people the first thing I would do would be to talk about my other attacks and gloat about it. The person has a high ego to feed and wants to be treated like royalty. They still want to have some control over how this plays out as they control the website and will want to make sure people keep investing.
18  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 12, 2015, 04:07:54 PM
Do you have any evidence to suggest that this crypt0queen has anything to do with Hashie apart from the Halloween costume? It seems just as likely to me that this whole Hashie/Frozen shite could just be an attempt to use her as scapegoat.
Unfortunately, I don't; all I found was chat logs from an old hack that were stored on http://btcfaucet.com/logs/TradeFortress_inputsio.txt. It's just odd they use the same email address. I don't know much about that hack other than that. I did use the coin chat back in 2013, coinchat@glados.cc. The only thing is they both enjoy freenode; hashie mentioned to someone in chat about a BTC faucet and seems to be more hostile to some members than others. There isn't much to do except question the people in the logs. It seems if the person has control of the site and is indeed communicating from that email, they either never lost control of that server after the hack or they ditched it and gave it to someone else. You would think that after a heist like that you would have money for a while; now they want more, from the looks of it.
19  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 12, 2015, 03:26:28 PM
From a hacker's standpoint, this is what I would do: use btc-otc or the Bitcoin Talk forum to find sites that are vulnerable, then find out about the people that run the site, hijack it and make it your platform for spam, scams or what have you. You learn enough to make a website and use people that have a bitcoin-related site to frame them for scams. The logs don't really explain; that is all I could really find. It seems to be a one-way conversation about the dude asking for help because of the hack; the cryptoqueen bitch asks something server related. The Frozen shit looks better in this context: https://twitter.com/crypt0queen playing Queen Elsa.
20  Economy / Service Announcements / Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH on: January 12, 2015, 03:02:12 PM
No, it's not a question of buying. They send ice sculptures as payouts. Sounds good to me. I have the right shelf ready here for it.

I was talking about the contract you'd have to purchase to be able to withdraw.

what is that all about?

4k BTC hacked but where from???


Inputs.io. It was a web wallet that got hacked last year or the year before. No idea why it's being posted here though.
I might not be checking this thread or support@hashie.co much in the future, but if you need to contact me for any reason feel free to email me at admin@glados.cc
Bye everyone!

-Queen Elsa
Queen Elsa might have been responsible, as her email is the same as one that had been compromised.