Bitcoin Forum
  Show Posts
341  Bitcoin / Bitcoin Discussion / Re: I just got hacked - any help is welcome! (25,000 BTC stolen) on: June 18, 2011, 07:49:36 PM
But when it comes to something as personal as money all bets are off.

True, but if there is enough proof and enough people take action, one would be taking a risk to accept "tainted" coins. They might not be able to spend them!
The issue with that is that you would still be forced to use the tainted coins system, only you are forced by fear, rather than by a technical implementation.
342  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 18, 2011, 04:14:08 PM
It would be nice if we could get a response from MagicalTux on all of this.

I'm beginning to think we have heard all we are ever going to hear from him.
To be fair, he posted a thread today at http://forum.bitcoin.org/index.php?topic=18858 - however, so far it looks a lot like deny-everything marketing talk, although I may be wrong.
Plus I don't understand why he doesn't just implement two-factor authentication (through email) instead of a withdrawal password, as the latter can still be circumvented when someone indeed successfully exploits the site to a point where he has database read access.
343  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 18, 2011, 02:23:24 PM
The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per-user salt (you haven't clarified whether it's the same for all, unless I've misread something). Or even double SHA512 with two unique salts, halved.

Where was MD5 mentioned?
344  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 18, 2011, 01:53:37 PM
MagicalTux, a few cases can already be found here: http://forum.bitcoin.org/index.php?topic=18050.0
It also has some information regarding passwords strengths and operating systems that people used etc.

Also, have you received my PM about the CSS history sniffing vulnerability?


Copy in case that disappears:

Quote
Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: auto36299386@hushmail.com

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte

I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".
If the easiest way of "laundering" stolen money would be the exact site you compromised (Mt. Gox) I can imagine that someone does not want to go through the trouble of laundering everything, and would rather sell off the entire database in one hit and have others deal with that. Not to mention selling the database to multiple people.


Passwords are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD
Hashes (even salted) can be brute-forced. Especially if someone has, for example, already set up Bitcoin mining rigs, he would have considerable power to use on brute-forcing passwords, not to mention things like Amazon AWS (or other cloud computing services) that can be used to crack hashes very quickly.

345  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 18, 2011, 01:15:04 PM
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend to the servers, but how can you tell?
Yes. If you read the reports in this thread, you will see several people were using Linux.

I have also just seen a report of someone allegedly selling the Mt. Gox database. It would be nice if we could get a response from MagicalTux on all of this.
346  Bitcoin / Bitcoin Discussion / Re: Reports of MtGox being hacked ARE REAL (Fixed) on: June 18, 2011, 12:37:13 PM
THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email addresses in their mtgox profile. if they are incorrect they have to change their address + password

So a JS-based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such a site should, imo, be a pure, simple and spartan XHTML site, no fancy JS. And users should be advised to turn off JS in the browser profile used for this site.
Would be glad to see such a change in mtgox in future.



JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.
347  Bitcoin / Development & Technical Discussion / Re: Proposal: UI for "create wallet" and "open wallet" (and also crossed cheques) on: June 18, 2011, 11:48:08 AM
You can do multiple wallets by just creating multiple accounts and tuning the bitcoin client on each one separately, either by runas on Windows or su on Linux. On Vista and Windows 7 you can shift-right-click and run as another user.

The second idea opens up risks of the money that you have guaranteed being spent when the transaction goes through. The best way of achieving the same thing would be to create a new keypair then send the money to that keypair then export and delete the private key and print it out and give it to your friend. Services already exist to do this e.g. bitbills.

You cannot really equate bitcoin to checks. It's a lot more like cash.

Will
I believe his suggestion was for creating an intuitive UI for this that does all the work for you. It's great that you can use multiple wallets using command-line switches, but that is far outside the scope of knowledge, or willingness to tinker, of the average user.
348  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 18, 2011, 11:42:46 AM
* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
Maybe a CSRF attack that changed your password and the funds were transferred later?
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
349  Bitcoin / Bitcoin Discussion / Re: I just got hacked - any help is welcome! (25,000 BTC stolen) on: June 18, 2011, 11:23:36 AM
allinvillain you have not responded to my question.

what kind of mega-farm did you own in order to produce 25k btc from the start date you mentioned?
has anyone done the math on if this is feasible or not with the difficulty jumps?

He was supposedly a miner back when the difficulty was very low.
350  Bitcoin / Bitcoin Discussion / Re: Just wait, this is coming down the pipe. on: June 18, 2011, 11:05:14 AM
Banks earn money by giving loans for buying houses etc and giving interest on savings. (Since they use savings to give loans) They can still do this with bitcoins.
Banks earn money by giving loans more than 20 times higher in total than their own funds. They cannot do this with bitcoins. They can only lend a bitcoin for a bitcoin they possess. They won't make much profit with it.
Yes, they can.

If a bank / webwallet (essentially the same thing) keeps a balance on your account, you have no guarantee that every single BTC is backed by an actual BTC in their possession. Only at the moment everyone withdrew all of their bitcoins could you find out whether said webwallet/bank REALLY has all the bitcoins they claim to have. It would be possible for them to offer interest and give out loans, basically causing fractional reserve banking on a smaller scale. The difference is that you do not HAVE to use these systems, and can easily use Bitcoin without relying on banks/webwallets with practices like these.
351  Bitcoin / Bitcoin Discussion / Re: Hacker got to my MTGOX account, he converted the USD I had...... on: June 18, 2011, 10:42:46 AM
Again, to everyone who had his account compromised, please post in http://forum.bitcoin.org/index.php?topic=18050.0 .
As that topic is posted in Newbies (on purpose), anyone should be able to post in it regardless of post count.
352  Other / Beginners & Help / Re: don't use this website on: June 18, 2011, 10:42:01 AM
I'm sure you guys can think of something fun

Guys. Do not advocate DOSing these people. This is counter productive. The original site referenced in this thread had already been disabled by the time I saw this but walletinspector.info had not. THIS is the proper way to handle this:

- long quote snipped-

Followed by a polite phone call to both the owner of the compromised site and to Linode's listed abuse contact in the whois database for the IP. The site was pulled within a couple of hours.
I never advocated (D)DoSing. I just pasted the whois information of the owner of the site.
353  Bitcoin / Bitcoin Discussion / Re: Reports of MtGox being hacked ARE REAL (Fixed) on: June 18, 2011, 10:12:31 AM
I have sent MagicalTux a PM about a CSS history sniffing vulnerability and haven't had a response yet.
354  Other / Beginners & Help / Re: Trojan Wallet stealer be careful on: June 18, 2011, 09:54:54 AM
Possibly, but it needs a propagation method and a new C&C server or destination address since that's been blocked. It's an arms race, I agree.

Keep your wallet encrypted and only decrypt for transactions, use TrueCrypt.
These stealers typically get run once (bound to a legit application) and then exit and never run again. They only need to steal your wallet once. So no C&C is involved.
355  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 18, 2011, 09:39:08 AM
I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, infeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed brute force (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.
356  Bitcoin / Bitcoin Discussion / Re: Hacker got to my MTGOX account, he converted the USD I had...... on: June 17, 2011, 12:25:25 PM
I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?

What is this?

Lulzsec is a group that has been hacking quite a number of well-known networks and systems in the last week or so. They've exposed many security flaws, and gotten hold of many, many username/password combinations.

A lot of fairly new forum users have supposedly had their MT.Gox account hacked, and had their bitcoin taken, or if USD it's exchanged for bitcoin and taken.

There's nothing wrong with MT.Gox's security, only that a great number of users have been using the same username:password combination as another website that's been hacked.
If you look at the stickied thread in Newbies you can see that most people don't seem to reuse both their username and password on Mt. Gox.
Quote
EDIT

Another possibility is that the user with the hacked system had a password stealing trojan on their system.
I know that at least for me that is not the case.
Quote
The only options for what is happening are:

1)MTGox are themselves stealing users money
2)Users are reusing password/username combinations from other sites that have been hacked
3)Users have a compromised system that has resulted in their username/password being lifted.
4)MTGox has some major security holes

1 is not likely as MTGox make enough money as it is; also, why then wouldn't they steal everyone's instead of just a few accounts' worth?
I don't think Mt. Gox stole it themselves. Besides them indeed getting more gain from running a business, there are a lot more "invisible" ways to make money disappear from accounts if you have access to the system. So that's extremely unlikely.
Quote
4 is more likely but still not probable. MTGox have a simple but robust system that has been strengthened through attacks almost since its inception.

They use username:password authentication over https, so that's not leaked.
They are vulnerable to a CSS history sniffing attack because they use GET requests for their forms, to just name a vulnerability I found (which can be thwarted by having a long non-dictionary password, by the way). So no, it's not as robust as you seem to imply.
Quote
Again because it's over https there is little to no chance of having your session hijacked.

They limit the number of password attempts so accounts cannot be brute forced.
I believe that that only works per IP, and that you have a practically infinite number of attempts per account if you do distributed brute force (i.e., let every bot in your botnet do 5 tries).
Quote
The system itself isn't likely easily hacked, otherwise everyone's bitcoin in MTGox would be gone.
It would be much better to stay relatively low-profile, and not give the impression that Mt. Gox were compromised, if it's indeed unsafe. That way you can slowly keep stealing more and more funds, while other people just attribute it to user error.
Quote
Options 2 & 3 are the most likely and most common in these situations.
I know that at least for me both 2 and 3 are not applicable. I don't reuse passwords, and I've turned my entire system pretty much upside down to see if there was anything suspicious - which there wasn't.
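As an added illustration of the per-IP versus per-account point made in the post above (example code written for this page, not Mt. Gox's code nor anything posted in the thread; the threshold of 5, the 203.0.113.x source addresses and the "victim" account are assumptions), this simulation replays constructed login records through both kinds of throttle and counts how many guesses each one actually stops:

```python
# Added example (not from the forum thread): contrast a throttle that counts
# failed logins per source IP with one that counts them per target account.
# Input data is constructed here; no network or real service is involved.
from collections import defaultdict

MAX_ATTEMPTS = 5  # assumed lockout threshold, not a value from the page


class PerIpThrottle:
    """Counts failures per source IP only (the model the post describes)."""

    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit = limit
        self.failures = defaultdict(int)

    def allow(self, ip, account):
        return self.failures[ip] < self.limit

    def record_failure(self, ip, account):
        self.failures[ip] += 1


class PerAccountThrottle:
    """Counts failures per target account, whatever the source IP."""

    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit = limit
        self.failures = defaultdict(int)

    def allow(self, ip, account):
        return self.failures[account] < self.limit

    def record_failure(self, ip, account):
        self.failures[account] += 1


def replay(throttle, attempts):
    """Feed (ip, account, success) records through a throttle.

    Returns (attempts_allowed, attempts_blocked)."""
    allowed = blocked = 0
    for ip, account, success in attempts:
        if not throttle.allow(ip, account):
            blocked += 1
            continue
        allowed += 1
        if not success:
            throttle.record_failure(ip, account)
    return allowed, blocked


def constructed_attempts(sources=100, per_source=MAX_ATTEMPTS):
    """Constructed sample: `sources` distinct addresses each make `per_source`
    failed guesses against the same (hypothetical) account 'victim'."""
    return [(f"203.0.113.{i}", "victim", False)
            for i in range(sources) for _ in range(per_source)]


if __name__ == "__main__":
    data = constructed_attempts()
    print("per-IP:     ", replay(PerIpThrottle(), data))       # (500, 0)
    print("per-account:", replay(PerAccountThrottle(), data))  # (5, 495)
```

The per-IP throttle never fires because no single address exceeds the limit, while the per-account throttle stops everything after the fifth failure. A per-account lock on its own lets anyone lock a user out by guessing wrong on purpose, so in practice it is combined with backoff and a second factor rather than used alone.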
357  Other / Beginners & Help / Re: Can I receive bit coin as soon as I download a wallet? on: June 17, 2011, 11:42:22 AM

It did take me 12 hours to download all the blocks though. Isn't this going to become a huge issue for new users a couple of years from now when it takes days to download all the blocks? What if BTC is still around 100 years from now? How long will it take then?

There are other options available in the future. Including, but not limited to, simply including a recent copy of the blockchain in each new client release, to be downloaded directly rather than over the p2p network and verified by each client upon first start. It's the verification process that takes most of the time, not the actual downloading.
Does that not introduce centralization?

Not really, because at this point the client will still verify all the blocks upon first start, regardless of where the blockchain came from.  In the future, there are likely to be clients that come with a blockchain already in it and trust this included blockchain, but that would require trust in the client developers.
Yes, but if the majority of people (>50%) use the same client, wouldn't that allow the client developers to "force the network into a different blockchain"?
358  Economy / Trading Discussion / Re: My concerns with Bitcoin7 and Tradehill on: June 17, 2011, 10:50:37 AM

There is definitely something about Mt. Gox to copy. Quick comparison of main layout elements, obviously showing things being copied:

Now I am not a particular supporter of copyright law as it stands, but I do believe that you can't simply copy the entire design (and make a few changes) for commercial purposes, especially not for a relatively lucrative business.

The thing about referral programs is just based on what I have experienced in the past few years, from an "internet user" viewpoint. It's all great that you look at it from an "ecommerce guy" viewpoint, but it's the "regular internet users" that have to deal with the consequences - and from a "regular internet user" viewpoint, I (and many others with me) have usually found that companies that rely this heavily on referral systems are often shady in one way or another.

I understand your point about physical location, but I tried to make a point about American vs West-European mostly. I don't think that for example a UK-based business would be any different from a US-based business in that regard.


LOL I think this conversation is over.

I have proved my points exactly.

The Western European vs American argument is completely erroneous to the topic we're discussing

oh and by the way, bringing those screenshots was a waste of effort on your part and did not help your case at all LOL

Cheers buddy

TradeHill is an American company?

I am tired of trying to decipher Magical Tux's thick Jap accent  Roll Eyes

Yes sir! The management are Americans based in Chile, and the programming and design team in Washington, DC.
Why so hostile? I'm having to try a proper discussion and you resort to laughing and ridiculing, that's not really going to help.

Well, Chile is in America too - just not in the "United States"!

Anyways - calling a completely basic design (horizontal + vertical navbar, company name in the footer(!)...) a ripoff is a bit much in my opinion.
People are used to this layout from MtGox - why suddenly switch to something completely new and out-of-the-box, just to be different?!
My point is not that it's similar, but that it's practically identical. The tradehill layout is basically the Mt. Gox layout/design with a color change, a font size change, some changes in the text, a different logo, and the exchange rate bar removed. The menu (with the shadow effect thing) for example is a dead giveaway.

bitcoin7 is "operating unlicensed and therefore illegally (in their jurisdiction)"

What licenses are required to operate a bitcoin exchange in the United States?

Especially given that BTC aren't recognized as a currency, aren't they just the equivalent of people buying/selling WoW gold on eBay?

Also, does TH have whatever the appropriate licences are?

Quote
Also making claims that someone is operating "illegally" is quite easy - especially with BTC there's not that much regulated or available, as it is a relatively new field of operations. It's very often not sure for example if BTC are "money", "goods" or anything else.
This claim was in regards to the various non-Bitcoin currencies that were used. Again, I can't recall in exactly what thread it was (and the forum is too slow now for me to go look for it), but someone pointed out that under their jurisdiction they would be operating illegally because of the other currencies, not because of Bitcoin.
359  Bitcoin / Bitcoin Discussion / Re: Hacker got to my MTGOX account, he converted the USD I had...... on: June 17, 2011, 10:43:21 AM
I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?
I am not in the dump, nor do I reuse passwords. So *if* the Lulzsec DB is in some way related (which I doubt as that dump was released after accounts started getting broken into) it is at least not the only attack vector.
360  Economy / Trading Discussion / Re: I was scammed by MtGox. on: June 17, 2011, 10:41:31 AM
I've seen a similar thread not too long ago about someone posting how their bitcoins were moved out of mt. gox. He had pictures and everything.

I think I will stay away from mt. gox.

To be fair, people tend to use terrible passwords. Not sure whether there is a security problem with Mt. Gox or not, but I'd bet that this is just users being users and using passwords like 'password' and '12345'
Just a warning to everyone to not use MtGox. Sigh, I knew I should have stuck with BitcoinExchange.

What should I tell them? I mean I swear it was stolen from me. What can they do?

Everyone? There are far more traders not getting BTC stolen than traders claiming they have had BTC stolen. This sort of thing happens everywhere. Furthermore your title is sensationalist (MtGox clearly didn't scam you, you probably scammed yourself by having a shitty password) which leads me to believe you are lying in order to try get some sort of compensation.

Sorry if your BTC really did get stolen. That sucks. But what were you doing with 17BTC in your MtGox account anyway? Surely you've read all the reports from people claiming to have their accounts compromised.

The entire point is that weak passwords are not the issue here: http://forum.bitcoin.org/index.php?topic=18050.0