Bitcoin Forum
Author Topic: Bter does not force https. Your password might get stolen.  (Read 323 times)
bcdev (OP)
April 11, 2014, 10:50:36 PM
 #1

http://www.reddit.com/r/Bitcoin/comments/22tbrv/bter_does_not_force_https_your_password_might_be/

Every exchange forces you to use https. If, for instance, you connect to http://www.bitstamp.net/, you'll immediately get redirected to the encrypted https://www.bitstamp.net/.
Every exchange except Bter. If you connect through http://bter.com and log in, your username, password and cookies will go through the internet unencrypted. I checked that with Wireshark.
Mail was sent to support. Since the fix is about 5 lines in apache.conf, they should be able to fix it quickly.

Please share: If you have ever used Bter, consider your passwords compromised, and change them asap using the https version of their website, in case someone intercepted your password or cookies. You might've sent your passwords in plaintext through the internet like I did.

Even if you're using 2FA, it doesn't save your cookies from being intercepted. So a MITM is still able to log in "beside you".
I think that this is critical, should be fixed asap, and all users should get an e-mail from staff instructing them to change their password.
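
Added example, not part of the original post: a site operator's check for the condition described above, run over raw response headers. It flags a plain-http response that does not redirect to https and any cookie set over http, and goes one step beyond the post by also checking the https response for HSTS and the cookie `Secure` attribute. The function names, finding labels, host `exchange.example` and the sample responses are constructed for illustration.

```python
from email.parser import Parser
from urllib.parse import urlsplit

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True)

def audit(scheme, raw):
    """Return findings for one response that was fetched over `scheme`."""
    status, headers = parse_response(raw)
    findings = []
    if scheme == "http":
        # A login page served over http must only answer with a redirect to https.
        target = urlsplit(headers.get("Location", ""))
        if not (status in (301, 302, 307, 308) and target.scheme == "https"):
            findings.append("http-not-redirected")
    elif "Strict-Transport-Security" not in headers:
        # Without HSTS the browser may still try http first on a later visit.
        findings.append("no-hsts")
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if scheme == "http":
            # Any cookie issued here already crossed the network in cleartext.
            findings.append("cookie-set-over-http:" + name)
        elif "secure" not in attrs:
            # Without Secure the browser also sends the cookie on http requests.
            findings.append("cookie-missing-secure:" + name)
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: session=constructed123; path=/\r\n\r\n<html>login</html>")
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://exchange.example/\r\n\r\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nSet-Cookie: session=constructed123; path=/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
              "Set-Cookie: session=constructed123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, scheme, raw in [("weak http", "http", WEAK_HTTP), ("good http", "http", GOOD_HTTP),
                               ("weak https", "https", WEAK_HTTPS), ("good https", "https", GOOD_HTTPS)]:
        print(label, audit(scheme, raw) or "ok")
```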