hybriz_ (OP)
Newbie
 Offline
Activity: 2
Merit: 0
|
 |
May 30, 2011, 12:16:43 AM
Last edit: May 30, 2011, 12:31:09 AM by hybriz_ |
|
OH HAI GUISE!
so, i've stumbled upon some "lame" vulnerabilities in mybitcoin.com that affect mainly normal users.
I've tried to contact the owners without success so basically this thread serves as a warning to all mybitcoin users that in a week's time i'll disclose the vulnerability details if they don't get fixed.
my advice is to have few coins in the mybitcoin wallet...they can easily be stolen by other users without you noticing...(well, you'll notice when the balance is 0).
Cheers,
hybriz_
(EDIT) PS: if you guys are in the mood for a donation... 1H3EUkytqu8Mdzbhd33CaTBTsQgJSo5spj :-)
|
|
|
|
|
|
|
|
TalkImg was created especially for hosting images on bitcointalk.org: try it next time you want to post an image
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
AntiVigilante
Member
Offline
Activity: 98
Merit: 10
|
|
May 30, 2011, 12:18:38 AM |
|
A week is too short for lower traffic sites. Have you tried #bitcoin-otc on freenode? Otherwise, stop trolling  |
|
|
|
hybriz_ (OP)
Newbie
Offline
Activity: 2
Merit: 0
|
|
May 30, 2011, 12:26:07 AM |
|
it's been like 4 or 5 days now since I tried contacting them... on IRC, via message in their service.
apparently no one knows who are the owners and they are rumored to be missing.
just because of this warning, i bet many people will try and find the easy vulnerabilities... maybe by Wednesday i'll disclose them :-)
in the mean time, PROTIP: don't keep much money there unless you're willing to loose it.
Cheers,
hybriz_
|
|
|
|
|
|
Anonymous
Guest
|
|
May 30, 2011, 12:29:27 AM |
|
Thanks for telling us about it and giving us a chance to save our btc from mybitcoin. |
|
|
|
|
AntiVigilante
Member
Offline
Activity: 98
Merit: 10
|
|
May 30, 2011, 12:29:55 AM |
|
it's been like 4 or 5 days now since I tried contacting them... on IRC, via message in their service.
apparently no one knows who are the owners and they are rumored to be missing.
just because of this warning, i bet many people will try and find the easy vulnerabilities... maybe by Wednesday i'll disclose them :-)
in the mean time, PROTIP: don't keep much money there unless you're willing to loose it.
Cheers,
hybriz_
It's not a high traffic site compared to mtgox. So good luck taking much out. Also it's Memorial Day weekend. People will be out til Monday night. |
|
|
|
|
Alex Beckenham
|
|
May 30, 2011, 12:33:22 AM |
|
i'll disclose the vulnerability details if they don't get fixed.
You mean the fact that the captcha always uses the same background, same font, same number of characters, same 3 colours on characters, same purple colour on the 2 brush strokes over the characters every time? |
|
|
|
|
error
|
|
May 30, 2011, 01:31:15 AM |
|
Whoever runs mybitcoin has been missing for far longer than four or five days.
|
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
May 30, 2011, 01:40:41 AM |
|
A service like that is needed: Are there any similar fully developed sites*?
*MT. Gox merchant API is supposed to be better in the new version coming soon, any others?
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5194
Merit: 12943
|
|
May 30, 2011, 02:56:22 AM |
|
I'm not surprised. MyBitcoin is still accepting payments with only 1 confirmation, which would allow some of the larger pools to steal BTC right now.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
darbsllim
Sr. Member
Offline
Activity: 297
Merit: 251
Founder, Filmmaker, Fun Guy
|
|
May 30, 2011, 04:20:49 AM |
|
Is there another more secure web wallet that we can use?
|
Brad Mills,
Investor - Former miner - Former Bitcoin Business Owner - Survivor of the Great Bitcoin Crashes of 2011 and 2012, the MtGox Heist of 2014 & the 2017 crypto bubble.
Bitrated user: bradmillscan.
|
|
|
AntiVigilante
Member
Offline
Activity: 98
Merit: 10
|
|
May 30, 2011, 04:25:52 AM |
|
Is there another more secure web wallet that we can use?
Mtgox or maybe instawallet for short term. Confirmations are low in OTC as well. Perhaps it just needs to be updated. |
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1007
|
|
May 30, 2011, 05:02:11 AM |
|
System is now down for maintenance.
|
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
darbsllim
Sr. Member
Offline
Activity: 297
Merit: 251
Founder, Filmmaker, Fun Guy
|
|
May 30, 2011, 05:51:57 AM |
|
System is now down for maintenance.
are you the mybitcoin dev creighto? |
Brad Mills,
Investor - Former miner - Former Bitcoin Business Owner - Survivor of the Great Bitcoin Crashes of 2011 and 2012, the MtGox Heist of 2014 & the 2017 crypto bubble.
Bitrated user: bradmillscan.
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1007
|
|
May 30, 2011, 05:57:27 AM |
|
System is now down for maintenance.
are you the mybitcoin dev creighto? No. I had tried to login, and this is the error that I received. |
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1007
|
|
May 30, 2011, 05:59:01 AM |
|
System is now down for maintenance.
are you the mybitcoin dev creighto? No. I had tried to login, and this is the error that I received. IT's back up now, and the captcha is slightly different. |
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
|
Alex Beckenham
|
|
May 30, 2011, 06:18:08 AM |
|
IT's back up now, and the captcha is slightly different.
How is the captcha any different? I just went and reloaded a few times and it's still the same as I described: always uses the same background, same font, same number of characters, same 3 colours on characters, same purple colour on the 2 brush strokes over the characters every time?
I'm not saying it wouldn't be a challenge, but in the state it's in at the moment, I'm sure I could crack it in a couple of weeks. |
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1007
|
|
May 30, 2011, 06:25:21 AM |
|
IT's back up now, and the captcha is slightly different.
How is the captcha any different? It's case sensitive. |
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
|
Alex Beckenham
|
|
May 30, 2011, 06:29:07 AM |
|
IT's back up now, and the captcha is slightly different.
How is the captcha any different? It's case sensitive. Hahaha wow, but after 30 reloads, I didn't see any lower-case letters in the image, so I'll just assume any input needs to be upper-case. Edit: Also, I was able to log in with eRzD even though the image showed ERZD. |
|
|
|
Fiyasko
Legendary
Offline
Activity: 1428
Merit: 1001
Okey Dokey Lokey
|
|
May 31, 2011, 02:49:33 PM |
|
Why the heck are people holding ßtc funds in online accounts?
I just dont get it.....
like maybe if "my comp burned out so now im on my lappy and i didnt loose my wallet.dat HAR HAR"
But my wallets on many frequent backups so I unno
|
|
|
|
|
Alex Beckenham
|
|
May 31, 2011, 02:54:26 PM |
|
Why the heck are people holding ßtc funds in online accounts?
I just dont get it.....
like maybe if "my comp burned out so now im on my lappy and i didnt loose my wallet.dat HAR HAR"
But my wallets on many frequent backups so I unno
If I'm in a situation where I need to use an internet cafe, I'd rather have a few coins online than plug my wallet.dat into some public pc's usb port. |
|
|
|
|
mewantsbitcoins
|
|
May 31, 2011, 02:56:06 PM |
|
Off topic, but I have to ask: Alex, do you live in Australia?  |
|
|
|
|
|
Alex Beckenham
|
|
May 31, 2011, 03:00:27 PM |
|
Off topic, but I have to ask: Alex, do you live in Australia? Yes, land of the slow internet. I suppose I look upside down to you? |
|
|
|
|
mewantsbitcoins
|
|
May 31, 2011, 03:01:22 PM |
|
I was wondering why your picture is upside down  |
|
|
|
|
|
Drifter
|
|
May 31, 2011, 03:03:34 PM |
|
Why the heck are people holding ßtc funds in online accounts?
I just dont get it.....
like maybe if "my comp burned out so now im on my lappy and i didnt loose my wallet.dat HAR HAR"
But my wallets on many frequent backups so I unno
Plenty of reasons. Access to my wallet wherever there is an internet connection. No needing to backup the wallet. In person transactions with my smartphone. Instant transactions from mybitcoin user to user, instead of waiting for confirmations, making this one of the best options for in-person trades. Email notifications of incoming payments. If necessary, secure access to my wallet (TOR, I2P) without needing to install bitcoin to my computer. I wouldn't store very large amounts on the site, but for small transactions it's great to have an online wallet. |
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1007
|
|
May 31, 2011, 04:20:15 PM |
|
I use Mybitcoin.com because it has most of the pros of paypal, but if they were to try some of the things that paypal has done, the mass exodus of the userbase would punish them severely.
|
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
datguywhowanders
Member
Offline
Activity: 112
Merit: 10
|
|
June 04, 2011, 11:37:32 PM |
|
So did we ever receive word about what these so called vulnerabilities were? Also, while I'm thinking about it, would anyone else be interested in an additional online wallet to compete with myBitcoin?
|
Donations Welcome: 163id7T8KZ6MevqT86DjrBF2kfCPrQsfZE
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1007
|
|
June 04, 2011, 11:47:03 PM |
|
would anyone else be interested in an additional online wallet to compete with myBitcoin?
Yes. |
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
June 05, 2011, 02:50:30 AM |
|
Yes, interested
|
|
|
|
Maged
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
June 05, 2011, 05:59:46 AM |
|
So did we ever receive word about what these so called vulnerabilities were?
It hasn't been the promised week, yet. Wait until tonight/tomorrow night (Sunday). |
|
|
|
WilliamJohnson
Newbie
Offline
Activity: 47
Merit: 0
|
|
June 05, 2011, 10:18:26 AM |
|
Whoever runs mybitcoin has been missing for far longer than four or five days.
I sent them a message on May 24th, and got an answer on May 29th. So, they are not "missing". would anyone else be interested in an additional online wallet to compete with myBitcoin?
Yes, definitely. |
|
|
|
|
|
carlerha
|
|
June 05, 2011, 10:45:29 AM |
|
would anyone else be interested in an additional online wallet to compete with myBitcoin? Yes. One with (optional) fund insurance would be nice too. |
|
|
|
|
TheKoziTwo
Legendary
Offline
Activity: 1552
Merit: 1047
|
|
June 05, 2011, 11:51:15 AM |
|
Maybe he is talking about the XSS vulnerability on the payment page. If I recall correctly I was able to send code to it.
|
|
|
|
|
