Bitcoin Forum
November 12, 2024, 03:40:55 AM *
Topic: mybitcoin security vulnerabilities (Read 4259 times)
hybriz_ (OP), Newbie (Activity: 2, Merit: 0)
May 30, 2011, 12:16:43 AM
Last edit: May 30, 2011, 12:31:09 AM by hybriz_
#1

OH HAI GUISE!

so, i've stumbled upon some "lame" vulnerabilities in mybitcoin.com that affect mainly normal users.

I've tried to contact the owners without success so basically this thread serves as a warning to all mybitcoin users that in a week's time i'll disclose the vulnerability details if they don't get fixed.

my advice is to have few coins in the mybitcoin wallet...they can easily be stolen by other users without you noticing...(well, you'll notice when the balance is 0).

Cheers,
hybriz_

(EDIT) PS: if you guys are in the mood for a donation... 1H3EUkytqu8Mdzbhd33CaTBTsQgJSo5spj :-)
AntiVigilante, Member (Activity: 98, Merit: 10)
May 30, 2011, 12:18:38 AM
#2

A week is too short for lower traffic sites.

Have you tried #bitcoin-otc on freenode?

Otherwise, stop trolling :)

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq
hybriz_ (OP), Newbie (Activity: 2, Merit: 0)
May 30, 2011, 12:26:07 AM
#3

it's been like 4 or 5 days now since I tried contacting them... on IRC, via message in their service.

apparently no one knows who the owners are and they are rumored to be missing.

just because of this warning, i bet many people will try and find the easy vulnerabilities... maybe by Wednesday i'll disclose them :-)

in the meantime, PROTIP: don't keep much money there unless you're willing to lose it.

Cheers,
hybriz_
Anonymous, Guest
May 30, 2011, 12:29:27 AM
#4

Thanks for telling us about it and giving us a chance to save our btc from mybitcoin. :)
AntiVigilante, Member (Activity: 98, Merit: 10)
May 30, 2011, 12:29:55 AM
#5

Quote from: hybriz_
it's been like 4 or 5 days now since I tried contacting them... on IRC, via message in their service.

apparently no one knows who the owners are and they are rumored to be missing.

just because of this warning, i bet many people will try and find the easy vulnerabilities... maybe by Wednesday i'll disclose them :-)

in the meantime, PROTIP: don't keep much money there unless you're willing to lose it.

Cheers,
hybriz_

It's not a high traffic site compared to mtgox. So good luck taking much out. Also it's Memorial Day weekend. People will be out til Monday night.

Alex Beckenham, Full Member (Activity: 154, Merit: 100)
May 30, 2011, 12:33:22 AM
#6

Quote from: hybriz_
i'll disclose the vulnerability details if they don't get fixed.

You mean the fact that the captcha always uses the same background, same font, same number of characters, same 3 colours on characters, same purple colour on the 2 brush strokes over the characters every time?

error, Hero Member (Activity: 588, Merit: 500)
May 30, 2011, 01:31:15 AM
#7

Whoever runs mybitcoin has been missing for far longer than four or five days.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
Bit_Happy, Legendary (Activity: 2114, Merit: 1040)
A Great Time to Start Something!
May 30, 2011, 01:40:41 AM
#8

A service like that is needed: Are there any similar fully developed sites*?
*MT. Gox merchant API is supposed to be better in the new version coming soon, any others?

theymos, Administrator, Legendary (Activity: 5376, Merit: 13410)
May 30, 2011, 02:56:22 AM
#9

I'm not surprised. MyBitcoin is still accepting payments with only 1 confirmation, which would allow some of the larger pools to steal BTC right now.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
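The 1-confirmation risk theymos points at can be quantified with the attacker catch-up probability from section 11 of the Bitcoin whitepaper. The following is an added example written for this page (not code from the thread or from MyBitcoin); the hashrate shares and risk threshold in the scenario are constructed, and `confirmations_required` is a helper named here to show how a merchant would pick a confirmation depth from that formula.

```python
"""Attacker catch-up probability after z confirmations (Bitcoin whitepaper,
section 11).  Added example for this thread, not MyBitcoin's own code."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding hashrate fraction q eventually
    overtakes the honest chain once the merchant has seen z confirmations.

    Whitepaper model: the attacker's expected progress while the honest chain
    mined z blocks is lambda = z * q / p; for each possible attacker lead k the
    remaining gap of (z - k) blocks is closed with probability (q/p)**(z-k)."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0  # a pool with a majority of the hashrate always wins the race
    lam = z * q / p
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_required(q: float, max_risk: float, limit: int = 1000) -> int:
    """Smallest z for which the attacker's success probability drops below
    max_risk; -1 if no depth up to `limit` suffices (e.g. q >= 0.5)."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return -1


if __name__ == "__main__":
    # Constructed scenario: a pool with 10 % or 30 % of the hashrate against a
    # service that credits deposits at a single confirmation.
    for q in (0.10, 0.30):
        print(f"q={q:.2f}, z=1 -> attacker success {attacker_success_probability(q, 1):.4f}")
        print(f"q={q:.2f}, confirmations for <0.1% risk: {confirmations_required(q, 0.001)}")
```

The model assumes a minority attacker racing the honest chain; it says nothing about a pool that can out-mine everyone else, which the `q >= p` branch treats as certain success.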
darbsllim, Sr. Member (Activity: 297, Merit: 251)
Founder, Filmmaker, Fun Guy
May 30, 2011, 04:20:49 AM
#10

Is there another more secure web wallet that we can use?

Brad Mills,
Investor - Former miner - Former Bitcoin Business Owner - Survivor of the Great Bitcoin Crashes of 2011 and 2012, the MtGox Heist of 2014 & the 2017 crypto bubble.
Bitrated user: bradmillscan.
AntiVigilante, Member (Activity: 98, Merit: 10)
May 30, 2011, 04:25:52 AM
#11

Quote from: darbsllim
Is there another more secure web wallet that we can use?

Mtgox or maybe instawallet for short term.

Confirmations are low in OTC as well. Perhaps it just needs to be updated.

MoonShadow, Legendary (Activity: 1708, Merit: 1010)
May 30, 2011, 05:02:11 AM
#12

System is now down for maintenance.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
darbsllim, Sr. Member (Activity: 297, Merit: 251)
Founder, Filmmaker, Fun Guy
May 30, 2011, 05:51:57 AM
#13

Quote from: MoonShadow
System is now down for maintenance.

are you the mybitcoin dev creighto?

MoonShadow, Legendary (Activity: 1708, Merit: 1010)
May 30, 2011, 05:57:27 AM
#14

Quote from: MoonShadow
System is now down for maintenance.
Quote from: darbsllim
are you the mybitcoin dev creighto?

No.  I had tried to login, and this is the error that I received.

MoonShadow, Legendary (Activity: 1708, Merit: 1010)
May 30, 2011, 05:59:01 AM
#15

Quote from: MoonShadow
System is now down for maintenance.
Quote from: darbsllim
are you the mybitcoin dev creighto?
Quote from: MoonShadow
No. I had tried to login, and this is the error that I received.

It's back up now, and the captcha is slightly different.

Alex Beckenham, Full Member (Activity: 154, Merit: 100)
May 30, 2011, 06:18:08 AM
#16

Quote from: MoonShadow
It's back up now, and the captcha is slightly different.

How is the captcha any different?

I just went and reloaded a few times and it's still the same as I described:

Quote
always uses the same background, same font, same number of characters, same 3 colours on characters, same purple colour on the 2 brush strokes over the characters every time?

I'm not saying it wouldn't be a challenge, but in the state it's in at the moment, I'm sure I could crack it in a couple of weeks.

MoonShadow, Legendary (Activity: 1708, Merit: 1010)
May 30, 2011, 06:25:21 AM
#17

Quote from: MoonShadow
It's back up now, and the captcha is slightly different.
Quote from: Alex Beckenham
How is the captcha any different?

It's case sensitive.

Alex Beckenham, Full Member (Activity: 154, Merit: 100)
May 30, 2011, 06:29:07 AM
#18

Quote from: MoonShadow
It's back up now, and the captcha is slightly different.
Quote from: Alex Beckenham
How is the captcha any different?
Quote from: MoonShadow
It's case sensitive.

Hahaha wow, but after 30 reloads, I didn't see any lower-case letters in the image, so I'll just assume any input needs to be upper-case.

Edit: Also, I was able to log in with eRzD even though the image showed ERZD.

Fiyasko, Legendary (Activity: 1428, Merit: 1001)
Okey Dokey Lokey
May 31, 2011, 02:49:33 PM
#19

Why the heck are people holding ßtc funds in online accounts?
I just don't get it.....

like maybe if "my comp burned out so now I'm on my lappy and I didn't lose my wallet.dat HAR HAR"
But my wallet's on many frequent backups so I dunno

http://bitcoin-otc.com/viewratingdetail.php?nick=DingoRabiit&sign=ANY&type=RECV <-My Ratings
https://bitcointalk.org/index.php?topic=857670.0 GAWminers and associated things are not to be trusted, Especially the "mineral" exchange
Alex Beckenham, Full Member (Activity: 154, Merit: 100)
May 31, 2011, 02:54:26 PM
#20

Quote from: Fiyasko
Why the heck are people holding ßtc funds in online accounts?
I just don't get it.....

like maybe if "my comp burned out so now I'm on my lappy and I didn't lose my wallet.dat HAR HAR"
But my wallet's on many frequent backups so I dunno

If I'm in a situation where I need to use an internet cafe, I'd rather have a few coins online than plug my wallet.dat into some public PC's USB port.
