cuddlefish (OP)
|
|
June 16, 2011, 08:03:57 PM |
|
A lot of sites I've seen (Bitcoin7, Witcoin) are very vulnerable to CSRF attacks. Use a token! Use a token!
|
|
|
|
|
|
|
|
|
Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
wumpus
|
|
June 16, 2011, 08:21:00 PM |
|
Shouldn't this be in "Development"
I fully agree, though.
|
Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
|
|
|
cuddlefish (OP)
|
|
June 16, 2011, 08:21:48 PM |
|
Shouldn't this be in "Development"
I fully agree, though.
That's more of the bitcoin client itself.
|
|
|
|
genjix
Legendary
Offline
Activity: 1232
Merit: 1076
|
|
June 17, 2011, 01:10:20 AM |
|
|
|
|
|
|
cuddlefish (OP)
|
|
June 18, 2011, 03:54:43 AM |
|
bitlockers.com and mtgox.com also vulnerable
|
|
|
|
|
bitoption
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 18, 2011, 04:52:45 AM |
|
I've just cleared my schedule for a few hours.
|
|
|
|
lemonginger
Full Member
Offline
Activity: 210
Merit: 100
firstbits: 121vnq
|
|
June 18, 2011, 05:28:29 AM |
|
WTF?
There should be a bitcoin site code auditor team put together stat. Trusted coders with experience coding financial software that can give an voluntary "seal of approval". Too many people trying to get rich quick jumping in the game too quick with some basic errors.
|
|
|
|
bitoption
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 18, 2011, 05:44:15 AM |
|
Cuddlefish, thanks for the heads up. I'm implementing fixes right now.
As an aside, we got to it early; there is an attempted exploit out in the wild for bitoption right now, but it was unsuccesful.
|
|
|
|
bitoption
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 18, 2011, 05:53:01 AM |
|
p.s. try the link.
|
|
|
|
bitoption
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 18, 2011, 09:44:48 AM |
|
OK, we are now requiring posts and using server-generated xsrf tokens for all form submission, html or ajax.
My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.
|
|
|
|
cuddlefish (OP)
|
|
June 18, 2011, 05:53:36 PM |
|
OK, we are now requiring posts and using server-generated xsrf tokens for all form submission, html or ajax.
My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.
Perhaps a getToken api call that returns a CSRF token?
|
|
|
|
|
bitoption
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 18, 2011, 07:13:01 PM |
|
Re: API, yes, that's a possibility. The other option is that API devs pull the data from the cookie directly; re: ESAPI, thanks, I'll check it out.
|
|
|
|
|
nrd525
Legendary
Offline
Activity: 1867
Merit: 1023
|
|
June 20, 2011, 06:17:47 AM |
|
Are sessions a safer way to go than cookies?
I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.
|
Digital Gold for Gamblers and True Believers
|
|
|
cuddlefish (OP)
|
|
June 20, 2011, 06:23:40 AM |
|
Are sessions a safer way to go than cookies?
I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.
Irrelevant. The only effective way is: GETs for anything that doesn't issue a INSERT, DELETE, or UPDATE. POSTs for stuff that does, and require a CSRF token.
|
|
|
|
lemonginger
Full Member
Offline
Activity: 210
Merit: 100
firstbits: 121vnq
|
|
June 20, 2011, 03:34:21 PM |
|
why was this moved to offtopic?
Security seems to be about the most on topic discussion of all for bitcoin this week
|
|
|
|
cuddlefish (OP)
|
|
June 20, 2011, 06:38:03 PM |
|
why was this moved to offtopic?
Security seems to be about the most on topic discussion of all for bitcoin this week
I did. Suggest a better forum, I'll move it there.
|
|
|
|
jrmithdobbs
Newbie
Offline
Activity: 67
Merit: 0
|
|
June 21, 2011, 06:26:51 AM |
|
why was this moved to offtopic?
Security seems to be about the most on topic discussion of all for bitcoin this week
I did. Suggest a better forum, I'll move it there. But there's not a clowns forum! http://www.youtube.com/watch?v=_B0CyOAO8y0
|
|
|
|
PCRon
Newbie
Offline
Activity: 46
Merit: 0
|
|
June 24, 2011, 06:13:47 PM |
|
Sorry... What is CSRF?
|
|
|
|
SlipperySlope
|
|
June 24, 2011, 10:11:01 PM |
|
Sorry... What is CSRF?
I'm writing a set of Java clients for popular exchanges and for the last two days I've been debugging communications with the TradeHill API. The error message has been .... Forbidden 403 CSRF verification failed. Request aborted. TradeHill says that they will look into their django server configuration regarding a possible fix that I found on the internet. CSRF is an acronym for Cross Site Request Fraud, and what the original poster wants is for bitcoin financial web sites to enforce security so that someone else cannot hijack your session with the web site. CSRF is a protocol in which the server sends to you a certain random token and which your client, e.g. web browser returns to prove that you are the same entity that originally started the session. For example, TradeHill sends to me the following HTTP header when I perform an HTTP against their API URL at https://api-test.tradehill.com/APIv1/USD/GetBalance .. Set-Cookie: csrftoken=35d13f0f2708ee17b0834719b902ad65; Max-Age=31449600; Path=/ <== GENERATED BY TRADEHILL, UNIQUE FOR EACH SESSION My subsequent API request must specify that token when performing an HTTP POST, e.g. ... X-CSRFToken: 35d13f0f2708ee17b0834719b902ad65 <== PROVES THAT I ORIGINATED THE SESSION
|
|
|
|
|