cuddlefish (OP)
June 16, 2011, 08:03:57 PM
A lot of sites I've seen (Bitcoin7, Witcoin) are very vulnerable to CSRF attacks. Use a token! Use a token!
wumpus
June 16, 2011, 08:21:00 PM
Shouldn't this be in "Development"?
I fully agree, though.
Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
cuddlefish (OP)
June 16, 2011, 08:21:48 PM
Shouldn't this be in "Development"?
I fully agree, though.
That's more of the bitcoin client itself.
genjix
June 17, 2011, 01:10:20 AM
cuddlefish (OP)
June 18, 2011, 03:54:43 AM
bitlockers.com and mtgox.com also vulnerable
bitoption
June 18, 2011, 04:52:45 AM
I've just cleared my schedule for a few hours.
lemonginger
firstbits: 121vnq
June 18, 2011, 05:28:29 AM
WTF?
There should be a bitcoin site code auditor team put together stat. Trusted coders with experience coding financial software that can give a voluntary "seal of approval". Too many people trying to get rich quick jumping in the game too quick with some basic errors.
bitoption
June 18, 2011, 05:44:15 AM
Cuddlefish, thanks for the heads up. I'm implementing fixes right now.
As an aside, we got to it early; there is an attempted exploit out in the wild for bitoption right now, but it was unsuccessful.
bitoption
June 18, 2011, 05:53:01 AM
p.s. try the link.
bitoption
June 18, 2011, 09:44:48 AM
OK, we are now requiring POSTs and using server-generated XSRF tokens for all form submission, HTML or AJAX.
My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.
cuddlefish (OP)
June 18, 2011, 05:53:36 PM
OK, we are now requiring POSTs and using server-generated XSRF tokens for all form submission, HTML or AJAX.
My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.
Perhaps a getToken api call that returns a CSRF token?
bitoption
June 18, 2011, 07:13:01 PM
Re: API, yes, that's a possibility. The other option is that API devs pull the data from the cookie directly; re: ESAPI, thanks, I'll check it out.
nrd525
June 20, 2011, 06:17:47 AM
Are sessions a safer way to go than cookies?
I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.
Digital Gold for Gamblers and True Believers
cuddlefish (OP)
June 20, 2011, 06:23:40 AM
Are sessions a safer way to go than cookies?
I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.
Irrelevant. The only effective way is: GETs for anything that doesn't issue an INSERT, DELETE, or UPDATE. POSTs for stuff that does, and require a CSRF token.
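An added example, not code from anyone in this thread, of the pattern bitoption and cuddlefish describe: GET handles reads only, every state-changing action is POST, the server generates one random token per logged-in session, and the token is accepted either as a hidden form field (HTML) or as a request header (AJAX/API). It also shows the two delivery options discussed above: a getToken API call and a cookie the API client can read. The route names, the `csrf_token` field, the `X-CSRF-Token` header, the `csrftoken` cookie and the in-memory stores are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Methods that must never change state (the thread's rule: GET is for reads only).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
FORM_FIELD = "csrf_token"       # hidden input name for HTML forms (assumed name)
HEADER_NAME = "X-CSRF-Token"    # header name for AJAX/API callers (assumed name)
COOKIE_NAME = "csrftoken"       # cookie the token is also delivered in (assumed name)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    session_id: Optional[str] = None          # identifies the logged-in session
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class CsrfGuard:
    """Server-generated, per-session anti-CSRF token with constant-time checking."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}   # session_id -> token (in-memory store)

    def token_for(self, session_id: str) -> str:
        # One unguessable token per session, created on first use.
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def check(self, req: Request) -> bool:
        """True if the request is a safe method or carries this session's token."""
        if req.method in SAFE_METHODS:
            return True
        expected = self._tokens.get(req.session_id) if req.session_id else None
        supplied = req.form.get(FORM_FIELD) or req.headers.get(HEADER_NAME)
        if expected is None or supplied is None:
            return False
        # Constant-time comparison so a mismatch cannot be timed.
        return hmac.compare_digest(supplied.encode(), expected.encode())


class App:
    """Toy exchange backend: GET only reads, POST mutates and needs a token."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)     # session_id -> balance (constructed data)
        self.guard = CsrfGuard()

    def handle(self, req: Request) -> Tuple[int, dict, Dict[str, str]]:
        """Returns (status, JSON-like body, response headers)."""
        if req.session_id not in self.balances:
            return 401, {"error": "not logged in"}, {}

        if req.path == "/balance" and req.method == "GET":
            return 200, {"balance": self.balances[req.session_id]}, {}

        # cuddlefish's suggestion: an API call that hands the token to API clients.
        # bitoption's alternative is served at the same time: a cookie the client reads.
        if req.path == "/api/getToken" and req.method == "GET":
            token = self.guard.token_for(req.session_id)
            cookie = f"{COOKIE_NAME}={token}; SameSite=Strict"
            return 200, {FORM_FIELD: token}, {"Set-Cookie": cookie}

        if req.path == "/withdraw":
            if req.method != "POST":
                # A state change reachable by GET can be triggered by any page the
                # user happens to visit, so it is refused outright.
                return 405, {"error": "withdraw requires POST"}, {"Allow": "POST"}
            if not self.guard.check(req):
                return 403, {"error": "missing or invalid CSRF token"}, {}
            try:
                amount = int(req.form.get("amount", ""))
            except ValueError:
                return 400, {"error": "bad amount"}, {}
            if amount <= 0 or amount > self.balances[req.session_id]:
                return 400, {"error": "bad amount"}, {}
            self.balances[req.session_id] -= amount
            return 200, {"balance": self.balances[req.session_id]}, {}

        return 404, {"error": "no such route"}, {}
```

The session cookie alone cannot protect the withdraw route, which is why the choice between PHP sessions and plain cookies is irrelevant here: the browser attaches it to any cross-site request automatically. The token works because another origin cannot read the victim's page, the getToken response, or the cookie value, so a forged form or script submission arrives without it and gets a 403.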
lemonginger
firstbits: 121vnq
June 20, 2011, 03:34:21 PM
Why was this moved to Off-topic?
Security seems to be about the most on-topic discussion of all for bitcoin this week.