Bitcoin Forum
December 03, 2016, 06:51:29 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4] 5 6 7 8 9 »  All
  Print  
Author Topic: If your Mt. Gox account has been compromised, PLEASE READ.  (Read 33015 times)
osborn_20
Newbie
*
Offline Offline

Activity: 12


View Profile
June 18, 2011, 09:01:49 PM
 #61

sht this looks bad. This is could diminish the trust on the system on the long run.

Maybe at this point we need security companies getting involved in bitcoins security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

Also doesn't anybody think is suspicious that all this attacks are happening at the same time?.


1480747889
Hero Member
*
Offline Offline

Posts: 1480747889

View Profile Personal Message (Offline)

Ignore
1480747889
Reply with quote  #2

1480747889
Report to moderator
1480747889
Hero Member
*
Offline Offline

Posts: 1480747889

View Profile Personal Message (Offline)

Ignore
1480747889
Reply with quote  #2

1480747889
Report to moderator
1480747889
Hero Member
*
Offline Offline

Posts: 1480747889

View Profile Personal Message (Offline)

Ignore
1480747889
Reply with quote  #2

1480747889
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480747889
Hero Member
*
Offline Offline

Posts: 1480747889

View Profile Personal Message (Offline)

Ignore
1480747889
Reply with quote  #2

1480747889
Report to moderator
1480747889
Hero Member
*
Offline Offline

Posts: 1480747889

View Profile Personal Message (Offline)

Ignore
1480747889
Reply with quote  #2

1480747889
Report to moderator
1480747889
Hero Member
*
Offline Offline

Posts: 1480747889

View Profile Personal Message (Offline)

Ignore
1480747889
Reply with quote  #2

1480747889
Report to moderator
CamelToeBob
Newbie
*
Offline Offline

Activity: 5


View Profile
June 18, 2011, 09:13:00 PM
 #62

I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transfered at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.
joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
June 18, 2011, 09:15:11 PM
 #63

sht this looks bad. This is could diminish the trust on the system on the long run.

Maybe at this point we need security companies getting involved in bitcoins security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

Also doesn't anybody think is suspicious that all this attacks are happening at the same time?.



Bitcoin has had a lot of attention lately. Of course there will be attacks from every side. People who just want to earn a buck from it in less elegant ways, and people who want to see Bitcoin vanish off the earth.

I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transfered at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.
How exactly would an XSS work in this case? I have never followed any links to Mt. Gox from external sites, and my account was broken into at a point where I couldn't even access Mt. Gox (probably due to the DDoS attacks).

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
Grant
Full Member
***
Offline Offline

Activity: 168



View Profile
June 18, 2011, 09:40:06 PM
 #64

sht this looks bad. This is could diminish the trust on the system on the long run.

Maybe at this point we need security companies getting involved in bitcoins security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.


Noshit it looks bad, it was enough to completely diminish my trust in the system, and i've been bitcoin enthusiast since december. Imagine how "attractive" this looks for someone who considers to invest. If this happened in december when i discovered bitcoin i'd certainly run far away from here.

We don't need "banking", there is no way to track funds to a person anyway (we can track the block explorer yes but that's it, it may be a thiefs account and it may be someone who pretends to be a victims 2nd wallet). What's needed is better security, until then i'm taking most of my bitcoin savings far away from bitcoin.



joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
June 18, 2011, 09:58:10 PM
 #65

sht this looks bad. This is could diminish the trust on the system on the long run.

Maybe at this point we need security companies getting involved in bitcoins security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.


Noshit it looks bad, it was enough to completely diminish my trust in the system, and i've been bitcoin enthusiast since december. Imagine how "attractive" this looks for someone who considers to invest. If this happened in december when i discovered bitcoin i'd certainly run far away from here.

We don't need "banking", there is no way to track funds to a person anyway (we can track the block explorer yes but that's it, it may be a thiefs account and it may be someone who pretends to be a victims 2nd wallet). What's needed is better security, until then i'm taking most of my bitcoin savings far away from bitcoin.



The issue is not with Bitcoin. It is perfectly possible for someone to set up a Bitcoin bank, that has insurance against theft etc, just like "conventional" banks. The issue here lies with Mt. Gox, which is only a single independent exchange. Bitcoin itself (as an idea and protocol) is technically sound. The only thing I am missing is wallet encryption in the client by default, but that can be overcome for now by storing a wallet on a machine that is not connected to the internet, using third-party encryption software.

Bitcoin is much like digital cash, with the difference that you can encrypt a Bitcoin wallet, while you can't encrypt an IRL wallet.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
alexanderanon
Full Member
***
Offline Offline

Activity: 211



View Profile
June 18, 2011, 10:55:37 PM
 #66

Any reports of problems with TradeHill, anyone?
joshuad31
Newbie
*
Offline Offline

Activity: 15


View Profile
June 19, 2011, 01:16:11 AM
 #67

any newbie reading this please keep your bitcoins seperated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of cypto currency but if they ever expect bitcoin to become mainstream and not just somebody's hobby shouldn't all these issues be addressed by the software programmers of bitcoin.  I mean do you really want to solve this problem?  Well its easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file.  It read/writes to a wallet that always remains encrypted
2. If you really want bitcoin to go mainstream then it seems to me like incorporating a trading mechanism like mtgox directly into the software itself would seem wise.  That way you don't need to rely on an ewallet system which can be compromised every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J

Bitrated user: joshuad31.
mahun
Newbie
*
Offline Offline

Activity: 17


View Profile
June 19, 2011, 01:58:20 AM
 #68

http://forum.bitcoin.org/index.php?topic=19221.0

in short:
did not reuse password.
did not use email during registration, instead wrote down login/password to keepass.
brand new mtgox.com account.
funded it with 50.56 and after 3-4 hours unable to login to site.
it could not be hacked from email, since email was not used during registration.
no trojans found and computer was offline.
did not visit any websites in between so recent CSRF issue did not affect me.
JTaBitCoinKing
Newbie
*
Offline Offline

Activity: 28


View Profile
June 19, 2011, 04:04:59 AM
 #69

Well that Dollor is no less doomed then the Bitcoin.
neneko
Newbie
*
Offline Offline

Activity: 28


View Profile
June 19, 2011, 04:26:54 AM
 #70

any newbie reading this please keep your bitcoins seperated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of cypto currency but if they ever expect bitcoin to become mainstream and not just somebody's hobby shouldn't all these issues be addressed by the software programmers of bitcoin.  I mean do you really want to solve this problem?  Well its easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file.  It read/writes to a wallet that always remains encrypted
2. If you really want bitcoin to go mainstream then it seems to me like incorporating a trading mechanism like mtgox directly into the software itself would seem wise.  That way you don't need to rely on an ewallet system which can be compromised every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J
The first problem confuses me a little, mostly because these attacks had absolutely nothing to do with anyones wallet file.

The second is just a terrible suggestion and goes against the very basic principles of bitcoin and what it's supposed to be.

Safer banking solutions would be great and they will no doubt come when bitcoin grows bigger but for now just calm down a little and look at what actually happened. These attacks happened due to a site (mt. gox) having security flaws and the attacks only affected accounts at that site. They had nothing to do with how bitcoin works as a currency.
TheMummy
Newbie
*
Offline Offline

Activity: 2


View Profile
June 19, 2011, 05:48:44 AM
 #71

I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899
Mr2001
Jr. Member
*
Offline Offline

Activity: 42


View Profile
June 19, 2011, 06:50:46 AM
 #72

I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899
Same here. Ticket #1912. I can't log in, and password recovery says no email address is on file (but I believe I set one when I signed up).

I've been using a separate browser for mtgox, with no other pages open, ever since I heard about the CSRF exploit. I tried to change my password at that time too, but when I clicked "Change", the page flickered but nothing happened (on multiple browsers).
fasthands
Newbie
*
Offline Offline

Activity: 4


View Profile
June 19, 2011, 08:48:01 AM
 #73

Change your Mt. Gox password. Twenty charters in best, with both uppercase and lowercase letters along with a few numbers. No words from the dictonary!
Mr2001
Jr. Member
*
Offline Offline

Activity: 42


View Profile
June 19, 2011, 10:25:00 AM
 #74

Change your Mt. Gox password. Twenty charters in best, with both uppercase and lowercase letters along with a few numbers. No words from the dictonary!
Am I the only one who was unable to change passwords?
mikef
Newbie
*
Offline Offline

Activity: 7


View Profile
June 19, 2011, 12:10:41 PM
 #75

My account was locked today - not able to get in or recover password. Reading the forums, I was already hopeless. But finally mtgox support got back to me and reopened the account. I hear this is related to tracking stolen bitcoins.

So if you're in the same situation, not being able to log in (instead of malicious transactions), contact mtgox support.
puppy1014
Jr. Member
*
Offline Offline

Activity: 48


View Profile
June 19, 2011, 12:42:20 PM
 #76

My acc has been hacked and i lost 5 BTC the id and the pass don't match  Cry no way i sure about my password. I use Avira and Zone Alarm latest so this  is't have any trojan or keylogger in my PC  . So i think mtgox steal my acc ?
my ticket # 1942 now i can't do anything with my account ( login , recover my pass i think someone changed it )
joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
June 19, 2011, 08:13:44 PM
 #77

Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
digimag
Full Member
***
Offline Offline

Activity: 138


View Profile
June 19, 2011, 08:29:38 PM
 #78

Hey hey…

I believe people at MTGOX are little stupid kids.

Do not change your password.

Just delete your damn MT GOX account and go find a more trustworthy site.

I've just downloaded that CSV file with all the informations, I can't believe it.

Mt GOX IS NOT SECURE.

Mt Gox is a fucking security hole and you'd better get out of there quick.

For instance, try Trade Hill.

17opQsbw8873x4PTwzvacEjNR2a59mSxoT
digimag
Full Member
***
Offline Offline

Activity: 138


View Profile
June 19, 2011, 08:33:36 PM
 #79

Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so

As I said, there is no use to change your password if it will be hacked again.

What just happened is just not serious. It's such a fucking joke I can't believe it.

I would recommend to get out of there and go somewhere else.

If those people can not secure their web server, they should be responsible for it and assume the consequences.

17opQsbw8873x4PTwzvacEjNR2a59mSxoT
tomfmason
Newbie
*
Offline Offline

Activity: 1


View Profile
June 19, 2011, 08:49:55 PM
 #80

I like how the orginial thread was removed. Cover up or what?

weaksauce imo
Pages: « 1 2 3 [4] 5 6 7 8 9 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!