Bitcoin Forum
April 16, 2024, 08:17:21 PM
Pages: « 1 2 [3] 4 5 6 7 8 9 »  All
Topic: If your Mt. Gox account has been compromised, PLEASE READ.  (Read 34525 times)
TrainDeluxe (Newbie, Activity: 56, Merit: 0)
June 18, 2011, 05:57:15 AM  #41

I also get this error on login now:

Too many failure from your IP, temporarly blocked

Does anybody know what it means or have solved it?
geek-trader (Sr. Member, Activity: 294, Merit: 250)
June 18, 2011, 06:20:41 AM  #42

Quote from: TrainDeluxe
I also get this error on login now:

Too many failure from your IP, temporarly blocked

Does anybody know what it means or have solved it?

I was getting it, then I clicked "forgot password" and reset my password, and I can log in now.

opticbit (Hero Member, Activity: 695, Merit: 502, PGP: 6EBEBCE1E0507C38)
June 18, 2011, 06:49:15 AM  #43

Mine hasn't been touched, but it's a low balance; changed my pw just in case the attacker was sitting on it, waiting for me to add more funds.

MBH (Newbie, Activity: 51, Merit: 0)
June 18, 2011, 08:14:54 AM  #44

Was anyone using this app, by any chance? I downloaded it the other day but decided against giving them my password. Noticed today that there is a new version that is now closed source. Coincidence?

I saw the app in the market and it spooked me since it wasn't developed by MtGox itself.

My friend installed it & gave it access. I dunno if he got compromised or not (if not, he probably doesn't have worthy funds).

I highly suspect this app.
joepie91 (OP) (Sr. Member, Activity: 294, Merit: 250)
June 18, 2011, 09:39:08 AM  #45

I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
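The list above ends with distributed brute force from a botnet, and the thread opened with Mt. Gox's per-IP lockout message. The two belong together: a block keyed only on the source address is exactly what spreading guesses over many addresses gets around. As an added example, not code from the thread, the forum or Mt. Gox, here is a login-failure limiter that counts failures per source IP and per target account; the window length and thresholds are assumed policy values, and the addresses are constructed from documentation ranges.

```python
# Added example (not code from the thread, the forum or Mt. Gox): a login-failure
# limiter that counts failures per source IP and per target account. A per-IP
# block alone, like the "Too many failure from your IP" message quoted in the
# thread, is what a botnet spreading its guesses over many addresses gets around;
# the per-account counter still fills up because every guess lands on one account.
import time
from collections import deque

WINDOW_SECONDS = 600     # sliding window; assumed policy value
MAX_PER_IP = 10          # failures tolerated per IP inside the window (assumed)
MAX_PER_ACCOUNT = 20     # failures tolerated per account inside the window (assumed)


class LoginLimiter:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._by_ip = {}                # ip -> deque of failure timestamps
        self._by_account = {}           # account -> deque of failure timestamps

    def _recent_failures(self, table, key):
        dq = table.setdefault(key, deque())
        now = self._now()
        while dq and now - dq[0] > WINDOW_SECONDS:   # drop entries older than the window
            dq.popleft()
        return len(dq)

    def is_blocked(self, ip, account):
        """True if either the source IP or the target account is over its limit."""
        return (self._recent_failures(self._by_ip, ip) >= MAX_PER_IP
                or self._recent_failures(self._by_account, account) >= MAX_PER_ACCOUNT)

    def record_failure(self, ip, account):
        now = self._now()
        self._by_ip.setdefault(ip, deque()).append(now)
        self._by_account.setdefault(account, deque()).append(now)

    def record_success(self, account):
        # A correct login clears the account's counter; IP history is kept.
        self._by_account.pop(account, None)


def simulate_guessing(num_sources, guesses_per_source, account="alice"):
    """Constructed scenario: num_sources IPs each send guesses_per_source wrong
    passwords at one account. Returns (some_ip_blocked, account_blocked)."""
    limiter = LoginLimiter()
    sources = [f"203.0.113.{i}" for i in range(num_sources)]   # TEST-NET-3 addresses
    for ip in sources:
        for _ in range(guesses_per_source):
            if limiter.is_blocked(ip, account):
                break
            limiter.record_failure(ip, account)
    # Probe each IP against an unrelated account, and the account from a fresh IP.
    some_ip_blocked = any(limiter.is_blocked(ip, "unrelated") for ip in sources)
    account_blocked = limiter.is_blocked("198.51.100.1", account)
    return some_ip_blocked, account_blocked


if __name__ == "__main__":
    print("single IP, 15 guesses:", simulate_guessing(1, 15))    # (True, False)
    print("30 IPs, 1 guess each: ", simulate_guessing(30, 1))    # (False, True)
```

The second scenario is the one the list worries about: thirty addresses each trying once never trip the per-IP rule, but the account counter does, and a fresh address arriving afterwards finds the account already locked. Clearing only the account counter on a successful login keeps a noisy address throttled while letting the legitimate owner back in.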
lechuck (Member, Activity: 85, Merit: 10)
June 18, 2011, 10:32:05 AM  #46

Have you guys considered that Mt. Gox servers themselves might be compromised with backdoors, hosted at an insecure location, or that their passfiles might have been stolen? Pfiles get stolen all the time from porn sites and such; all it takes is the pfile, a good wordlist or rainbow table and John the Ripper to decrypt the password hashes.
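The post above treats a stolen password file as equivalent to stolen passwords, which holds when the file stores unsalted, fast hashes. As an added example, not code from the thread or from Mt. Gox, here is the storage scheme that breaks that equivalence: a random per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 from the standard library), alongside the unsalted MD5 it replaces and a migration path for an existing table. The record format and iteration count are assumptions of this example.

```python
# Added example (not code from the thread or from Mt. Gox): what separates a
# password table that is worth stealing from one that is not. An unsalted, fast
# hash such as MD5 gives every user with the same password the same stored value,
# so one precomputed hash->password table (the post's "rainbow table") covers all
# of them. A random per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256 here)
# makes precomputed tables useless and each trial expensive. The storage format
# and iteration count are assumptions of this example.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def legacy_md5(password):
    """The weak scheme: unsalted and fast. Included only for the contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def identical_for_same_password(hash_fn):
    """True if two users who chose the same password end up with identical stored
    values, which is exactly what a precomputed table exploits."""
    return hash_fn("correct horse battery") == hash_fn("correct horse battery")


def upgrade_on_login(password, stored_md5):
    """Migration path for an existing MD5 table: the old hash is only ever checked
    at login, and on success the row is rewritten with the salted scheme."""
    if hmac.compare_digest(legacy_md5(password), stored_md5):
        return hash_password(password)
    return None


if __name__ == "__main__":
    print("MD5 collides across users:   ", identical_for_same_password(legacy_md5))     # True
    print("PBKDF2 collides across users:", identical_for_same_password(hash_password))  # False
    record = hash_password("hunter2")
    print(verify_password("hunter2", record), verify_password("hunter3", record))      # True False
```

With the salted scheme a leaked table still lets the holder try guesses, but only one user and one guess at a time, at the full cost of the iteration count; the precomputed table the post mentions buys nothing because no two rows share a salt.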
jondecker76 (Full Member, Activity: 238, Merit: 100)
June 18, 2011, 11:26:09 AM  #47

It has been proven that MtGox has been compromised via a CSRF attack. I lost 20 BTC myself:

Quote
06/14/11 15:45 Withdraw BTC 17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC -20.19 0 0.009 0.059

I also emailed MtGox as soon as I found out, and received an automated reply and assigned support ticket #1605

From my understanding, all you have to do is have the MtGox website open in your browser at the same time as another website running the attack. I commonly open all of my bitcoin related sites in separate tabs in Firefox (not anymore!).

My question is, is MtGox going to refund our money that they failed to secure? 20 BTC may not seem like a lot to some people, but it was a lot to me, and rightfully mine. I hope they do the right thing for those that lost money due to their security flaw.
(in fact, I would even continue to use MtGox now that they have fixed the problem, and they did the right thing in returning money to those that lost out)

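The mechanism jondecker76 describes, a second site firing a withdrawal while the exchange's tab is logged in, works because the browser attaches the session cookie to any request, wherever it comes from. As an added example, not code from the thread or from Mt. Gox, here is the server-side check that closes that gap: a per-session token embedded in the site's own form, which a third-party page cannot read, plus an exact-origin check on the Origin or Referer header. The site origin, addresses and amounts are placeholders.

```python
# Added example (not code from the thread or from Mt. Gox): a withdrawal handler
# that defeats the cross-site request forgery the post describes. The browser
# attaches the victim's session cookie to any request a third-party page makes,
# so the server must require something that page cannot supply: a secret token
# issued to the session and embedded in the site's own form, plus an Origin
# header matching the site. Origins, addresses and amounts below are placeholders.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://exchange.example"   # placeholder for the site's own origin


class Session:
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)   # one unguessable token per session


def render_withdraw_form(session):
    """Fields the site's own page embeds; a cross-site page cannot read them."""
    return {"csrf_token": session.csrf_token}


def same_origin(url):
    """Compare scheme and host exactly (a prefix check would accept look-alikes)."""
    site, got = urlsplit(SITE_ORIGIN), urlsplit(url or "")
    return (got.scheme, got.netloc) == (site.scheme, site.netloc)


def handle_withdraw(session, form, headers):
    """Return ('ok', amount) or ('rejected', reason) for a POST to /withdraw."""
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return ("rejected", "cross-origin request")
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return ("rejected", "missing or wrong CSRF token")
    return ("ok", form["amount"])


def own_site_request(session):
    """A submission of the form the site rendered: token present, Origin matches."""
    form = dict(render_withdraw_form(session), amount="1.5", address="PLACEHOLDER_ADDRESS")
    return handle_withdraw(session, form, {"Origin": SITE_ORIGIN})


def third_party_request(session):
    """A form auto-submitted by another site while the user is logged in: the cookie
    (and so the session) is the victim's, but the token is absent and the browser
    sets Origin to the submitting page."""
    form = {"amount": "20", "address": "PLACEHOLDER_ADDRESS"}
    return handle_withdraw(session, form, {"Origin": "https://third-party.example"})


if __name__ == "__main__":
    s = Session("victim")
    print(own_site_request(s))      # ('ok', '1.5')
    print(third_party_request(s))   # ('rejected', 'cross-origin request')
```

The two checks are independent on purpose: the origin check stops the common case cheaply, and the token check still holds when a browser omits both headers or a proxy strips them, since the token only ever travels inside the site's own form.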
apflux (Newbie, Activity: 6, Merit: 0)
June 18, 2011, 11:33:47 AM  #48

Quote from: joepie91
* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
Maybe a CSRF attack that changed your password and the funds were transferred later?
joepie91 (OP) (Sr. Member, Activity: 294, Merit: 250)
June 18, 2011, 11:42:46 AM  #49

Quote from: joepie91
* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
Quote from: apflux
Maybe a CSRF attack that changed your password and the funds were transferred later?
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.

apflux (Newbie, Activity: 6, Merit: 0)
June 18, 2011, 11:51:33 AM  #50

Quote from: joepie91
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend towards the servers, but how can you tell?
randomguy7 (Hero Member, Activity: 527, Merit: 500)
June 18, 2011, 01:00:54 PM  #51

Has a site been found which actually performs the CSRF attack? Maybe some well-visited bitcoin site is vulnerable to XSS and got the attack code included.
joepie91 (OP) (Sr. Member, Activity: 294, Merit: 250)
June 18, 2011, 01:15:04 PM  #52

Quote from: joepie91
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
Quote from: apflux
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend towards the servers, but how can you tell?
Yes. If you read the reports in this thread, you will see several people were using Linux.

I have also just seen a report of someone allegedly selling the Mt. Gox database. It would be nice if we could get a response from MagicalTux on all of this.

Megamind (Newbie, Activity: 13, Merit: 0)
June 18, 2011, 01:40:51 PM  #53

My account is safe although it has only a few BTC. Anyway, my new password is looooong.
evileric (Newbie, Activity: 14, Merit: 0)
June 18, 2011, 02:00:00 PM  #54

Thankfully I'm not one of those affected as I'm still hoarding my coins and biding my time. The markets will mature and security will improve with time; still, remember the old saying: don't put all of your eggs in one basket, or keep all of your coins in one wallet.
F104 (Newbie, Activity: 26, Merit: 0)
June 18, 2011, 03:23:47 PM  #55

Quote from: joepie91
It would be nice if we could get a response from MagicalTux on all of this.

I'm beginning to think we have heard all we are ever going to hear from him.
joepie91 (OP) (Sr. Member, Activity: 294, Merit: 250)
June 18, 2011, 04:14:08 PM  #56

Quote from: joepie91
It would be nice if we could get a response from MagicalTux on all of this.
Quote from: F104
I'm beginning to think we have heard all we are ever going to hear from him.
To be fair, he posted a thread today at http://forum.bitcoin.org/index.php?topic=18858 - however, so far it looks a lot like deny-everything marketing talk, although I may be wrong.
Plus I don't understand why he doesn't just implement two-factor authentication (through email) instead of a withdrawal password, as the latter can still be circumvented when someone indeed successfully exploits the site to a point where he has database read access.

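joepie91's objection to a withdrawal password is that it sits in the same database an intruder with read access has already reached. As an added example, not code from the thread or from Mt. Gox, here is the out-of-band confirmation he argues for instead: each withdrawal gets a fresh one-time code delivered by email, the database row holds only an HMAC of that code under a key kept outside the database, and the code is bound to the amount and destination, expires, and allows only a few attempts. The email transport, key handling, code length and limits are assumptions of this example.

```python
# Added example (not code from the thread or from Mt. Gox): out-of-band
# confirmation of withdrawals, the alternative joepie91 argues for above. A static
# withdrawal password sits in the database, so whoever can read the database has
# it. Here each withdrawal gets a fresh one-time code sent by email; the database
# row holds only an HMAC of the code under a key kept outside the database, the
# code is bound to the amount and destination, expires, and is limited to a few
# attempts. The email transport, key handling and limits are assumptions.
import hashlib
import hmac
import re
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumed to live in process config, never in the DB
CODE_TTL_SECONDS = 600                 # assumed validity window
MAX_ATTEMPTS = 5                       # assumed guess budget per request


def _tag(code):
    return hmac.new(SERVER_KEY, code.encode("ascii"), hashlib.sha256).hexdigest()


class WithdrawalConfirmations:
    def __init__(self, send_email, now=time.time):
        self._send_email = send_email   # callable(to, body); the out-of-band channel
        self._now = now
        self.pending = {}               # request_id -> row; this is what a DB dump shows

    def request(self, user_email, amount, address):
        code = f"{secrets.randbelow(10 ** 8):08d}"
        request_id = secrets.token_hex(8)
        self.pending[request_id] = {
            "code_tag": _tag(code),      # never the code itself
            "amount": amount,
            "address": address,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_email(user_email,
                         f"Confirm withdrawal of {amount} BTC to {address}: code {code} (request {request_id})")
        return request_id

    def confirm(self, request_id, code, amount, address):
        row = self.pending.get(request_id)
        if row is None:
            return ("rejected", "unknown request")
        if self._now() > row["expires"]:
            del self.pending[request_id]
            return ("rejected", "expired")
        row["attempts"] += 1
        if row["attempts"] > MAX_ATTEMPTS:
            del self.pending[request_id]
            return ("rejected", "too many attempts")
        if (amount, address) != (row["amount"], row["address"]):
            return ("rejected", "details changed")
        if not hmac.compare_digest(_tag(code), row["code_tag"]):
            return ("rejected", "wrong code")
        del self.pending[request_id]     # one-time use
        return ("ok", amount)


def code_from_email(body):
    """Helper for the demo: what the user reads off the message."""
    return re.search(r"code (\d{8})", body).group(1)


def run_demo(now=time.time):
    """Constructed walk-through; returns the four outcomes in order."""
    outbox = []
    wc = WithdrawalConfirmations(lambda to, body: outbox.append(body), now=now)
    rid = wc.request("alice@example.invalid", "1.5", "PLACEHOLDER_ADDRESS")
    code = code_from_email(outbox[-1])
    guess = "00000000" if code != "00000000" else "00000001"
    wrong = wc.confirm(rid, guess, "1.5", "PLACEHOLDER_ADDRESS")
    tampered = wc.confirm(rid, code, "1.5", "OTHER_ADDRESS")       # code is bound to the destination
    right = wc.confirm(rid, code, "1.5", "PLACEHOLDER_ADDRESS")
    replay = wc.confirm(rid, code, "1.5", "PLACEHOLDER_ADDRESS")   # already consumed
    return wrong, tampered, right, replay


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Binding the code to the amount and destination matters as much as the code itself: a confirmation the user approves for one address cannot be reused to send elsewhere. Keeping the HMAC key out of the database is what makes the stored tag safe against the read-only database access the post worries about; with a plain hash, an eight-digit code would be trivial to recover offline.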
zzyyxx (Newbie, Activity: 12, Merit: 0)
June 18, 2011, 05:06:34 PM  #57

As jondecker76 said:
Quote from: jondecker76
I have stepped forward on a few other posts - I also had money stolen from my MtGox account (20.19 BTC).
I even reported it to MtGox with no reply (this report was made before it was announced that there was a security exploit found).
It has recently been revealed that MtGox did in fact have a vulnerability, and someone even showed them the exploit by using it to prove it was there. There are also a dozen or so of us that have had this happen. Yet, the owner claimed that he can see no evidence in his logs that our money was lost due to the exploit, and that he is not going to refund anybody for the BTC stolen from his (insecure) site.
I for one will never use MtGox again. It's one thing to make a mistake and have such a simple exploit left open; it happens. It's another thing to not own up to your responsibilities as a responsible business owner. Look at the number of trades on his market, look at his fee and do the math. Bottom line is that he makes very good money from his userbase, and it should be trivial to do the right thing for a few handfuls of users that lost modest amounts of bitcoins. I don't know if it can be proven one way or another whether or not the withdrawn funds were via an exploit or not - but honestly, look at the evidence.

Having been a victim of this security flaw myself, I don't see why, considering the mass amount of cash MtGox is pulling in right now, they don't reimburse the people who, in say the 24 hour or 48 hour window this scam occurred, reported a trouble ticket to them in that time (seems all happened on the 15th/16th), even if from their own funds for God's sake... up to say "x" amount, but whatever... I guess that's why I don't run a business.
Big Time Coin (Sr. Member, Activity: 332, Merit: 250)
June 18, 2011, 06:17:37 PM  #58

Quote from: zzyyxx
Having been a victim of this security flaw myself, I don't see why, considering the mass amount of cash MtGox is pulling in right now, they don't reimburse the people who, in say the 24 hour or 48 hour window this scam occurred, reported a trouble ticket to them in that time (seems all happened on the 15th/16th), even if from their own funds for God's sake... up to say "x" amount,

qft

If they are a financial institution, they have to have fraud recovery efforts. He is trying to be legit; maybe he will come around when he thinks that, hey, I should have spent the money on security, now I have to pay for the breach.

osborn_20 (Member, Activity: 336, Merit: 10)
June 18, 2011, 09:01:49 PM  #59

Sht, this looks bad. This could diminish trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and they lose everything.

Also, doesn't anybody think it is suspicious that all these attacks are happening at the same time?



CamelToeBob (Newbie, Activity: 5, Merit: 0)
June 18, 2011, 09:13:00 PM  #60

Quote from: joepie91
I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.