Bitcoin Forum
July 25, 2016, 11:53:01 AM *
News: Latest stable version of Bitcoin Core: 0.12.1 [Torrent]
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 4 5 »  All
  Print  
Author Topic: Reports of MtGox being hacked ARE REAL (Fixed)  (Read 39534 times)
phantomcircuit
Sr. Member
****
Offline Offline

Activity: 462


View Profile
June 18, 2011, 01:58:48 AM
 #1

This exploit is no longer active.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password
...
.                     MoneyPot.com - Your Trusted Bitcoin Gambling Wallet                 ......
...

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1469447581
Hero Member
*
Offline Offline

Posts: 1469447581

View Profile Personal Message (Offline)

Ignore
1469447581
Reply with quote  #2

1469447581
Report to moderator
mizerydearia
Hero Member
*****
Offline Offline

Activity: 574



View Profile
June 18, 2011, 02:01:36 AM
 #2

liek a surgeon general warning?

Code:
BITCOIN GENERAL'S WARNING: Trading
bitcoins Causes ____ ______, _____ _______,
_________ and May Complicate ________.
phantomcircuit
Sr. Member
****
Offline Offline

Activity: 462


View Profile
June 18, 2011, 02:04:42 AM
 #3

I should mention it's a CSRF vulnerability. so people know what to do to protect themselves.
ibisy70
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 18, 2011, 02:05:01 AM
 #4

That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.
allinvain
Legendary
*
Offline Offline

Activity: 1876



View Profile
June 18, 2011, 02:06:28 AM
 #5

Pardon my ignorance, but slush's pool would be vulnerable too? Is this something bitcoin platform wide..ie with the API's ?

cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
June 18, 2011, 02:09:15 AM
 #6

I should mention it's a CSRF vulnerability. so people know what to do to protect themselves.

what is CSRF?
mizerydearia
Hero Member
*****
Offline Offline

Activity: 574



View Profile
June 18, 2011, 02:10:37 AM
 #7

what is CSRF?
Cross-Site Request Forgery
Astrohacker
Full Member
***
Offline Offline

Activity: 156



View Profile WWW
June 18, 2011, 02:11:10 AM
 #8

Pardon my ignorance, but slush's pool would be vulnerable too? Is this something bitcoin platform wide..ie with the API's ?

It could be. It is a general security problem many websites have.
Vince Torres
Sr. Member
****
Offline Offline

Activity: 337


View Profile
June 18, 2011, 02:15:27 AM
 #9

Tradehill has no reports of being hacked. If reports of Mtgox security breach is true I'm guessing they would liquidate their BTC. Be wary in the next coming weeks and months.

Namecoin.com .bit domain registrar. Register a new .bit domain for just $1!
BTC: 1LpKzg24NHmrxLZbnVphcstV3s7uA8cSnT
LTC: LWHswCFRPouCXTNiT8B9HUVnGrae9eojVg
Adam
Member
**
Offline Offline

Activity: 84


View Profile
June 18, 2011, 02:15:48 AM
 #10

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


Hordes of panicky people seem to be fleeing Mt. Gox for some unknown reason.  Professor, without knowing precisely what the danger is, would you say it's time for our viewers to crack each other's heads open and feast on the goo inside?

kgo
Hero Member
*****
Offline Offline

Activity: 548


View Profile
June 18, 2011, 02:19:45 AM
 #11

So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a seperate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a seperate copy of firefox portable if you're on windows.
imperi
Full Member
***
Offline Offline

Activity: 196


View Profile
June 18, 2011, 02:23:31 AM
 #12

By the way on mtgox.com you can register names like " apple" with a space in front, separate from an account "apple". Maybe this can lead to an exploit.
Horkabork
Full Member
***
Offline Offline

Activity: 140



View Profile
June 18, 2011, 02:25:09 AM
 #13

I want to add that phantomcircuit is an op for #bitcoin on IRC, where other folks have confirmed it as well. So don't let his mere 15 posts on the forum here dissuade you as he does speak with authority.

Me: 15gbWvpLPfbLJZBsL2u5gkBdL3BUXDbTuF
A goat: http://i52.tinypic.com/34pj4v6.jpg
Horkabork
Full Member
***
Offline Offline

Activity: 140



View Profile
June 18, 2011, 02:29:30 AM
 #14

So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a seperate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a seperate copy of firefox portable if you're on windows.

There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this:
firefox.exe -P "NewProfileNameHere" -no-remote

Then you can do the same for your other profile and run both at the same time, with no interaction.

Me: 15gbWvpLPfbLJZBsL2u5gkBdL3BUXDbTuF
A goat: http://i52.tinypic.com/34pj4v6.jpg
kgo
Hero Member
*****
Offline Offline

Activity: 548


View Profile
June 18, 2011, 02:32:37 AM
 #15

So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a seperate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a seperate copy of firefox portable if you're on windows.

There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this:
firefox.exe -P "NewProfileNameHere" -no-remote

Then you can do the same for your other profile and run both at the same time, with no interaction.

Yeah, that'll work.  I was trying to provide a simple solution for people who aren't techies.
Icy-
Newbie
*
Offline Offline

Activity: 28


View Profile
June 18, 2011, 02:42:46 AM
 #16

So they are taking my cookies? NOZ! Angry
cuddlefish
Full Member
***
Offline Offline

Activity: 126


View Profile WWW
June 18, 2011, 02:44:50 AM
 #17

I have independently confirmed that MtGox has a GIGANTIC CSRF vuln that lets me empty your account.

MagicalTux, you should know better than that. Honestly.

I'm Nathaniel Theis.
Selling 1 BTC for cash near Berkeley, CA
161eFswCmjZvijEmiEdXVCKy8EXYfybZzx
imperi
Full Member
***
Offline Offline

Activity: 196


View Profile
June 18, 2011, 02:47:02 AM
 #18

So they are taking my cookies? NOZ! Angry

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.
Bunghole
Member
**
Offline Offline

Activity: 64



View Profile
June 18, 2011, 02:48:26 AM
 #19

Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity.  I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.
cuddlefish
Full Member
***
Offline Offline

Activity: 126


View Profile WWW
June 18, 2011, 02:54:11 AM
 #20

So they are taking my cookies? NOZ! Angry

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

Nope.avi.
CSRF != XSS.

XSS = put my javascript on your site

CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript

I'm Nathaniel Theis.
Selling 1 BTC for cash near Berkeley, CA
161eFswCmjZvijEmiEdXVCKy8EXYfybZzx
Pages: [1] 2 3 4 5 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!