Bitcoin Forum
December 06, 2016, 09:59:28 PM *
Author Topic: Reports of MtGox being hacked ARE REAL (Fixed)  (Read 40207 times)
Bunghole
June 18, 2011, 04:03:07 AM  #41

Watch how Bitcoin brings computer security to the masses. Just another undiscovered benefit.

It has certainly impacted me personally.  I have learned a lot about security in the past two weeks on this site, and I have already begun migrating from Windows to Ubuntu.
Dirt Rider
June 18, 2011, 04:06:01 AM  #42

Is it just me or does all this seem just a little bit sensational.
kokojie
June 18, 2011, 04:22:27 AM  #43

Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity.  I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.

The fact that TradeHill doesn't log you out has no impact on your security, IF TradeHill properly implemented security measures to prevent CSRF.


cuddlefish
June 18, 2011, 04:24:55 AM  #44

Mtgox is not the only CSRF'able site.
http://forum.bitcoin.org/index.php?topic=18020.0

Capitan
June 18, 2011, 05:29:33 AM  #45

Is there a firefox plugin that will
So they are taking my cookies? NOZ! Angry

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

Nope.avi.
CSRF != XSS.

XSS = put my javascript on your site

CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript

How can this be dealt with on the client side besides what's been mentioned above? Is there a method to detect/disable both vulnerabilities without turning off cookies and JS?
Is there a Firefox plugin that will make each tab have its own session? That would take care of the problem.
Capitan
June 18, 2011, 05:30:06 AM  #46

The noscript add-on says it has "limited" CSRF protection. I'm not sure what that means.
Capitan
June 18, 2011, 05:32:14 AM  #47

In my understanding any web site is vulnerable to such an attack? Is this correct?

Not correctly-designed ones.

(I don't blame MagicalTux, since he didn't write the code.)

Could you or anyone please point me to where one can read how it can be dealt with on the server side?


That info is on the wiki page for CSRF. Basically the server side needs to put a unique token on each page and check for the presence of it on postback. Also doing an HTTP Referrer check helps a lot. There are other things as well but those are the main two.
Horkabork
June 18, 2011, 05:44:37 AM  #48

Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

EDIT: It's fixed by MagicalTux. Sounds like it was just a website bug, not a security thing.

iCEBREAKER
June 18, 2011, 05:49:07 AM  #49

Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Yep, same here.

I demand that strong feelings be expressed, and highly recommend a general panic.  Mass hysteria is our only option!

Desu
June 18, 2011, 05:56:50 AM  #50

Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.

imperi
June 18, 2011, 06:04:09 AM  #51

Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.

I think it's a guy, just with a girly name.
beeph
June 18, 2011, 06:05:20 AM  #52

So as I understand it, you're only vulnerable if you're compromised by another site already?  Why don't you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people would infer from this)?

goldbit
June 18, 2011, 06:06:32 AM  #53

Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Same problem here.
I am extremely nervous right now. I hope it is just a glitch at Mt Gox.

Can anyone confirm it?

mouse
June 18, 2011, 06:07:11 AM  #54

I believe that this type of attack is when the session token is stored as a cookie AND the server doesn't check the referrer. The normal method is to store a new session token on each post to the client, which gets submitted back each time (so it's stored in the user's webpage, not in a cookie).

This is just from memory, but if it's true, then, honestly, I have no faith at all in any website that fell for this. This issue would fall under 'basic' security and has probably been around for years. Sure it might be plugged now, but what else isn't?

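The two server-side checks described in #47 and #54 above (a token tied to the login session that must come back with every POST, plus a Referer/Origin check) as an added Python example; this is not code from the thread or from Mt.Gox, and the site origin, session ids and form fields are constructed for illustration. The token here is an HMAC over the session id rather than a freshly stored nonce per page, a common variant of the same idea.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://exchange.example"   # constructed: the site's own origin
SERVER_KEY = secrets.token_bytes(32)        # server-side secret, never sent to browsers


def issue_token(session_id: str) -> str:
    """Token to embed as a hidden form field on every page served to this session.
    It is bound to the session so a form built on another site cannot supply it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, submitted) -> bool:
    """Check the token posted back against the one this session should hold."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), str(submitted))


def referer_ok(headers: dict) -> bool:
    """Second, weaker layer: the request must claim to come from our own origin.
    Origin is preferred; Referer is the fallback. No header at all is rejected,
    since a cross-site form post would be indistinguishable from it."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def accept_post(session_id: str, headers: dict, form: dict):
    """Decide whether a state-changing POST (e.g. a withdrawal) may proceed.
    Returns (accepted, reason). The session id stands in for the cookie the
    browser attaches automatically, which is exactly why it alone is not enough."""
    if not token_valid(session_id, form.get("csrf_token")):
        return False, "missing or wrong csrf token"
    if not referer_ok(headers):
        return False, "cross-site or absent referer"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id carried in the cookie
    own_page = {"Referer": SITE_ORIGIN + "/withdraw"}
    print(accept_post(sid, own_page, {"csrf_token": issue_token(sid), "amount": "10"}))
    # A form hosted elsewhere rides on the cookie but cannot know the token:
    print(accept_post(sid, {"Referer": "https://other.example/"}, {"amount": "10"}))
```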
dr.bitcoin
June 18, 2011, 06:16:07 AM  #55

Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which banks have IT departments, security officers, response teams etc.

We desperately need a solution here. I think one of the reasons for the recent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...
dr.bitcoin
June 18, 2011, 06:18:50 AM  #56

mouse, you are pretty much correct.
cottoneyeJoe
June 18, 2011, 07:21:18 AM  #57

Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which banks have IT departments, security officers, response teams etc.

We desperately need a solution here. I think one of the reasons for the recent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...

Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Don't risk what you can't afford to lose, I suppose.

Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)
- the hole was apparently closed pretty damn fast once Mt.Gox became aware/verified it

As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them... they don't really seem to do much better... case in point... CitiBank

Quote
"Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique...cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

from http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access

..and those details came to light many many months after the event.

I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

Stay with the state regulated banks and fiat currencies if you want perceived safety of regulators and so called experts looking out for you. Be prepared to take more than a modicum of self-responsibility out here, however.

Bravo, bitcoin community!

Horkabork
June 18, 2011, 07:33:42 AM  #58

The login issue is fixed for me and it looks like several others. It sounds like it was unrelated to the security stuff.

Kudos to MagicalTux for fixing the login issue almost as soon as he heard of it.

charliesheen
June 18, 2011, 08:31:15 AM  #59

My PHP curl attempts stopped working a few hours ago. Any explanation for this?

Grant
June 18, 2011, 08:52:32 AM  #60

Both bugs are fixed now. I have just verified it.

I still feel kinda paranoid about logging in without a verification from mtgox.

I panic withdrew 50% of my funds yesterday after seeing this thread (something I had originally planned to use for trading).
