Bitcoin Forum
December 08, 2016, 02:34:36 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4] 5 »  All
  Print  
Author Topic: Reports of MtGox being hacked ARE REAL (Fixed)  (Read 40209 times)
Disposition
Full Member
***
Offline Offline

Activity: 122


View Profile
June 18, 2011, 09:01:55 AM
 #61

my php curl attempts stopped working a few hours ago, any explanation for this?

seconded, I actually think the server is just being hammered or something, apparently I just got through a few second ago and printed me some data, I wrote a script to ping it every 15 minutes, thought it was up but I guess not.
1481164476
Hero Member
*
Offline Offline

Posts: 1481164476

View Profile Personal Message (Offline)

Ignore
1481164476
Reply with quote  #2

1481164476
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481164476
Hero Member
*
Offline Offline

Posts: 1481164476

View Profile Personal Message (Offline)

Ignore
1481164476
Reply with quote  #2

1481164476
Report to moderator
1481164476
Hero Member
*
Offline Offline

Posts: 1481164476

View Profile Personal Message (Offline)

Ignore
1481164476
Reply with quote  #2

1481164476
Report to moderator
1481164476
Hero Member
*
Offline Offline

Posts: 1481164476

View Profile Personal Message (Offline)

Ignore
1481164476
Reply with quote  #2

1481164476
Report to moderator
mikey5287
Newbie
*
Offline Offline

Activity: 26


View Profile
June 18, 2011, 09:02:13 AM
 #62

this is why I don't keep bitcoin/money in MtGox.
I alway do my business quick, get in and out.

Hell the wallet I sent all my coins to, I only boot when I want to trade.  Well after waiting for the block download.

This signature space is currently for sale.
proudhon
Legendary
*
Offline Offline

Activity: 1148



View Profile
June 18, 2011, 09:54:47 AM
 #63

This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.
bitoption
Jr. Member
*
Offline Offline

Activity: 56


View Profile WWW
June 18, 2011, 10:05:29 AM
 #64

Bitoption was hit with CSRF attacks today as well; no successes, though.

Re: Curl and Mt. Gox, I believe they changed their SSL Cert recently. My linux boxes didn't have a good CA chain to their authority, and resisted all attempts to add the chain in. Eventually I just imported the direct Gox one and marked it trusted. Curl finally shut up at that point.

----** In Beta: The First Bitcoin Options Market ----**

Explanation and discussion: http://forum.bitcoin.org/index.php?topic=9611.0

API Developer Thread:
http://forum.bitcoin.org/index.php?topic=14194.0

-----------------------------------------------------------
joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
June 18, 2011, 10:12:31 AM
 #65

I have sent MagicalTux a PM about a CSS history sniffing vulnerability and haven't had a response yet.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
jondecker76
Full Member
***
Offline Offline

Activity: 238


View Profile
June 18, 2011, 10:20:24 AM
 #66

What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)

RollerBot Advanced Trading Platform
https://bitcointalk.org/index.php?topic=447727.0
BTC Donations for development: 1H36oTJsi3adFh68wwzz95tPP2xoAoTmhC
MiningBuddy
Staff
Legendary
*
Offline Offline

Activity: 1058


฿itcoin ฿itcoin ฿itcoin


View Profile
June 18, 2011, 10:59:43 AM
 #67

What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)
From IRC several hours ago
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.

killerstorm
Legendary
*
Offline Offline

Activity: 994



View Profile
June 18, 2011, 11:19:22 AM
 #68

(I don't blame MagicalTux, since he didn't write the code.)

But he has "PHP can do ANYTHING!" in his motto which suggests that he knows some stuff about web dev. (I haven't seen non web-dev fans of PHP so far.)

And I think any decent web developer should be well aware of CSRF.

It takes approximately a minute to check whether your site has CSRF vulnerability. Then it takes approximately a minute to fix this (via referer check, which is less than perfect, but will work).

So, no, being 'alone' is not an excuse. It takes just two fucking minutes to secure your site. If you cannot find two minutes then you shouldn't be in business.

If you don't know web stuff very well then, well, pay somebody who can secure it.

There are NO excuses for for-profit enterprises.

colored coins proof-of-concept: private currencies, stock/bond p2p exchange

Tips and donations: 16v13Fa9cPmfFzpm9mmbWwAkXY4gyY6uh4
ius
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 18, 2011, 11:48:44 AM
 #69

Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Dont risk what you cant afford to lose, I suppose.

Even if you protect your private keys and passwords carefully it appears you could be compromised on MtGox. People expect an exchange to be secure, and that's completely reasonable (quote from MtGox frontpage: "Safe and Easy"). Security should be the number one priority for such operations - you'd rather be unable to trade due to a non-security-related bug rather than lose all of yours coins, right?

Quote
Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

It should have been prevented (not caught) during development. But the few bits of MtGox history I picked up learnt me that MtGox was sold and is based on a code base once used for a completely different trading purpose. I hope the current maintainer(s?) aren't the same ones who wrote the insecure code. Neglecting security to "keep things running" doesn't sound like proper practise to me, regardless.

Quote
What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)

By who? Especially your second point shouldn't have been the responsibility of the users. In case of a security incident I expect full (and pre-emptive) transparency about the issue, it's impact and mitigation. Look at LastPass, think they did a pretty good job recently.. I haven't seen MtGox do anything like that at all.

Quote
As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they dont really seem to do much better...case in point....CitiBank

So you're basically saying regulations and audits are pointless, backed up by a single example. Go tell your bank how they can save some cash..

Quote
I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

We're not.
-The reference bitcoin client currently stores keys in plaintext, which is a huge vulnerability considering 'the average user' needs lots of handholding to remain secure (0.4 should at least protect you from clueless adversaries).
- Exchanges aren't as secure as they should be - CSRF vulnerabilties were reported in multiple exchanges.

Bottom line: I believe MtGox is operating understaffed on a outdated, re-used and potentially inherently insecure code base. The very least they could do is get some auditing done and hire some competent developers to fix found issues.

PGP: 0xCC06E446 Bitcoin: 19kdfgW1KXQgV7SCLEPAojtHxN9xotGkGH
genjix
Legendary
*
Offline Offline

Activity: 1232


View Profile
June 18, 2011, 11:57:56 AM
 #70

1. Britcoin was never hacked.
2. We have all the funds there.
3. A team of 4 is working fulltime on the code: https://gitorious.org/intersango/
Batouzo
Member
**
Offline Offline

Activity: 70


View Profile
June 18, 2011, 12:05:58 PM
 #71

So they are taking my cookies? NOZ! Angry

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

This is exactly why I tell everyone to setup separate account for such jobs: e.g. separate firefox/browser profile used ONLY to access say mtgox.com

btw.: Trololololo

Batouzo
Member
**
Offline Offline

Activity: 70


View Profile
June 18, 2011, 12:12:27 PM
 #72

THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password

So an JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be adviced to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.

tcatm
Sr. Member
****
Offline Offline

Activity: 337


View Profile
June 18, 2011, 12:34:51 PM
 #73

So an JS based exploit?

Nope, the bug was not related to JavaScript.
joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
June 18, 2011, 12:37:13 PM
 #74

THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password

So an JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be adviced to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.



JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
June 18, 2011, 12:38:33 PM
 #75

so as I understand it you're only vulnerable if you're compromised by another site already?  Why dont you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people woul infer from this)

Nope, you were vulnerable just by visiting a malicious site whilst logged into Mt Gox - or even just an otherwise-trustworthy site with a malicious ad on it, in theory. The problem was with Mt Gox. They failed to verify that form data sumitted from your browser telling the site to do stuff was actually submitted by you rather than from some random evil webpage you've visited. This is a well known type of security issue and the methods of preventing it are also well-known.

So an JS based exploit?

Javascript makes CSRF slightly easier to exploit but not much. If you had Javascript disabled the malicious website would have to trick you into clicking a button on the page in order to hack you, but the button could be named and styled and presented however they wanted. (Also, as joepie91 says, it doesn't matter whether Mt Gox itself used Javascript or not.)

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
Vandroiy
Legendary
*
Offline Offline

Activity: 1036


View Profile
June 18, 2011, 01:05:37 PM
 #76

So, just to get this right:

We found a massive security hole. Multiple people claim to have money stolen. MtGox writes a line on IRC stating the hole was not exploited, and we remain with multiple users who claim to not have been paid the money owed by MtGox?

I'd like this examined in detail. If my money ever disappears in such a fashion, I will be on the next plane to Japan to figure out in person what the fuck happened.

Just saying, this isn't a SONY-class incident leaking personal data, we have money vanishing according to some people, and just found a potential cause of it.
jondecker76
Full Member
***
Offline Offline

Activity: 238


View Profile
June 18, 2011, 02:00:44 PM
 #77

I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  Thats what you do as an honest business

RollerBot Advanced Trading Platform
https://bitcointalk.org/index.php?topic=447727.0
BTC Donations for development: 1H36oTJsi3adFh68wwzz95tPP2xoAoTmhC
Ricochet
Sr. Member
****
Offline Offline

Activity: 373



View Profile
June 18, 2011, 06:18:14 PM
 #78

I'll admit, as soon as multiple people started claiming they were being hacked, I bought up as many bitcoins as I could with my remaining MtGoxUSD and got the coins out of there ASAP.  It will be a long time before I trust the website enough to use it regularly again.

This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.
Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.
Grant
Full Member
***
Offline Offline

Activity: 168



View Profile
June 18, 2011, 07:15:03 PM
 #79


Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vurnabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.

cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 18, 2011, 08:07:16 PM
 #80


Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vurnabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.



myopenid works with RSA tokens

Pages: « 1 2 3 [4] 5 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!