|
phantomcircuit (OP)
|
 |
June 18, 2011, 01:58:48 AM
Last edit: July 22, 2011, 07:27:32 PM by phantomcircuit |
|
This exploit is no longer active.
I have identified an exploit in MtGox allowing an attacker to completely take over some users account.
I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.
All of the threads about MtGox accounts being hacked are REAL.
A strong password will not help you. Anti Virus software WILL NOT HELP YOU.
This is not a trojan or a virus.
You can protect yourself by only visiting MtGox and then immediately logging out.
<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode
<tcatm> phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password
|
|
|
|
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
|
mizerydearia
|
 |
June 18, 2011, 02:01:36 AM |
|
liek a surgeon general warning? BITCOIN GENERAL'S WARNING: Trading
bitcoins Causes ____ ______, _____ _______,
_________ and May Complicate ________. |
|
|
|
|
|
phantomcircuit (OP)
|
|
June 18, 2011, 02:04:42 AM |
|
I should mention it's a CSRF vulnerability. so people know what to do to protect themselves.
|
|
|
|
|
ibisy70
Member
 Offline
Activity: 88
Merit: 10
|
|
June 18, 2011, 02:05:01 AM |
|
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.
|
|
|
|
|
allinvain
Legendary
Offline
Activity: 3080
Merit: 1080
|
|
June 18, 2011, 02:06:28 AM |
|
Pardon my ignorance, but slush's pool would be vulnerable too? Is this something bitcoin platform wide..ie with the API's ?
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
June 18, 2011, 02:09:15 AM |
|
I should mention it's a CSRF vulnerability. so people know what to do to protect themselves.
what is CSRF? |
|
|
|
|
|
mizerydearia
|
|
June 18, 2011, 02:10:37 AM |
|
what is CSRF?
Cross-Site Request Forgery |
|
|
|
|
|
Astrohacker
|
|
June 18, 2011, 02:11:10 AM |
|
Pardon my ignorance, but slush's pool would be vulnerable too? Is this something bitcoin platform wide..ie with the API's ?
It could be. It is a general security problem many websites have. |
|
|
|
|
|
Vince Torres
|
|
June 18, 2011, 02:15:27 AM |
|
Tradehill has no reports of being hacked. If reports of Mtgox security breach is true I'm guessing they would liquidate their BTC. Be wary in the next coming weeks and months.
|
Namecoin.com .bit domain registrar. Register a new .bit domain for just $1! BTC: 1LpKzg24NHmrxLZbnVphcstV3s7uA8cSnT LTC: LWHswCFRPouCXTNiT8B9HUVnGrae9eojVg
|
|
|
|
Adam
|
|
June 18, 2011, 02:15:48 AM |
|
I have identified an exploit in MtGox allowing an attacker to completely take over some users account.
I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.
All of the threads about MtGox accounts being hacked are REAL.
A strong password will not help you. Anti Virus software WILL NOT HELP YOU.
This is not a trojan or a virus.
You can protect yourself by only visiting MtGox and then immediately logging out.
Hordes of panicky people seem to be fleeing Mt. Gox for some unknown reason. Professor, without knowing precisely what the danger is, would you say it's time for our viewers to crack each other's heads open and feast on the goo inside? |
|
|
|
|
kgo
|
|
June 18, 2011, 02:19:45 AM |
|
So what this means...
If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.
To protect yourself, use a seperate browser for mtgox ONLY.
If you normally use firefox, install chrome and use that for mtgox. If you use chrome, install firefox.
If you use both, install a seperate copy of firefox portable if you're on windows.
|
|
|
|
|
|
imperi
|
|
June 18, 2011, 02:23:31 AM |
|
By the way on mtgox.com you can register names like " apple" with a space in front, separate from an account "apple". Maybe this can lead to an exploit.
|
|
|
|
|
|
Horkabork
|
|
June 18, 2011, 02:25:09 AM |
|
I want to add that phantomcircuit is an op for #bitcoin on IRC, where other folks have confirmed it as well. So don't let his mere 15 posts on the forum here dissuade you as he does speak with authority.
|
|
|
|
|
Horkabork
|
|
June 18, 2011, 02:29:30 AM |
|
So what this means...
If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.
To protect yourself, use a seperate browser for mtgox ONLY.
If you normally use firefox, install chrome and use that for mtgox. If you use chrome, install firefox.
If you use both, install a seperate copy of firefox portable if you're on windows.
There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this: firefox.exe -P "NewProfileNameHere" -no-remote Then you can do the same for your other profile and run both at the same time, with no interaction. |
|
|
|
|
kgo
|
|
June 18, 2011, 02:32:37 AM |
|
So what this means...
If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.
To protect yourself, use a seperate browser for mtgox ONLY.
If you normally use firefox, install chrome and use that for mtgox. If you use chrome, install firefox.
If you use both, install a seperate copy of firefox portable if you're on windows.
There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this: firefox.exe -P "NewProfileNameHere" -no-remote Then you can do the same for your other profile and run both at the same time, with no interaction. Yeah, that'll work. I was trying to provide a simple solution for people who aren't techies. |
|
|
|
|
Icy-
Newbie
Offline
Activity: 28
Merit: 0
|
|
June 18, 2011, 02:42:46 AM |
|
So they are taking my cookies? NOZ!  |
|
|
|
|
|
cuddlefish
|
|
June 18, 2011, 02:44:50 AM |
|
I have independently confirmed that MtGox has a GIGANTIC CSRF vuln that lets me empty your account.
MagicalTux, you should know better than that. Honestly.
|
|
|
|
|
|
imperi
|
|
June 18, 2011, 02:47:02 AM |
|
So they are taking my cookies? NOZ! Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox. I don't know this specific exploit but that is how it generally works. |
|
|
|
|
Bunghole
Member
Offline
Activity: 64
Merit: 10
|
|
June 18, 2011, 02:48:26 AM |
|
Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity. I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.
|
|
|
|
|
|
cuddlefish
|
|
June 18, 2011, 02:54:11 AM |
|
So they are taking my cookies? NOZ! Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox. I don't know this specific exploit but that is how it generally works. Nope.avi. CSRF != XSS. XSS = put my javascript on your site CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript |
|
|
|
|
|
