Reports of MtGox being hacked ARE REAL (Fixed)

[Bunghole]

Watch how Bitcoin brings computer security to the masses. Just another undiscovered benefit.

It has certainly impacted me personally.  I have learned a lot about security in the past two weeks on this site, and I have already begun migrating from Windows to Ubuntu.

[1713494382]

1713494382

[Dirt Rider]

Is it just me or does all this seem just a little bit sensational.

[kokojie]

Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity.  I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.

The fact that tradehill doesn't log you out has no impact on your security, IF tradehill properly implemented security measures to prevent CSRF

[cuddlefish]

Mtgox is not the only CSRF'able site.
http://forum.bitcoin.org/index.php?topic=18020.0

[Capitan]

Is there a firefox plugin that will

So they are taking my cookies? NOZ!

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

Nope.avi.
CSRF != XSS.

XSS = put my javascript on your site

CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript

how can this be dealt on a client side besides what's been mentioned above, is there a method to detect/disable both vulnerabilities without turning off cookies and js?

Is there a firefox plugin that will make each tab have it's own session? That would take care of the problem.

[Capitan]

The noscript add-on says it has "limited" CSRF protection. I'm not sure what that means.

[Capitan]

in my understanding any web site is vulnerable to such attack? is this correct?

Not correctly-designed ones.

(I don't blame MagicalTux, since he didn't write the code.)

Could you or anyone please point me where one can read how it can be dealt with on a server side?

That info is on the wiki page for CSRF. Basically the server side needs to put a unique token on each page and check for the presence of it on postback. Also doing an HTTP Referrer check helps a lot. There are other things as well but those are the main two.

[Horkabork]

Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

EDIT: It's fixed by MagicalTux. Sounds like it was just a website bug, not a security thing.

[iCEBREAKER]

Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Yep, same here.

I demand that strong feelings be expressed, and highly recommend a general panic.  Mass hysteria is our only option!

[Desu]

Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.

[imperi]

Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.

I think it's a guy, just with a girly name.

[beeph]

so as I understand it you're only vulnerable if you're compromised by another site already?  Why dont you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people woul infer from this)

[goldbit]

Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Same problem here.
I am extremely nervous right now. I hope it is just a glitch at Mt Gox.

Can anyone confirm it?

[mouse]

I believe that this type of attack is when the session token is stored as a cookie AND the server doesn't check the referrer. The normal method is to store a new session token on each post to the client, which gets sebmitted back each time (so its stored in the users webpage, not in a cookie).

This is just from memory, but if its true, then, honestly, I have no faith at all in any website that fell for this. This issue would fall under 'basic' security and has probably been around for years. Sure it might be plugged now, but what else isn't?

[dr.bitcoin]

Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which bank have IT departments, security officers, response teams etc.

We desperately need a solution here, I think one of the reasons for the resent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...

[dr.bitcoin]

mouse, you are pretty much correct.

[cottoneyeJoe]

Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which bank have IT departments, security officers, response teams etc.

We desperately need a solution here, I think one of the reasons for the resent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...

Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Dont risk what you cant afford to lose, I suppose.

Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)
- the hole was apparently closed pretty damn fast once Mt.Gox became aware/verified it

As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they dont really seem to do much better...case in point....CitiBank

"Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique...cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

from http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access

..and those details came to light many many months after the event.

I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

Stay with the state regulated banks and fiat currencies if you want perceived safety of regulators and so called experts looking out for you. Be prepared to take more than a modicum of self-responsibility out here, however.

Bravo, bitcoin community!

[Horkabork]

The login issue is fixed for me and it looks like several others. It sounds like it was unrelated to the security stuff.

Kudos to MagicalTux for fixing the login issue almost as soon as he heard of it.

[charliesheen]

my php curl attempts stopped working a few hours ago, any explanation for this?

[Grant]

Both bugs are fixed now. I have just verified it.

I still feel kinda paranoid about logging in without a verification from mtgox.

I panic withdrew 50% of my funds yesterday after seeing this thread. (something i had originally planned to use for trading)