Reports of MtGox being hacked ARE REAL (Fixed)

[Disposition]

my php curl attempts stopped working a few hours ago, any explanation for this?

seconded, I actually think the server is just being hammered or something, apparently I just got through a few second ago and printed me some data, I wrote a script to ping it every 15 minutes, thought it was up but I guess not.

[1714189076]

1714189076

[1714189076]

1714189076

[mikey5287]

this is why I don't keep bitcoin/money in MtGox.
I alway do my business quick, get in and out.

Hell the wallet I sent all my coins to, I only boot when I want to trade.  Well after waiting for the block download.

[proudhon]

This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.

[bitoption]

Bitoption was hit with CSRF attacks today as well; no successes, though.

Re: Curl and Mt. Gox, I believe they changed their SSL Cert recently. My linux boxes didn't have a good CA chain to their authority, and resisted all attempts to add the chain in. Eventually I just imported the direct Gox one and marked it trusted. Curl finally shut up at that point.

[joepie91]

I have sent MagicalTux a PM about a CSS history sniffing vulnerability and haven't had a response yet.

[jondecker76]

What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)

[MiningBuddy]

What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)

From IRC several hours ago

09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.

[killerstorm]

(I don't blame MagicalTux, since he didn't write the code.)

But he has "PHP can do ANYTHING!" in his motto which suggests that he knows some stuff about web dev. (I haven't seen non web-dev fans of PHP so far.)

And I think any decent web developer should be well aware of CSRF.

It takes approximately a minute to check whether your site has CSRF vulnerability. Then it takes approximately a minute to fix this (via referer check, which is less than perfect, but will work).

So, no, being 'alone' is not an excuse. It takes just two fucking minutes to secure your site. If you cannot find two minutes then you shouldn't be in business.

If you don't know web stuff very well then, well, pay somebody who can secure it.

There are NO excuses for for-profit enterprises.

[ius]

Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Dont risk what you cant afford to lose, I suppose.

Even if you protect your private keys and passwords carefully it appears you could be compromised on MtGox. People expect an exchange to be secure, and that's completely reasonable (quote from MtGox frontpage: "Safe and Easy"). Security should be the number one priority for such operations - you'd rather be unable to trade due to a non-security-related bug rather than lose all of yours coins, right?

Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

It should have been prevented (not caught) during development. But the few bits of MtGox history I picked up learnt me that MtGox was sold and is based on a code base once used for a completely different trading purpose. I hope the current maintainer(s?) aren't the same ones who wrote the insecure code. Neglecting security to "keep things running" doesn't sound like proper practise to me, regardless.

What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)

By who? Especially your second point shouldn't have been the responsibility of the users. In case of a security incident I expect full (and pre-emptive) transparency about the issue, it's impact and mitigation. Look at LastPass, think they did a pretty good job recently.. I haven't seen MtGox do anything like that at all.

As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they dont really seem to do much better...case in point....CitiBank

So you're basically saying regulations and audits are pointless, backed up by a single example. Go tell your bank how they can save some cash..

I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

We're not.
-The reference bitcoin client currently stores keys in plaintext, which is a huge vulnerability considering 'the average user' needs lots of handholding to remain secure (0.4 should at least protect you from clueless adversaries).
- Exchanges aren't as secure as they should be - CSRF vulnerabilties were reported in multiple exchanges.

Bottom line: I believe MtGox is operating understaffed on a outdated, re-used and potentially inherently insecure code base. The very least they could do is get some auditing done and hire some competent developers to fix found issues.

[genjix]

1. Britcoin was never hacked.
2. We have all the funds there.
3. A team of 4 is working fulltime on the code: https://gitorious.org/intersango/

[Batouzo]

So they are taking my cookies? NOZ!

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

This is exactly why I tell everyone to setup separate account for such jobs: e.g. separate firefox/browser profile used ONLY to access say mtgox.com

btw.: Trololololo

[Batouzo]

THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password

So an JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be adviced to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.

[tcatm]

So an JS based exploit?

Nope, the bug was not related to JavaScript.

[joepie91]

THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


<tcatm> workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

<tcatm> phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password

So an JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be adviced to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.

JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

[makomk]

so as I understand it you're only vulnerable if you're compromised by another site already?  Why dont you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people woul infer from this)

Nope, you were vulnerable just by visiting a malicious site whilst logged into Mt Gox - or even just an otherwise-trustworthy site with a malicious ad on it, in theory. The problem was with Mt Gox. They failed to verify that form data sumitted from your browser telling the site to do stuff was actually submitted by you rather than from some random evil webpage you've visited. This is a well known type of security issue and the methods of preventing it are also well-known.

So an JS based exploit?

Javascript makes CSRF slightly easier to exploit but not much. If you had Javascript disabled the malicious website would have to trick you into clicking a button on the page in order to hack you, but the button could be named and styled and presented however they wanted. (Also, as joepie91 says, it doesn't matter whether Mt Gox itself used Javascript or not.)

[Vandroiy]

So, just to get this right:

We found a massive security hole. Multiple people claim to have money stolen. MtGox writes a line on IRC stating the hole was not exploited, and we remain with multiple users who claim to not have been paid the money owed by MtGox?

I'd like this examined in detail. If my money ever disappears in such a fashion, I will be on the next plane to Japan to figure out in person what the fuck happened.

Just saying, this isn't a SONY-class incident leaking personal data, we have money vanishing according to some people, and just found a potential cause of it.

[jondecker76]

I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  Thats what you do as an honest business

[Ricochet]

I'll admit, as soon as multiple people started claiming they were being hacked, I bought up as many bitcoins as I could with my remaining MtGoxUSD and got the coins out of there ASAP.  It will be a long time before I trust the website enough to use it regularly again.

This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

[Grant]

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vurnabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.

[cuddlefish]

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vurnabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.

myopenid works with RSA tokens