Bitcoin Forum
Author Topic: Reports of MtGox being hacked ARE REAL (Fixed)  (Read 41512 times)
kwukduck (Legendary, Activity: 1937, Merit: 1001)
June 19, 2011, 12:03:36 AM  #81

Damn it...! I knew it wasn't any of my systems that got compromised..!

14b8PdeWLqK3yi3PrNHMmCvSmvDEKEBh3E
gigabytecoin (Sr. Member, Activity: 280, Merit: 252)
June 19, 2011, 01:21:11 AM  #82

Quote
That would make sense, my account was hacked and the only places I used my password were mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?
imperi (Full Member, Activity: 196, Merit: 101)
June 19, 2011, 01:25:12 AM  #83

Quote from: gigabytecoin
Quote
That would make sense, my account was hacked and the only places I used my password were mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?

My favorite part is that they blame the websites.
JackSparrow (Member, Activity: 116, Merit: 10)
June 19, 2011, 12:01:25 PM  #84

Quote
I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened. I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now.

I remember when Deepbit was hacked some time ago and some people lost bitcoins. They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back. That's what you do as an honest business.

+1

A good friend of mine lost about 20 btc.
kwukduck (Legendary, Activity: 1937, Merit: 1001)
June 19, 2011, 01:06:14 PM  #85

I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, I'm done using MtGox...

14b8PdeWLqK3yi3PrNHMmCvSmvDEKEBh3E
Batouzo (Member, Activity: 70, Merit: 10)
June 19, 2011, 01:20:13 PM  #86

Quote
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with the possibility to disable JS in the browser, which users might want to do.

Even as makomk said, JS was not a necessity for THIS attack (just making it a bit easier by autosubmitting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages, require it).
willphase (Hero Member, Activity: 767, Merit: 500)
June 19, 2011, 01:20:34 PM  #87

Might be worth adding a captcha to any form of transaction via the web on mtgox?

Will

joepie91 (Sr. Member, Activity: 294, Merit: 250)
June 19, 2011, 01:52:55 PM  #88

Quote from: Batouzo
Quote
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with the possibility to disable JS in the browser, which users might want to do.

Even as makomk said, JS was not a necessity for THIS attack (just making it a bit easier by autosubmitting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages, require it).

Javascript is a legitimate technology that is pretty much a basic cornerstone of the web as it is now. You can't just take that away. A way better option would probably be if browsers by default protect against CSRF attacks, like they do with XSS now.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu :)
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
freequant (Hero Member, Activity: 770, Merit: 500)
June 19, 2011, 04:25:37 PM  #89

Quote from: kwukduck
I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, I'm done using MtGox...

On logical grounds, this cannot be true because an XSRF vulnerability can only be found and confirmed by exploiting it, and several people already confirmed they have tried the exploit before and after it was fixed. The statement that the vuln was never exploited is therefore false.

In addition, I seriously doubt that a developer that was careless enough to trust a session token without checking the referral URL could think of logging it. And if MtGox did not log the referral URL of the HTTP requests of each transaction, they cannot possibly claim that they know the flaw was not exploited.

If you have had money stolen from your MtGox account prior to the fix of this exploit, the least you are within your rights to demand is the full log showing your transactions as well as the one where your funds were stolen. If the log does not contain any referral URLs, or they are not from the mtgox domain, or the IPs used were only yours, then there really is something fishy.

Surely, the logs can be rewritten to make it seem like the transaction was requested from another IP. Just to make sure it is not the case, some people who have NOT been hacked but have done multiple transactions from the same IP should claim that their account got hacked and ask for the logs just to ascertain that there is only their IP there and there is no log rewriting going on.

Another VERY important thing if you got robbed from your MtGox account but they refuse to be liable for it: MAKE A COPY OF YOUR BROWSER CACHE now and have it checked by a web developer you trust. If you were a victim of XSRF the code of the forged request is likely still in your browser's cache where it can be found with a simple grep for the mtgox domain name.
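An added example, not MtGox's code and not posted by anyone in the thread, of the two checks freequant says were missing on the withdrawal endpoint (request source and a per-session token) next to a handler that trusts the session cookie alone; the hostname, session store, request class and audit list are assumed:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_HOST = "exchange.example"  # assumed hostname of the trading site

# Constructed session store: one logged-in user with a per-session CSRF token.
SESSIONS = {"sid-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
AUDIT = []  # constructed audit log of accepted withdrawals (user, amount, referer)

@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)

def withdraw_cookie_only(req):
    """Weak handler: the session cookie alone authorises the transfer, so a
    form auto-submitted by another site, with the browser attaching the
    cookie, is accepted exactly as the thread describes."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    AUDIT.append((sess["user"], req.form.get("amount"), req.headers.get("Referer")))
    return 200

def came_from_our_site(req):
    """Origin is checked first, then Referer. A request carrying neither is
    rejected: a form submitted from our own page always sends one of them."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    return bool(src) and urlsplit(src).hostname == SITE_HOST

def withdraw_hardened(req):
    """Hardened handler: same session check, plus the source check and a
    per-session token that a page on another site cannot read or guess."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if not came_from_our_site(req):
        return 403
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    AUDIT.append((sess["user"], req.form.get("amount"), req.headers.get("Referer")))
    return 200

# Constructed cross-site request: session cookie present, no token, foreign Origin.
FORGED = Request(cookies={"sid": "sid-alice"}, form={"amount": "20"},
                 headers={"Origin": "https://other-site.example"})
```

The audit tuple keeps the referer with each accepted withdrawal, which is the record freequant argues a victim should be able to ask for.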

Batouzo (Member, Activity: 70, Merit: 10)
June 20, 2011, 12:55:40 AM  #90

Quote
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago, and I emailed him from the mtgox website well before this post ever appeared, but I haven't gotten any reply)

From IRC several hours ago:
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.

They could have just used MySQL injection instead (the 2nd bug as people say in forums); the database of all users+passwords (weak hash) is leaked.
dr.bitcoin (Newbie, Activity: 28, Merit: 0)
June 21, 2011, 05:51:27 AM  #91

I have been following a few threads on the MtGox incident and I must say I am appalled by what I read!

The facts are:
1. someone patched together an exchange reusing insecure code that was developed for a completely different purpose.
2. someone else bought it later and made some improvements (nothing really significant though).
3. being one of the first, and for the lack of a better exchange, MtGox became big.
4. MtGox started to generate profits of about $50,000/day or $70,000 on a really good day.
5. MtGox got hacked, the market has crashed, some people lost money and bitcoins, most people lost value (BTC going down etc.).
6. It is obvious that this could have been prevented given the significant profits made by MtGox. It was not.

What people say:
1. it's OK, this is the wild west and we're still building a country here.
2. he's one man, what would you expect?
3. well, as bad as it is, MtGox is trying really hard to fix it.
4. etc.

Guys, why don't you try to pull something like this in the real world, on your own customers?
What do you think would happen?

IMHO, this kind of money should not be left in the hands of some kid who thinks he knows about computers.
Simply because there's always another computer-savvy kid around the corner...