Bitcoin Forum
Pages: [1] 2 3 »  All
Author Topic: Mt. Gox: If your coins were stolen, please write here  (Read 20151 times)
MagicalTux
June 18, 2011, 07:55:40 AM
 #1

Ok, we've been seeing a "lot" of cases recently.

So far I have 10 known cases of people whose coins were stolen (someone logged in to the account using their password, traded USD for BTC, and withdrew all the BTC). Considering we now have over 60000 accounts (2 months ago we had 10 times fewer), this seems to be a problem coming mainly from users.

The problem is that many have been posting in various places (forums, reddit, twitter, irc, etc.), causing a lot of fear among users when the problem is still fairly limited.

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

By the way, we are working on adding an extra feature: a withdraw password. If you define one (on the settings screen) you will have to enter this password too. It should be available by Monday.



Now, we cannot recover the funds, however we can try to track them and locate which account they were sent to. I guess that if your account was compromised you first sent an email to info@mtgox.com asking for your account to be blocked until investigated, providing as much information as you can about the problem.

Please post here the ticket number that was assigned to you when you created it if you want priority handling. Please read the following FAQ first.


FAQ

My history disappeared along with all my coins and money

You have not logged in with your usual login. Please make sure you are using the right account.

My coins were traded for USD, or my USD was traded for coins, and I never entered any order

You had an open order that couldn't be filled because you didn't have enough funds. When you added funds (or coins) your order could be filled, and was filled.


koin
June 18, 2011, 08:07:11 AM
 #2

Quote from: MagicalTux
Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

Now, we cannot recover the funds, however we can try to track those and locate to which account they were sent.

Are you saying that no changes were made to the site in the past 24 hours to protect against a CSRF?

If it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994
MagicalTux
June 18, 2011, 08:24:07 AM
 #3

Quote from: koin
Are you saying that no changes were made to the site in the past 24 hours to protect against a CSRF?

If it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither was ever exploited, except by the people who discovered it.

Both are now fixed.
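The CSRF flaw described in the post above is a "send funds" endpoint that trusted nothing but the session cookie. What follows is an added Python example, not Mt. Gox code and not written by anyone in this thread, that models such an endpoint twice: the vulnerable form, which a form on an attacker's page can drive because the victim's browser attaches the session cookie automatically, and a fixed form that additionally requires a per-session HMAC token the attacker's page cannot read plus an Origin/Referer check. The session store, balances, site origin and bitcoin addresses are constructed for the demo; the withdraw password mentioned in the first post would be a further, independent layer on top of this.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed state standing in for the exchange's session store and ledger.
SECRET_KEY = secrets.token_bytes(32)                  # server-side only, never sent to the browser
SESSIONS = {"victim-session-id": {"user": "alice"}}
BALANCES = {"alice": Decimal("20.19")}
SITE_ORIGIN = "https://mtgox.com"                     # assumed origin of the legitimate site
ATTACKER_ADDR = "1AttackerAddressConstructedForDemo"  # placeholder, not a real address


@dataclass
class Request:
    """The parts of an HTTP POST that matter for this check."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Per-session token = HMAC(secret, session id). Only pages served from our
    origin can read it, so a cross-site form cannot include the right value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _debit_and_send(user: str, form: dict) -> str:
    amount = Decimal(form["amount"])
    if amount <= 0 or amount > BALANCES[user]:
        return "denied: insufficient funds"
    BALANCES[user] -= amount
    return f"sent {amount} BTC to {form['address']}"


def send_funds_vulnerable(req: Request) -> str:
    """Before the fix: the session cookie is the only credential checked.
    Browsers attach cookies to cross-site form posts, so any page the victim
    visits while logged in can submit this request on their behalf."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "denied: not logged in"
    return _debit_and_send(sess["user"], req.form)


def send_funds_fixed(req: Request) -> str:
    """After the fix: same cookie check, plus a CSRF token bound to the session
    (compared in constant time) and an Origin/Referer check. Both must pass."""
    sid = req.cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return "denied: not logged in"
    if not hmac.compare_digest(csrf_token_for(sid), req.form.get("csrf_token", "")):
        return "denied: bad csrf token"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
        return "denied: cross-site origin"
    return _debit_and_send(sess["user"], req.form)


def demo() -> dict:
    """Run a forged cross-site POST and a legitimate one against both handlers."""
    results = {}
    BALANCES["alice"] = Decimal("20.19")
    # The attacker's page auto-submits a form; the victim's browser adds the cookie.
    forged = Request(
        cookies={"sid": "victim-session-id"},
        form={"amount": "20.19", "address": ATTACKER_ADDR},
        headers={"Origin": "https://evil.example"},
    )
    results["forged_vs_vulnerable"] = send_funds_vulnerable(forged)   # account drained

    BALANCES["alice"] = Decimal("20.19")
    results["forged_vs_fixed"] = send_funds_fixed(forged)             # rejected: no token

    # Even a leaked token is not enough on its own: the origin check still fails.
    stolen = Request(
        cookies=forged.cookies,
        form={**forged.form, "csrf_token": csrf_token_for("victim-session-id")},
        headers={"Origin": "https://evil.example"},
    )
    results["stolen_token_vs_fixed"] = send_funds_fixed(stolen)

    # The real form on our own origin carries the token and passes.
    legit = Request(
        cookies={"sid": "victim-session-id"},
        form={"amount": "5", "address": "1AliceOwnWalletConstructedForDemo",
              "csrf_token": csrf_token_for("victim-session-id")},
        headers={"Origin": SITE_ORIGIN},
    )
    results["legit_vs_fixed"] = send_funds_fixed(legit)
    results["balance_after"] = str(BALANCES["alice"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token check alone is the standard CSRF defence; the origin check is belt-and-braces and rejects the stolen-token case above. Neither helps when the attacker has the victim's actual password, which is the separate account-takeover scenario discussed elsewhere in this thread.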

anatolikostis
June 18, 2011, 10:30:37 AM
 #4

Quote from: MagicalTux
There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither was ever exploited, except by the people who discovered it.

Both are now fixed.

You know about my case very well MARK - I'm still waiting for my stolen 13.4 BTC...
leepfrog
June 18, 2011, 12:03:14 PM
 #5

What do you have to say about this here:

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

-----Crypto--Investor----Family--Guy-----All--Around--Winner----
Man From The Future
June 18, 2011, 12:08:51 PM
 #6

Copy in case that disappears:

Quote
Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: auto36299386@hushmail.com

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte
Grant
June 18, 2011, 12:19:05 PM
 #7

Quote from: Man From The Future
Copy in case that disappears: "Mt. Gox Db Purportedly for Sale..." http://pastebin.com/xhnNdvte (quoted in full above)

I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".

zpinto
June 18, 2011, 12:31:13 PM
 #8

Ok, due to that, I tried to change my password in MTGox and it doesn't let me... wtf?
Man From The Future
June 18, 2011, 12:46:50 PM
 #9

Seeing the database doesn't mean having write access.
MagicalTux
June 18, 2011, 01:14:11 PM
 #10

Passwords are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

MagicalTux
June 18, 2011, 01:39:42 PM
 #11

Quote from: anatolikostis
You know about my case very well MARK - I'm still waiting for my stolen 13.4 BTC...

As I already replied to you, your funds were stolen by someone logging in to your account with your password. Your funds are right now on a bitcoin address and have not moved since then.

As a reminder, we assume no responsibility should your funds be stolen by someone using your own password.

smackdaddy
June 18, 2011, 01:46:36 PM
 #12

Quote from: MagicalTux
Passwords are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

Well, to be fair, if you have the hashed values, it takes very little effort to brute-force a large number of passwords. Especially if you use tables.

Your statement makes me nervous about the state of overall security at mtgox... relying on hashed passwords was a failing paradigm over a decade ago.

Sukrim
June 18, 2011, 01:48:16 PM
 #13

That's what salt is for!

Just read it up on Wikipedia...
smackdaddy
June 18, 2011, 01:52:10 PM
 #14

Quote from: Sukrim
That's what salt is for!

Just read it up on Wikipedia...

Uhm, I think you need to read up on it. Salting helps defend against table lookups but does not strongly protect against brute force.


joepie91
June 18, 2011, 01:53:37 PM
 #15

MagicalTux, a few cases can already be found here: http://forum.bitcoin.org/index.php?topic=18050.0
It also has some information regarding passwords strengths and operating systems that people used etc.

Also, have you received my PM about the CSS history sniffing vulnerability?


Quote from: Grant
I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".

If the easiest way of "laundering" stolen money would be the exact site you compromised (Mt. Gox), I can imagine that someone does not want to go through the trouble of laundering everything, and would rather sell off the entire database in one hit and have others deal with that. Not to mention selling the database to multiple people.


Quote from: MagicalTux
Passwords are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

Hashes (even salted) can be brute-forced. Especially if someone has for example already set up Bitcoin mining rigs, he would have considerable power to use on brute-forcing passwords, not to mention things like Amazon AWS (or other cloud computing services) that can be used to very quickly crack hashes.


Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
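On the salt argument running through the posts above (smackdaddy's "salting helps against table lookups but not brute force" and joepie91's point about mining rigs), here is an added Python example, not code from anyone in this thread, showing what a per-user salt does and does not buy. The accounts, salts and wordlist are constructed. The thread does not say which hash Mt. Gox actually used; MD5(salt || password) is an assumed scheme chosen to match the discussion. The example builds a precomputed, unsalted lookup table, which misses every salted hash, then runs a plain dictionary attack that cracks the weak passwords anyway, and repeats it against PBKDF2 to show that what slows an attacker is cost per guess, not the salt.

```python
import hashlib
import os

# Constructed wordlist; a real attack uses millions of entries at GPU hash rates.
WORDLIST = ["password", "123456", "bitcoin", "letmein", "hunter2",
            "qwerty", "mtgox2011", "correcthorse"]
PBKDF2_ITERATIONS = 20_000   # kept small so the demo runs quickly; production uses far more


def md5_salted(salt: bytes, password: str) -> str:
    """Assumed legacy scheme: one fast MD5 over salt || password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_salted(salt: bytes, password: str) -> str:
    """Slow alternative: every guess costs PBKDF2_ITERATIONS HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def make_users(hash_fn) -> dict:
    """Constructed accounts, each with a fresh random per-user salt."""
    accounts = [("alice", "bitcoin"), ("bob", "hunter2"), ("carol", "Xq7#pL9!vR2m")]
    users = {}
    for name, password in accounts:
        salt = os.urandom(8)
        users[name] = (salt, hash_fn(salt, password))   # salt is stored beside the hash
    return users


def precomputed_table(wordlist) -> dict:
    """What a lookup/rainbow table amounts to: hash -> plaintext, computed once, no salt."""
    return {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}


def lookup_attack(users: dict, table: dict) -> dict:
    """Table lookup against salted hashes: the salt changes every digest, so nothing matches."""
    return {name: table[digest] for name, (_, digest) in users.items() if digest in table}


def dictionary_attack(users: dict, wordlist, hash_fn) -> tuple[dict, int]:
    """Per-user guessing: the attacker reads the salt next to the hash and includes it.
    Returns (cracked passwords, number of hash evaluations spent)."""
    cracked, guesses = {}, 0
    for name, (salt, target) in users.items():
        for candidate in wordlist:
            guesses += 1
            if hash_fn(salt, candidate) == target:
                cracked[name] = candidate
                break
    return cracked, guesses


def demo() -> dict:
    md5_users = make_users(md5_salted)
    table_hits = lookup_attack(md5_users, precomputed_table(WORDLIST))
    md5_cracked, md5_guesses = dictionary_attack(md5_users, WORDLIST, md5_salted)

    pbkdf2_users = make_users(pbkdf2_salted)
    pbkdf2_cracked, pbkdf2_guesses = dictionary_attack(pbkdf2_users, WORDLIST, pbkdf2_salted)

    return {
        "table_hits": table_hits,                     # {} : the salt defeats precomputation
        "md5_cracked": md5_cracked,                   # weak passwords fall regardless of salt
        "md5_guesses": md5_guesses,                   # one fast MD5 per guess
        "pbkdf2_cracked": pbkdf2_cracked,             # the same passwords fall...
        "pbkdf2_guesses": pbkdf2_guesses,             # ...after the same number of guesses...
        "pbkdf2_work_per_guess": PBKDF2_ITERATIONS,   # ...but each guess is this much costlier
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt forces the attacker to hash each guess separately per user instead of once for the whole database, and it makes precomputed tables useless; it does nothing to the cost of a single guess, which is why a salted fast hash still falls to a wordlist run on ordinary hardware. Only a deliberately slow, memory-hard or iterated scheme (PBKDF2, bcrypt, scrypt) multiplies that per-guess cost, and carol's long random password survives in every variant because it is not in any wordlist.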
Man From The Future
June 18, 2011, 02:14:00 PM
 #16

The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per-user salt (you haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.
joepie91
June 18, 2011, 02:23:24 PM
 #17

Quote from: Man From The Future
The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per-user salt (you haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

Where was MD5 mentioned?

jondecker76
June 18, 2011, 03:07:12 PM
 #18

I had 20 BTC stolen from my account, I didn't find out until 2 days later.

Here, I added 20 BTC to do some trading:
Quote
06/13/11 09:34   Add BTC   1AbvTGGyKKQDezsnaYDAhJDNPkZYv7aM9z   20   0   20.199   0.059

Within a single day, it had been transferred out (unknown to me)
Quote
06/14/11 15:45   Withdraw BTC   17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC    -20.19   0   0.009   0.059

I sent an email from your website reporting the problem, here is the automated reply:
Quote
## Please do not write below this line ##
Ticket #1605: I was hacked

Your request (#1605) has been received, and will be reviewed by our support staff.

Our help desk is experiencing unusually high traffic currently. We regret to inform you that you will experience some delays (currently 48-72 hrs) in us getting back to you.

We sincerely apologize for the inconvenience and are working on all fronts to improve our response times.

To review the status of the request and add additional comments, follow the link below:
http://support.mtgox.com/tickets/1605


Jondecker76, Jun-17 22:02 (JST):

I've seen it a lot on the forums as well and never thought it could happen to me, but today I logged in to my account to find that my balance of 20 BTC is gone.

Here is the copy and paste from my account history:
06/14/11 15:45 Withdraw BTC 17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC -20.19 0 0.009 0.059


I truly believe you guys have a security problem on your end.

I feel that it is MtGox's responsibility to own up to losses from multiple users.  You can confirm yourself that my original report to you was received before there was any mention of a confirmed vulnerability.

Man From The Future
June 18, 2011, 03:36:31 PM
 #19

Quote from: joepie91
Where was MD5 mentioned?

It must be in the thread confirming the existence of the CSRF vulnerability.
Noitev
June 18, 2011, 04:17:10 PM
 #20

Quote from: smackdaddy
Uhm, I think you need to read up on it. Salting helps defend against table lookups but does not strongly protect against brute force.

If you put enough salt in an MD5, it'll take thousands of years until you can crack it, I've tried.