Author Topic: MTGox breach - how it really happened  (Read 6528 times)
Andrew Vorobyov (OP)
June 19, 2011, 10:32:11 PM  #1

This is IMHO of course..

First of all, MTGox was hacked around 3 days ago or so - http://forum.bitcoin.org/index.php?topic=19649.0

There are 2 variants:

1. Hackers got access to data in the database ONLY through SQL injection - it's the "oh my God" scenario.
2. The WHOLE box was compromised somehow (through unpatched software) - it's the "Holy shit" scenario..

Personally I see the "oh my God" scenario took place...

They got access to the WHOLE db - not only logins/passwords.
They found the account with the MOST BTC on it..
It took them a couple of days to crack the password (these guys know what a hash means :) )
They calculated how far they can push the price down and put their bids there...
Then they logged in with it and pressed the "SELL ALL IN" button...
Now they have cheap bitcoins and wait for the noise to settle down and cash out.

Ramifications for "oh my God"..

1. Hackers continue to break passwords of the top 10 accounts...
2. The SQL injection hole is still there and it can happen again EVEN after a forced password change.

No "Holy shit" scenario took place..
If that was the case, they would simply send all coins away from the account. But I don't think MTGOX will try to hide this.. I mean he is not that stupid to try it...
"The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime." -- Satoshi
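The "oh my God" scenario above turns on one coding pattern. The following is an added example, not code from this thread or from MtGox: a login lookup written the vulnerable way next to the same lookup written with a parameterised query, run against a constructed in-memory SQLite table (the table, its columns and the two sample rows are invented for illustration).

```python
"""Added example, not code from the thread or from MtGox: the difference
between the "SQL injection" scenario the post describes and a login lookup
that is immune to it. The users table, its columns and the two sample rows
are constructed for illustration.
"""
import sqlite3


def make_db():
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, btc REAL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 12.5), ("bob", "hash-b", 5000.0)],  # constructed rows
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    so a quote character in the input changes the structure of the statement and
    the WHERE clause no longer constrains which rows come back."""
    sql = f"SELECT name, btc FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a parameterised query. The driver passes the value
    separately from the statement, so it is compared as data and never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT name, btc FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input; return (unsafe rows, safe rows)."""
    conn = make_db()
    return len(lookup_unsafe(conn, username)), len(lookup_safe(conn, username))


if __name__ == "__main__":
    # An ordinary username behaves the same either way; an input containing a
    # quote makes the string-built query return every row while the
    # parameterised query simply finds no such user.
    print("ordinary input:", compare("alice"))       # (1, 1)
    print("quoted input:  ", compare("x' OR '1'='1"))  # (2, 0)
```

The point for a reviewer is that no amount of password hashing helps once a query is assembled like `lookup_unsafe`: the whole table, hashes included, is readable through the login form. Auditing a codebase for string-built SQL (and replacing every instance with the `?` placeholder form) is the fix, and it is also why the OP's second ramification holds until that is done.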

Rob P.
June 19, 2011, 11:32:12 PM  #2

Their Buy order will be rolled back, so they won't get those coins.  They could have only transferred $1000 US out of the account in question.

That said, if you use your Mt. Gox password anywhere associated with the email address or username on the account, you're screwed.
Fortunately my MtGox account name was unique to MtGox, the password was unique (and very strong), and I didn't associate an email address with my account.

There are 61,017 rows in the password file.  That's a crapton of IDs, Emails, and Hashed passwords.  Anyone saying you cannot login with the info is flat out lying.  You can brute force anyone with a weak password in the file, and immediately start attacking their accounts.

They have the file (as do thousands of other wannabees).  They have a LONG time to work on it.  Change all of your passwords associated with your username or email address, especially high-value targets like PayPal, Facebook, eBay, your bank, etc.

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.

kjj
June 19, 2011, 11:45:54 PM  #3

Quote from: Rob P.
There are 61,017 rows in the password file.  That's a crapton of IDs, Emails, and Hashed passwords.  Anyone saying you cannot login with the info is flat out lying.  You can brute force anyone with a weak password in the file, and immediately start attacking their accounts.

But no one knows in advance which ones are strong and which ones are weak, and work spent on one won't help with the next.  Also, you don't necessarily know which accounts carry balances, and which ones don't.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.

hoo2jalu
June 19, 2011, 11:59:55 PM  #4

Quote from: kjj
...
But no one knows in advance which ones are strong and which ones are weak, and work spent on one won't help with the next.  Also, you don't necessarily know which accounts carry balances, and which ones don't.

All potentially revealed in about 2 days for anyone using 8 character passwords or less...

BeeCee1
June 20, 2011, 12:10:46 AM  #5

Quote from: Rob P.
Their Buy order will be rolled back, so they won't get those coins.  They could have only transferred $1000 US out of the account in question.

I think MTG said they transferred $1000 US worth of bitcoin out which makes me wonder if they transferred $1000 worth of $17 a coin bitcoins (about 60) or if they transferred $1000 worth of $0.01 a coin bitcoins out.  I could see an attacker selling enough bitcoins to drive the price way down in order to do a large bitcoin transfer out.

Clipse
June 20, 2011, 12:16:22 AM  #6

Quote from: BeeCee1
Their Buy order will be rolled back, so they won't get those coins.  They could have only transferred $1000 US out of the account in question.

I think MTG said they transferred $1000 US worth of bitcoin out which makes me wonder if they transferred $1000 worth of $17 a coin bitcoins (about 60) or if they transferred $1000 worth of $0.01 a coin bitcoins out.  I could see an attacker selling enough bitcoins to drive the price way down in order to do a large bitcoin transfer out.

This I also feel realistically happened, considering they drove the price down as fast as possible to about 0.001, then the dust settled and it started to rebuild with normal traffic.

They clearly had a plan to use perhaps 50% of the 500k BTC balance to drive the price down, then be able to withdraw most of the remaining 200k+ at 0.001 per BTC; that would cover a million BTC, even though they prob only had around 250k remaining after selling 250k at a heavy loss.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)

Rob P.
June 20, 2011, 12:29:22 AM  #7

Quote from: kjj
There are 61,017 rows in the password file.  That's a crapton of IDs, Emails, and Hashed passwords.  Anyone saying you cannot login with the info is flat out lying.  You can brute force anyone with a weak password in the file, and immediately start attacking their accounts.

But no one knows in advance which ones are strong and which ones are weak, and work spent on one won't help with the next.  Also, you don't necessarily know which accounts carry balances, and which ones don't.

MtGox thinks they do.  Makes me question whether or not they actually have the passwords in cleartext somewhere:

From:  https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

Quote
If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure.

How do they know, in advance, if I used a simple password, without having it in cleartext themselves?


imperi
June 20, 2011, 12:30:18 AM  #8

It's possible they have them cleartext in a separate database that is disconnected from the website.

finack
June 20, 2011, 12:36:39 AM  #9

Quote from: Rob P.
How do they know, in advance, if I used a simple password, without having it in cleartext themselves?

They don't. When they said that they were probably half out of their minds coping.

The email that was sent a bit later than that says:

Quote
We are working on a
quick resolution and to begin with, your password has been disabled as a
security measure (and you will need to reset it to login again on Mt.Gox).

I'm sure it said that for everyone.

EpicFail
June 20, 2011, 01:48:53 AM  #10

Quote from: Rob P.
How do they know, in advance, if I used a simple password, without having it in cleartext themselves?

Probably by running a basic brute force attack using dictionaries and rainbow tables.

I once worked at a place and we had a security officer who periodically attacked our network passwords and forced us to change those he managed to break. It was pretty annoying of him.
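The question running through posts #7 to #10 (how a site can flag a "simple password" without holding the cleartext) has two honest answers, and the example below shows both. It is an added example, not MtGox's code: a proper salted PBKDF2 store whose login path scores the submitted password during the one moment the server legitimately has it in cleartext, plus the kind of dictionary audit EpicFail's security officer would run against a legacy table of unsalted MD5 hashes. The iteration count, the common-password list and every user record are constructed for illustration.

```python
"""Added example, not MtGox's code: flagging a weak password without ever
storing the cleartext, and auditing a legacy unsalted-hash table.
The iteration count, the common-password list and all user records below
are constructed for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the server's hardware

# Constructed stand-in for a list of breached / common passwords.
COMMON_PASSWORDS = {"password", "123456", "bitcoin", "letmein", "qwerty"}


def hash_password(password, salt=None):
    """Store salt + PBKDF2-HMAC-SHA256 digest. A random per-user salt means
    equal passwords give different records, so one precomputed table (or one
    guess) cannot be checked against every user at once."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_weak(password):
    """Policy check on the cleartext; only ever run on a value the user has
    just submitted (registration, login, password change)."""
    return len(password) < 10 or password.lower() in COMMON_PASSWORDS


def login(users, username, password):
    """Return "denied", "reset_required" or "ok". The cleartext exists only for
    the duration of this call and is never written anywhere."""
    record = users.get(username)
    if record is None or not verify_password(password, record):
        return "denied"
    if is_weak(password):
        return "reset_required"  # right password, but force a change now
    return "ok"


def audit_unsalted_md5(md5_records):
    """The 'security officer' check against a legacy table of unsalted MD5
    hashes: one hash per candidate word tests every user at once, which is
    why such a table falls within days of a leak. Returns {user: password}."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_PASSWORDS}
    return {u: lookup[h] for u, h in md5_records.items() if h in lookup}


# Constructed sample data for the demo below.
USERS = {"alice": hash_password("correct horse battery"),
         "bob": hash_password("bitcoin")}
LEGACY_MD5 = {"u1": hashlib.md5(b"bitcoin").hexdigest(),
              "u2": hashlib.md5(b"Strong-Phrase-42").hexdigest()}

if __name__ == "__main__":
    print(login(USERS, "alice", "correct horse battery"))  # ok
    print(login(USERS, "bob", "bitcoin"))                  # reset_required
    print(login(USERS, "bob", "wrong"))                    # denied
    print(audit_unsalted_md5(LEGACY_MD5))                  # {'u1': 'bitcoin'}
```

Two things fall out of this. A site that disables "simple" passwords at the next login, as the MtGox notice says, can do so with nothing but `is_weak` on the value the user types in; it needs no cleartext on disk. And kjj's point that "work spent on one won't help with the next" is true only for a salted, slow hash like the `hash_password` record: against the unsalted MD5 table in `audit_unsalted_md5`, every candidate word is checked against all 61,017 rows for the price of a single hash.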

hoo2jalu
June 20, 2011, 02:07:00 AM  #11

Quote from: EpicFail
...
I once worked at a place and we had a security officer who periodically attacked our network passwords and forced us to change those he managed to break. It was pretty annoying of him.

I heard this and thought, "Wow, that's pretty conscientious and considerate of him!"

Only annoying if you use weak sauce passwords. Are you full of weak sauce and annoyed?

BeeCee1
June 20, 2011, 02:10:19 AM  #12

Quote from: Andrew Vorobyov (OP)
No "Holy shit" scenario took place..
If that was the case, they would simply send all coins away from the account. But I don't think MTGOX will try to hide this.. I mean he is not that stupid to try it...

You're probably right.  If the whole machine was compromised they could have taken the wallet file, no need to transfer coins out, no need to crash the market, and they would have gotten all the coins in it.

I wonder how many bitcoins Mt. Gox keeps in the online wallet and how many they keep offline.  There was that 400k transfer a week ago that everyone assumes was Mt. Gox transferring coins from the online to the offline wallet, hope that is really the case, but the idea that Mt. Gox would have 400k online to transfer all at once is pretty scary too.

Rob P.
June 20, 2011, 12:05:20 PM  #13

Quote from: finack
How do they know, in advance, if I used a simple password, without having it in cleartext themselves?

They don't. When they said that they were probably half out of their minds coping.

The email that was sent a bit later than that says:

Quote
We are working on a
quick resolution and to begin with, your password has been disabled as a
security measure (and you will need to reset it to login again on Mt.Gox).

I'm sure it said that for everyone.

That's lovely, except I purposefully didn't attach an email address to my account, because I didn't want them to have it, and I'm glad I did.
However, that means they have no way to allow me to reset my password.

The password file that leaked has over 4000 users with no emails attached, exactly how will that be dealt with?


kjj
June 20, 2011, 12:51:44 PM  #14

Quote from: Rob P.
That's lovely, except I purposefully didn't attach an email address to my account, because I didn't want them to have it, and I'm glad I did.
However, that means they have no way to allow me to reset my password.

The password file that leaked has over 4000 users with no emails attached, exactly how will that be dealt with?

I think you are going to have to wait and see.  No one on the forums has any idea, but it sounds like they have 4000 reasons to come up with a way to make it work.


Rob P.
June 20, 2011, 01:14:29 PM  #15

From reading the latest update:

Quote
[Update - 12:52 GMT] Account recovery page will be up tomorrow morning (Japan time)
We have almost completed the account recovery page and are waiting for the results of unit tests and intrusion tests (and more than anything, don't want to put something online and go to sleep just after, best way to get screwed), so the page will be put online tomorrow morning.

It will allow every user to claim ownership of their account based on proof such as deposits, withdrawals, password (if complex enough), email or notarized documentation.

Once it is deemed enough users had the chance to get their account back, the exchange will be open again (opening time will be announced at least 24 hours in advance). It will still be possible to file claims for user accounts after this.

So, it appears they are using multiple layers to figure things out.  Meaning I'll hopefully be able to prove my identity if I come from the same last IP address and can verify the last deposits, plus know my existing password.

We'll see...tomorrow.


Clipse
June 20, 2011, 01:26:50 PM  #16

This whole situation was a shitstorm but I got to salute mtgox for how he actually handled it.

Remember, he could easily have taken the easier route out without having to deal with everyone pissed off at them and simply take all the remaining bitcoins and run.

They clearly know that it's not worth screwing the public; it's in their interest and our interest to keep things going.


Bruce Wagner
June 20, 2011, 02:08:04 PM  #17

I think things will become a lot clearer after our live interview at 2pm ET today....  on http://onlyonetv.com

Capitan
June 20, 2011, 02:50:27 PM  #18

What kind of modern database is vulnerable to SQL injection anyway? And why would they have a silent auditor? Could the auditor have been related to their attempt to get registered with the US Gov. as an MSB? Wouldn't they need to be audited to get registered as such?

grue
June 20, 2011, 02:55:32 PM  #19

Quote from: Capitan
What kind of modern database is vulnerable to SQL injection anyway? And why would they have a silent auditor? Could the auditor have been related to their attempt to get registered with the US Gov. as an MSB? Wouldn't they need to be audited to get registered as such?

It wasn't SQL injection. READ THE UPDATE BEFORE MAKING FALSE CONCLUSIONS.

It is pitch black. You are likely to be eaten by a grue.

Adblock for annoying signature ads | Enhanced Merit UI

fujiwara
June 20, 2011, 03:20:51 PM  #20

Quote from: Bruce Wagner
I think things will become a lot clearer after our live interview at 2pm ET today....  on http://onlyonetv.com

Looking forward to it! 2 pm ET sounds like a decent hour in GMT, .. :) I guess it will be available as a stream afterwards?

Dobrodav
June 20, 2011, 03:43:17 PM  #21

ET (EST) = UTC (GMT) -5 hours


fujiwara
June 20, 2011, 05:16:21 PM  #22

You can already watch the livestream:

http://onlyonetv.com/?page_id=178

Take a seat! :P