MTGOX learns a lesson on cyber security, so should you

[mjoz]

Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

To my knowledge they have not said if the database compromise lead to the hacked account.  It seems very likely though, with access to the password hash weak passwords can be easily dictionary/bruteforced.  Why anyone with 500k bitcoins would have a weak password leaves me guessing though.  This is a lesson everyone can learn from though, if your password is not long, random, and mixed with letters, symbols and numbers you're at risk.

What is even more scary is it appears that the e-mail accounts on the list are now being attacked.  If someone compromises your e-mail box your generally screwed as they can then reset passwords other websites with lax security like MTGOX.

[1715635067]

1715635067

[hiipii]

It really is aggrivating seeing such a security sensitive sight being comprimised with an sql injection. This stuff was covered when I took an introductory web class.

[fascistmuffin]

"' RIGHT JOIN TABLE USERS; --

Dammit, didn't work.

[Bittie]

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

[mmavipc]

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

[agedet]

MtGox sucks, gonna see if Tradehill is any better.  Used code TH-R15720 when signing up to get reduced fees.

[Bittie]

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

Yes.. See how they list all the IP's?
Perfect for port attacks + sniffing as you know the IP will have a coin client + wallet..

[rcsheets]

In their defense, they didn't start up with a million dollar budget and man years of development time. It was a hobby project that got out of hand quickly.

You don't need a million dollars to store passwords properly. See http://codahale.com/how-to-safely-store-a-password/ for example. The software libraries for doing this correctly are free.

[tnkflx]

Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

You are probably referring to this:
http://seclists.org/fulldisclosure/2011/Jun/417 and http://seclists.org/fulldisclosure/2011/Jun/418?

[TerraHertz]

Bitcoin. Bringing hackers, naive users and serious money together, since 2011

What could possibly go wrong?

[Sannyasi]

ignorance......

yay i have another post to get out of the newb section.... then i can waste my time on topics that i give a shit about

LET THE TROLLS FEED ON EACH OTHER!