Bitcoin Forum
Author Topic: MTGox security was flawed  (Read 1027 times)
harmen
Newbie
Activity: 1
June 20, 2011, 11:37:11 AM
#1
MTGox security was flawed: the API instructions were sent using cleartext passwords in the URL.

With such security sense it was a matter of time.

Some unusual tips for creating very strong and very easy to remember passwords from grc.com:

https://www.grc.com/%5Chaystack.htm

It is not about randomness, it is about length and potential complexity.

Cheers!
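The "length and potential complexity" idea behind the haystack page, as an added example that is not part of the post above or of grc.com's own calculator. It sizes the alphabet from the character classes a password actually uses, sums the exhaustive search space for every length up to the password's, and converts that into worst-case enumeration time at two assumed guess rates (the rates and the sample passwords are constructed for illustration, not measurements):

```python
"""Search-space sizing in the style of the GRC 'haystack' calculator.

Added example, not code from the forum post or from grc.com.
RATES and the sample passwords below are assumptions chosen for
illustration, not measured attacker speeds.
"""
import string

# Character classes the calculator distinguishes; the alphabet size is the
# sum of the classes that actually appear in the password.
_CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation + " "), 33),
)

# Assumed attacker speeds in guesses per second (illustrative only).
RATES = {
    "online_throttled": 1_000,
    "offline_fast_hash": 1e11,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search has to cover."""
    size = 0
    for _name, chars, n in _CLASSES:
        if any(c in chars for c in password):
            size += n
    if size == 0:  # only characters outside the known classes (e.g. non-ASCII)
        size = len(set(password))
    return size


def search_space(password: str) -> int:
    """Total candidates of length 1..len(password) over that alphabet,
    i.e. the geometric series C + C^2 + ... + C^L."""
    c = alphabet_size(password)
    length = len(password)
    return sum(c ** n for n in range(1, length + 1))


def exhaustive_search_seconds(password: str, rate: float) -> float:
    """Worst-case time to enumerate the whole search space at `rate` guesses/s."""
    return search_space(password) / rate


def report(password: str) -> dict:
    """Summary of the figures the haystack page shows for one password."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        **{f"seconds_{k}": exhaustive_search_seconds(password, r)
           for k, r in RATES.items()},
    }


if __name__ == "__main__":
    # Constructed samples: a short mixed-class password versus a long,
    # padded one that uses the same character classes.
    for pw in ("aB1!xyz", "D0g" + "." * 21):
        print(repr(pw), report(pw))
```

The numbers measure only the size of the haystack an attacker who knows nothing about the password has to search; a dictionary or pattern-based guesser does not enumerate that space, so the figure is an upper bound on attacker effort, not a guarantee.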
adamncsu
Newbie
Activity: 6
June 20, 2011, 01:48:43 PM
#2
Thanks. There can never be too many posts about password security. So many people are under-educated in the subject.
ribuck
Donator, Legendary
Activity: 826
June 20, 2011, 03:26:18 PM
#3
...the API instructions were sent using cleartext passwords in the URL...
Over https.
SomeoneWeird
Hero Member
Activity: 700
June 20, 2011, 03:28:32 PM
#4
...the API instructions were sent using cleartext passwords in the URL...
Over https.

HTTPS doesn't mean squat.
dan_a
Jr. Member
Activity: 48
June 20, 2011, 03:39:22 PM
#5
...the API instructions were sent using cleartext passwords in the URL...
Over https.

HTTPS doesn't mean squat.

That attack will only work if you have control of a network between MTGOX and their customers.
zzyyxx
Newbie
Activity: 12
June 20, 2011, 04:03:28 PM
#6
http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

Am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that the whole process in general, to be suspect?
vampire
Hero Member
Activity: 574
June 20, 2011, 04:07:03 PM
#7
Mt. Gox looked like an amateur site, for some reason I question why should an auditor get a copy of their database?
EyeRis
Jr. Member
Activity: 39
June 20, 2011, 04:14:36 PM
#8
...the API instructions were sent using cleartext passwords in the URL...
Over https.

So that means the data is encrypted, the URL is not.

http://eyerishacking.blogspot.com/
BTC address: 1D8BYFgQDd1tuARbCrsSiNmXs84CvUMUni
dan_a
Jr. Member
Activity: 48
June 20, 2011, 04:20:36 PM
#9
http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

Am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that the whole process in general, to be suspect?

There's been a big jump in interest in bitcoin in a very short time - it's not surprising that some sites would go up and down as they sort out an appropriate level of hosting.
Xenland
Legendary
Activity: 980
I'm not just any shaman, I'm a Sha256man
June 20, 2011, 05:41:57 PM
#10
This attack does not apply as long as you browse completely over HTTPS. So just bookmark the https://www.mtgox.com/ url, use only that bookmark, and you'll be fine.

Quote
So that means the data is encrypted the URL is not.
HTTPS also encrypts the URL and other request details.
I agree, to my understanding HTTPS sends a signal that we are doing a secure connection (with no data besides IP) and then after the keys have been exchanged it will then proceed to send the necessary data after a secure connection has been established.
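Where a password carried in the query string is and is not protected, as an added example that is not code from any post in this thread or from MtGox; it serves the "URL is not encrypted" exchange in #8 and the "HTTPS also encrypts the URL" reply in #10. The request target, path and query included, is inside the TLS record, so a passive observer on the wire sees only the destination host (via SNI or DNS) and ciphertext sizes. The same URL is plaintext again once TLS is terminated, which is why a password in the URL still lands in the server's access log, in the browser's history, and in any Referer header sent from that page. The host name, endpoint, parameter names and log format are assumptions constructed for illustration; nothing is sent over the network:

```python
"""What a password in the query string looks like at each hop.

Added example, not code from the forum thread or from MtGox.
The host "mtgox.example", the endpoint, the parameter names and the
access-log format below are constructed assumptions for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets when redacting for logs.
SECRET_PARAMS = {"password", "pass", "pw", "key", "token", "secret"}


def _request_target(url: str) -> str:
    """Path plus query as it appears on the HTTP request line."""
    u = urlsplit(url)
    return urlunsplit(("", "", u.path or "/", u.query, ""))


def http_request_bytes(url: str) -> bytes:
    """The plaintext HTTP/1.1 request that TLS wraps. Everything here,
    query string included, is inside the encrypted record; only the host
    name is visible in the clear (TLS SNI) on a normal browser connection."""
    u = urlsplit(url)
    return (f"GET {_request_target(url)} HTTP/1.1\r\n"
            f"Host: {u.hostname}\r\n\r\n").encode()


def passive_observer_view(url: str) -> dict:
    """Simplified model of what someone on the wire sees of an HTTPS request:
    the destination host and an approximate ciphertext size, never the URL."""
    u = urlsplit(url)
    return {"sni_host": u.hostname, "approx_bytes": len(http_request_bytes(url))}


def server_access_log_line(url: str, client_ip: str = "203.0.113.7") -> str:
    """A combined-log-format line as written after TLS termination: the full
    request target, secret and all, ends up in the log file (constructed)."""
    return (f'{client_ip} - - [20/Jun/2011:11:37:11 +0000] '
            f'"GET {_request_target(url)} HTTP/1.1" 200 512')


def redact_url(url: str) -> str:
    """Mask secret-looking query parameters so a URL is safe to log or share."""
    u = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(u.query, keep_blank_values=True)]
    return urlunsplit((u.scheme, u.netloc, u.path, urlencode(pairs), u.fragment))


if __name__ == "__main__":
    # Constructed URL in the shape complained about in the thread.
    url = "https://mtgox.example/api/0/getFunds.php?name=alice&pass=hunter2"
    print("inside TLS:\n" + http_request_bytes(url).decode())
    print("on the wire:", passive_observer_view(url))
    print("server log:", server_access_log_line(url))
    print("redacted:", redact_url(url))
```

Redaction at log time is a mitigation for a credential that is already in the URL; the fix an API owner would make is to carry the credential in an Authorization header or the request body, which stays out of request lines, history and Referer by construction.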