Author Topic: MTGox security was flawed  (Read 1278 times)
harmen (OP) | Newbie | Activity: 1 | Merit: 0
June 20, 2011, 11:37:11 AM  #1
MTGox security was flawed: the API instructions were sent using cleartext passwords in the URL.

With such a sense of security, it was a matter of time.

Some unusual tips for creating very strong and very easy to remember passwords from grc.com:

https://www.grc.com/haystack.htm

It is not about randomness, it is about length and potential complexity.

Cheers!
adamncsu | Newbie | Activity: 6 | Merit: 0
June 20, 2011, 01:48:43 PM  #2

Thanks. There can never be too many posts about password security. So many people are under-educated in the subject.
ribuck | Donator | Hero Member | Activity: 826 | Merit: 1039
June 20, 2011, 03:26:18 PM  #3

...the API instructions were sent using cleartext passwords in the URL...
Over https.
SomeoneWeird | Hero Member | Activity: 700 | Merit: 500
June 20, 2011, 03:28:32 PM  #4

...the API instructions were sent using cleartext passwords in the URL...
Over https.

HTTPS doesn't mean squat.
dan_a | Newbie | Activity: 48 | Merit: 0
June 20, 2011, 03:39:22 PM  #5

...the API instructions were sent using cleartext passwords in the URL...
Over https.

HTTPS doesn't mean squat.

That attack will only work if you have control of a network between MTGOX and their customers.
zzyyxx | Newbie | Activity: 12 | Merit: 0
June 20, 2011, 04:03:28 PM  #6

http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

Am I the only one who finds the Mt Gox hack, and this site going up/coming down, on top of the whole process in general, to be suspect?
vampire | Hero Member | Activity: 574 | Merit: 500
June 20, 2011, 04:07:03 PM  #7

Mt. Gox looked like an amateur site. For some reason I question why an auditor should get a copy of their database.
EyeRis | Member | Activity: 70 | Merit: 10
June 20, 2011, 04:14:36 PM  #8

...the API instructions were sent using cleartext passwords in the URL...
Over https.

So that means the data is encrypted; the URL is not.
dan_a | Newbie | Activity: 48 | Merit: 0
June 20, 2011, 04:20:36 PM  #9

http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

Am I the only one who finds the Mt Gox hack, and this site going up/coming down, on top of the whole process in general, to be suspect?

There's been a big jump in interest in bitcoin in a very short time. It's not surprising that some sites would go up and down as they sort out an appropriate level of hosting.
Xenland | Legendary | Activity: 980 | Merit: 1003
"I'm not just any shaman, I'm a Sha256man"
June 20, 2011, 05:41:57 PM  #10

This attack does not apply as long as you browse completely over HTTPS. So just bookmark the https://www.mtgox.com/ url, use only that bookmark, and you'll be fine.

Quote
So that means the data is encrypted; the URL is not.
HTTPS encrypts also the URL and other request details.
I agree. To my understanding, HTTPS signals that we are setting up a secure connection (with no data besides the IP), and then, after the keys have been exchanged, it proceeds to send the necessary data over the established secure connection.
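The disagreement in the posts above (whether HTTPS protects a password carried in the URL) comes down to where the query string is looked at. On the wire TLS encrypts the path and query along with the rest of the request, so a passive eavesdropper sees only the hostname and IP. But the server decrypts the request before writing its access log, the browser keeps the full URL in history and bookmarks, and, with the permissive referrer policy browsers defaulted to in 2011, the full URL is sent onward as Referer when the user follows a link. A POST body or a custom header is not retained in any of those places. The following is an added example written for this thread, not code from the original posts and not MtGox's API: the host exchange.example, the endpoint /api/balance, the parameters user/pass and the headers X-API-Key / X-Signature are all assumptions chosen for illustration. It walks the query-string design and an HMAC-signed alternative (in which the secret never leaves the client) through a simulated access log, Referer header and server-side verifier.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# ---- what gets retained outside the TLS tunnel -----------------------------

def access_log_line(req, status=200):
    """Common-log-format line as a web server would write it. Servers log the
    request line (method, path AND query string); they do not log the body or
    headers such as Authorization. TLS is terminated before this point, so
    HTTPS does not keep a query-string password out of the log."""
    p = urlsplit(req["url"])
    target = p.path + ("?" + p.query if p.query else "")
    method = req["method"]
    return f'203.0.113.7 - - [20/Jun/2011:11:37:11 +0000] "{method} {target} HTTP/1.1" {status} 512'

def referer_for(req):
    """Referer a browser of the time attached when following a link from the
    page fetched by req: scheme, host, path and query, fragment dropped."""
    p = urlsplit(req["url"])
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))

def secrets_in(text, secrets):
    """Return the secret strings that appear verbatim in text."""
    return [s for s in secrets if s in text]

# ---- two ways for a client to authenticate ----------------------------------

def request_password_in_url(base, user, password):
    """The pattern criticised in the thread: the password rides in the URL.
    Parameter names user/pass are assumptions, not MtGox's."""
    q = urlencode({"user": user, "pass": password})
    return {"method": "GET", "url": f"{base}/api/balance?{q}", "headers": {}, "body": ""}

def sign(secret_b64, body):
    """HMAC-SHA512 of the request body under the base64-encoded API secret."""
    mac = hmac.new(base64.b64decode(secret_b64), body.encode(), hashlib.sha512)
    return base64.b64encode(mac.digest()).decode()

def request_hmac_signed(base, api_key, secret_b64, nonce):
    """Alternative: the secret never leaves the client. Only a public key id
    and a signature over a nonce-bearing POST body travel, in headers that
    ordinary access logs do not record. Header names are assumptions."""
    body = urlencode({"nonce": nonce})
    return {"method": "POST", "url": f"{base}/api/balance",
            "headers": {"X-API-Key": api_key, "X-Signature": sign(secret_b64, body)},
            "body": body}

def server_verify(req, key_store, seen_nonces):
    """Server side: fetch the secret by key id, recompute the HMAC, compare in
    constant time, and refuse a nonce that has already been used (replay)."""
    secret_b64 = key_store.get(req["headers"].get("X-API-Key"))
    if secret_b64 is None:
        return False
    expected = sign(secret_b64, req["body"])
    if not hmac.compare_digest(expected, req["headers"].get("X-Signature", "")):
        return False
    nonce = parse_qs(req["body"]).get("nonce", [None])[0]
    if nonce is None or nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True

# ---- walk both designs through log, Referer and server ----------------------

def demo():
    base = "https://exchange.example"                       # constructed host, not MtGox
    password = "hunter2-2011"                               # constructed sample password
    secret_b64 = base64.b64encode(b"\x42" * 64).decode()    # constructed API secret
    key_store, seen = {"key-123": secret_b64}, set()

    bad = request_password_in_url(base, "harmen", password)
    good = request_hmac_signed(base, "key-123", secret_b64, "1308569831000000")
    replay = dict(good)                                     # same nonce, same signature
    tampered = dict(good, body=urlencode({"nonce": "1308569831000001"}))  # body changed, old signature

    return {
        "url_leaks_into_log": secrets_in(access_log_line(bad), [password]),
        "url_leaks_into_referer": secrets_in(referer_for(bad), [password]),
        "hmac_leaks_into_log": secrets_in(access_log_line(good) + str(good["headers"]), [secret_b64]),
        "hmac_accepted": server_verify(good, key_store, seen),
        "hmac_replay_accepted": server_verify(replay, key_store, seen),
        "hmac_tampered_accepted": server_verify(tampered, key_store, seen),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the password from the query-string design sitting in both the access log line and the Referer, while the signed design leaves neither the secret nor anything derived from it in the log, accepts the genuine request once, and rejects the replay and the tampered body. The nonce set stands in for whatever persistent store a real server would use; the point is that a captured signed request cannot be reused, whereas a captured URL with the password in it is the password.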