Bitcoin Forum
Author Topic: MTGox security was flawed  (Read 1272 times)
harmen (OP)
Newbie
Activity: 1
Merit: 0
June 20, 2011, 11:37:11 AM
 #1

MTGox security was flawed: the API instructions were sent using cleartext passwords in the URL.

With such security sense it was a matter of time.

Some unusual tips for creating very strong and very easy to remember passwords from grc.com:

https://www.grc.com/%5Chaystack.htm

It is not about randomness, it is about length and potential complexity.

Cheers!
adamncsu
Newbie
Activity: 6
Merit: 0
June 20, 2011, 01:48:43 PM
 #2

Thanks. There can never be too many posts about password security. So many people are under-educated in the subject.
ribuck
Donator
Hero Member
Activity: 826
Merit: 1039
June 20, 2011, 03:26:18 PM
 #3

Quote
...the API instructions were sent using cleartext passwords in the URL...
Over https.
SomeoneWeird
Hero Member
Activity: 700
Merit: 500
June 20, 2011, 03:28:32 PM
 #4

Quote
...the API instructions were sent using cleartext passwords in the URL...
Over https.

HTTPS doesn't mean squat.
dan_a
Newbie
Activity: 48
Merit: 0
June 20, 2011, 03:39:22 PM
 #5

Quote
...the API instructions were sent using cleartext passwords in the URL...
Over https.

HTTPS doesn't mean squat.

That attack will only work if you have control of a network between MTGOX and their customers.
zzyyxx
Newbie
Activity: 12
Merit: 0
June 20, 2011, 04:03:28 PM
 #6

http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

Am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that, the whole process in general, to be suspect?
vampire
Hero Member
Activity: 574
Merit: 500
June 20, 2011, 04:07:03 PM
 #7

Mt. Gox looked like an amateur site; for some reason I question why an auditor should get a copy of their database.
EyeRis
Member
Activity: 70
Merit: 10
June 20, 2011, 04:14:36 PM
 #8

Quote
...the API instructions were sent using cleartext passwords in the URL...
Over https.

So that means the data is encrypted; the URL is not.
dan_a
Newbie
Activity: 48
Merit: 0
June 20, 2011, 04:20:36 PM
 #9

Quote
http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

Am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that, the whole process in general, to be suspect?

There's been a big jump in interest in bitcoin in a very short time; it's not surprising that some sites would go up and down as they sort out an appropriate level of hosting.
Xenland
Legendary
Activity: 980
Merit: 1003

I'm not just any shaman, I'm a Sha256man
June 20, 2011, 05:41:57 PM
 #10

Quote
This attack does not apply as long as you browse completely over HTTPS. So just bookmark the https://www.mtgox.com/ url, use only that bookmark, and you'll be fine.

Quote
So that means the data is encrypted; the URL is not.
HTTPS also encrypts the URL and other request details.

I agree. To my understanding, HTTPS sends a signal that we are doing a secure connection (with no data besides IP), and then, after the keys have been exchanged, it proceeds to send the necessary data once a secure connection has been established.
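The point argued back and forth in posts #3, #4, #8 and #10 (whether HTTPS protects a password placed in the URL), worked through in Python as an added example that is not part of any post above and is not MtGox's API. TLS does encrypt the request line, so a passive observer sees only the host name and traffic sizes; but a web server still writes the full path and query string to its access log, and proxies, browser history and Referer headers keep it too, so a URL-borne password leaks there rather than on the wire. The parameter names, the /api/getFunds endpoint and the access-log lines are constructed for this illustration.

```python
"""Constructed example: what HTTPS does and does not protect when a
password rides in the URL query string.

TLS encrypts the request line (path + query), headers and body on the
wire, so a passive observer sees only the host name (via DNS and the SNI
extension) and traffic sizes. The URL itself is still written to web
server access logs, proxy logs and browser history, so a password in the
query string leaks wherever those end up. Parameter names, endpoint path
and log lines below are made up for illustration; they are not MtGox's API.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that should never carry a secret (assumed list).
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "secret",
                    "api_key", "apikey", "token", "key"}

# Apache/nginx "combined" style access log line (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def tls_visible_parts(url):
    """What a passive on-path observer learns from a request to this URL.

    Over https:// only host and port are visible; path and query travel
    inside the encrypted record layer. Over http:// everything is visible.
    """
    p = urlsplit(url)
    if p.scheme == "https":
        return {"host": p.hostname, "port": p.port or 443,
                "path": None, "query": None}
    return {"host": p.hostname, "port": p.port or 80,
            "path": p.path, "query": p.query}


def credentials_in_url(url):
    """Sorted names of sensitive query parameters present in a URL or path."""
    q = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in q if k.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Blank out sensitive query values so the URL is safe to log."""
    p = urlsplit(url)
    q = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
         for k, v in parse_qsl(p.query, keep_blank_values=True)]
    return urlunsplit(p._replace(query=urlencode(q)))


def move_secrets_to_body(url):
    """Rewrite a credential-in-query request as (clean_url, form_body).

    The secret still crosses the wire under TLS, but a POST body is not
    written to access logs, history or Referer headers the way the query
    string is. (An Authorization header is the other usual home for it.)
    """
    p = urlsplit(url)
    keep, move = [], []
    for k, v in parse_qsl(p.query, keep_blank_values=True):
        (move if k.lower() in SENSITIVE_PARAMS else keep).append((k, v))
    return urlunsplit(p._replace(query=urlencode(keep))), urlencode(move)


def scan_access_log(lines):
    """Find logged requests whose target carried a secret in the query.

    Returns (client_ip, method, redacted_target, leaked_param_names) per
    hit; lines that do not parse as access-log entries are skipped.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        leaked = credentials_in_url(m.group("target"))
        if leaked:
            hits.append((m.group("ip"), m.group("method"),
                         redact_url(m.group("target")), leaked))
    return hits


# Constructed sample log: one leaky GET, its POST replacement, noise, junk.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jun/2011:11:37:11 +0000] "GET /api/getFunds?name=alice&pass=hunter2 HTTP/1.1" 200 143 "-" "curl/7.21"',
    '203.0.113.7 - - [20/Jun/2011:11:38:02 +0000] "POST /api/getFunds HTTP/1.1" 200 143 "-" "curl/7.21"',
    '198.51.100.9 - - [20/Jun/2011:11:39:45 +0000] "GET /ticker HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    leaky = "https://api.example.invalid/getFunds?name=alice&pass=hunter2"
    print("on the wire, an observer sees:", tls_visible_parts(leaky))
    print("in the server's access log:", scan_access_log(SAMPLE_LOG))
    print("same call with the secret out of the URL:", move_secrets_to_body(leaky))
```

Run against the constructed log, the scanner flags only the GET whose query string carried `pass`; the POST that sends the same credential in the body leaves nothing in the log to find, which is the practical difference the thread is circling around.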