Bitcoin Forum
December 03, 2016, 11:57:16 PM *
Author Topic: What if the hacker had write access to the database?  (Read 1245 times)
Post #1 by fujiwara (Jr. Member, Activity: 38), June 21, 2011, 07:51:21 PM

I know there are already lots of threads about the incident, but I haven't read anything there about the following scenario:

Just imagine the hacker was (somehow, don't ask me how) able to actually EDIT the content of the Mt. Gox database. I just CAN'T believe someone really has 500k BTC there. What if they were just added seconds before the attack, out of nothing? Afaik, technically speaking, these aren't bitcoins, they're just some numbers in a database. The deposit/withdrawal process of bitcoins is another story (and usually the correct source of the DB's content).

I'm thinking about this scenario because if it was true, there would be no other option than to roll back the trades, unless Mt. Gox would be willing to turn BTC into FIAT money. They would actually be short of BTC and couldn't withstand a bank run.

What do you guys think about this? Is it completely impossible that a hacker gained write access to the Mt. Gox database? I'm not trying to spread a conspiracy theory, I'm just wondering why no one is talking about the possibility of this happening.

Post #2 by TraderTimm (Legendary, Activity: 1652), June 21, 2011, 07:55:59 PM

Nothing against you personally, I just think all Mt. Gox threads should die in a fire, unless they are official reopening statements.

As for the database, restore from backup prior to the incident, solved.

fortitudinem multis - catenum regit omnia
Post #3 by dinker (Member, Activity: 102), June 21, 2011, 07:59:08 PM

He would draw you a very nice picture.

Help Me Help You Donations:
14kP6tNtrz3woESs9nEE5aDB81QTybGyyZ
Post #4 by vrotaru (Jr. Member, Activity: 35), June 21, 2011, 08:09:05 PM

[20:51:52] <PovAddict> https://mtgox.com/claim?token=foo'%20OR%201='1&email=test@example.com
[20:52:07] <jrmithdobbs> LO FUCKIN L
[20:52:17] <jrmithdobbs> ya, i buy it considering how the other sqli and csrfs worked Sad
[20:53:25] <PovAddict> so he says you can use that sqli (or another) to set how much money your account has, then withdraw it
[20:54:17] <jrmithdobbs> you know time frame on when it would have been done? I know one sqli was disclosed/patched on the 16th
[20:54:37] <PovAddict> I have no idea if this was ever exploited
[20:55:37] <PovAddict> this guy who told me about the vulns was scared of even publishing them, let alone exploit them...
[20:56:22] <PovAddict> speaking about mybitcoin exploits:
[20:56:23] <PovAddict> <PovAddict> well, you know what to do... if they don't react [to your private report] in a reasonable amount of time... >Smiley
[20:56:25] <PovAddict> <xxxx> i don't even know what the acceptable disclosure path is, when you're talking about what is, in effect, a bank.
[20:56:46] <jrmithdobbs> he patched the csrf in mybitcoin over the weekend quietly
[20:57:10] <jrmithdobbs> i publicly disclosed csrfs in clearcoin (was going to disclose mybitcoin too but he patched while i was putting together email)
[20:57:36] <jrmithdobbs> at this point? the correct disclosure method is the normal full disclosure lists, the bitcoin-development list, and the forums. simultaneously.
[21:00:13] <PovAddict> http://stuff.povaddict.com.ar/mtgox-xss.txt here's another fun one
[21:01:03] <jrmithdobbs> that doesn't load for me
[21:01:19] <jrmithdobbs> does now, nm
[21:02:53] <jrmithdobbs> that's csrf not xss ;P
[21:03:13] <PovAddict> it's both
[21:03:30] <PovAddict> you're taken to a page that executes your injected Javascript
[21:04:15] <jrmithdobbs> you've just explained what happened.
[21:05:02] <jrmithdobbs> that's the same sqli ius disclosed and got patched on the 16th. whoever crashed the market noticed it got patched. used the account he had deposited funds into. crashed the market in an attempt to get it out of the exchange by having btc lowered in value
[21:05:51] <jrmithdobbs> jesus christ. fuck magicaltux. lying and/or incompetent asshat.

http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20110620/dc3e0783/attachment-0003.obj
Post #5 by finack (Jr. Member, Activity: 56), June 21, 2011, 08:14:59 PM

Well, what if the hacker had ice cream?
Post #6 by TonyHoyle (Jr. Member, Activity: 59), June 21, 2011, 08:18:05 PM

I *really* hope that's not true, for the sake of everyone that just reset their passwords...
Post #7 by speeder (Hero Member, Activity: 546), June 21, 2011, 08:18:34 PM

jrmithdobbs has been attacking mtgox for a long time, since before any information was available.

I am not sure anything to do with him can be trusted on mtgox matters.

Post #8 by fujiwara (Jr. Member, Activity: 38), June 21, 2011, 08:29:24 PM

Thank you vrotaru, that's the kind of stuff I was looking for... how can we be sure it wasn't something like this?
Post #9 by ius (Jr. Member, Activity: 56), June 21, 2011, 08:49:31 PM

Quote from: TonyHoyle on June 21, 2011, 08:18:05 PM
> I *really* hope that's not true, for the sake of everyone that just reset their passwords...

That was reported (and fixed) on the 16th. Users were however not informed about the vulnerability. Two days later the database leaked.

PGP: 0xCC06E446 Bitcoin: 19kdfgW1KXQgV7SCLEPAojtHxN9xotGkGH
Post #10 by vrotaru (Jr. Member, Activity: 35), June 21, 2011, 08:50:31 PM

@fujiwara

I've read this thread: http://forum.bitcoin.org/index.php?topic=20437.0 some 12 hours ago. Still impressed. Oh, and I'm the wrong person to ask "how can we be sure that it wasn't something like this?"

MagicalTux is.
Post #11 by fujiwara (Jr. Member, Activity: 38), June 21, 2011, 09:10:03 PM

Missed that thread, sorry. It's very interesting indeed...
http://forum.bitcoin.org/index.php?topic=20437.0

Let's move...

ADMIN: pls close this thread.