[20:51:52] <PovAddict>
https://mtgox.com/claim?token=foo'%20OR%201='1&email=test@example.com[20:52:07] <jrmithdobbs> LO FUCKIN L
[20:52:17] <jrmithdobbs> ya, i buy it considering how the other sqli and csrfs worked
[20:53:25] <PovAddict> so he says you can use that sqli (or another) to set how much money your account has, then withdraw it
[20:54:17] <jrmithdobbs> you know time frame on when it would have been done? I know one sqli was disclosed/patched on the 16th
[20:54:37] <PovAddict> I have no idea if this was ever exploited
[20:55:37] <PovAddict> this guy who told me about the vulns was scared of even publishing them, let alone exploit them...
[20:56:22] <PovAddict> speaking about mybitcoin exploits:
[20:56:23] <PovAddict> <PovAddict> well, you know what to do... if they don't react [to your private report] in a reasonable amount of time... >
[20:56:25] <PovAddict> <xxxx> i don't even know what the acceptable disclosure path is, when you're talking about what is, in effect, a bank.
[20:56:46] <jrmithdobbs> he patched the csrf in mybitcoin over the weekend quietly
[20:57:10] <jrmithdobbs> i publically disclosed csrfs in clearcoin (was going to disclose mybitcoin too but he patched while i was putting together email)
[20:57:36] <jrmithdobbs> at this point? the correct disclosure method is the normal full disclosure lists, the bitcoin-development list, and the forums. silmutaneously.
[21:00:13] <PovAddict>
http://stuff.povaddict.com.ar/mtgox-xss.txt here's another fun one
[21:01:03] <jrmithdobbs> that doesn't load for me
[21:01:19] <jrmithdobbs> does now, nm
[21:02:53] <jrmithdobbs> that's csrf not xss ;P
[21:03:13] <PovAddict> it's both
[21:03:30] <PovAddict> you're taken to a page that executes your injected Javascript
[21:04:15] <jrmithdobbs> you've just explained what happened.
[21:05:02] <jrmithdobbs> thats the same sqli ius disclosed and got patched on the 16th. whoever crashed the market notice it got patched. used the account he had deposited funds into. crashed the market in an attempt to get it out of the exchange by having btc lowered in value
[21:05:51] <jrmithdobbs> jesus christ. fuck magicaltux. lieing and/or incompetennt asshat.
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20110620/dc3e0783/attachment-0003.obj
