Bitcoin Forum
Author Topic: [Full Disclosure] Live mtgox.com trade matching bug.  (Read 15372 times)
jrmithdobbs (OP)
June 28, 2011, 02:55:41 AM
Last edit: June 28, 2011, 03:08:46 AM by jrmithdobbs
 #1

Step 1: Have USD available for spending on mtgox.com.
Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately.
Step 3: Withdraw all USD funds.
Step 4: Wait for market to fall enough to meet your order.
Step 5: ...(self explanatory)...

There's a bit of luck in being able to take advantage, obviously.

I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute:

==========
Welcome <username removed> 0.00000000 ฿TC 424.44901
Buying  138468.901  0.01  Active  1384.69  06/26 15:27  cancel
==========

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

At the very least this could be used to influence market conditions if it is only a display bug.

bitcoin-dev: http://sourceforge.net/mailarchive/forum.php?thread_name=C9421AA2-D741-4989-9DA8-395D1F532F52%40jrbobdobbs.org&forum_name=bitcoin-development
f-d: http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081682.html
MagicalTux
June 28, 2011, 03:05:34 AM
 #2

> I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.
BitcoinPorn
June 28, 2011, 03:09:05 AM
 #3

> I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute.


bitbot
June 28, 2011, 03:10:13 AM
 #4

someone explain this

Anonymous BITCOIN Exchange: https://www.TRADEHILL.COM
FooDSt4mP
June 28, 2011, 03:23:11 AM
 #5

> someone explain this

The order isn't being removed on withdrawal.  Funds are being checked before it is executed.

As we slide down the banister of life, this is just another splinter in our ass.
GeniuSxBoY
June 28, 2011, 03:31:58 AM
 #6

Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.

Be humble!
jrmithdobbs (OP)
June 28, 2011, 03:33:22 AM
 #7

> Please leave possible exploits away from the public.
> In other words, keep it private.
> Work with them behind closed doors.


No.

> Funds are being checked before it is executed.

Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.
vragnaroda
June 28, 2011, 03:39:30 AM
 #8

>> Please leave possible exploits away from the public.
>> In other words, keep it private.
>> Work with them behind closed doors.
>
> No.
>
>> Funds are being checked before it is executed.
>
> Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.

After making yourself look like such an ass, you should really reconsider that.
Herodes
June 28, 2011, 03:39:56 AM
 #9

...

You show nothing but hostility towards mtGox. The only motive I could think of is jealousy. If you think your technical expertise and knowledge is superior to that of MagicalTux's, then please go ahead and create the ultimate exchange. I believe you're already involved with britcoin.co.uk ?

Seriously, acting like you do is of no good for nobody. Why waste your time talking shit and disclosing bugs when mtGox is actually working on it to fix it?

You'll be better off in the long run if you focus on the things you do, and do them well, instead of talking negatively about other people. I think this says more about you, than it says about MT and mtGox.

I am sure you can mend your ways if you wanted to.
Klestin
June 28, 2011, 03:51:41 AM
 #10

> Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.

Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.
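
An added illustration (not part of any post in this thread, and not MtGox code) of the two behaviours discussed above: a buy order that stays listed after a withdrawal and is only refused by a funds check at execution, versus an order whose cost is reserved at placement. All names and figures are constructed for the example; the per-account lock stands in for the "semaphore or lock" mentioned in the post above, so the funds check and the debit happen as one step.

```python
import threading
from decimal import Decimal

class Account:
    def __init__(self, usd):
        self.usd = Decimal(usd)            # spendable balance
        self.held = self.btc = Decimal(0)  # held = USD reserved for open orders
        self.lock = threading.Lock()       # guards every balance change

    def withdraw(self, amount):
        with self.lock:
            if Decimal(amount) > self.usd:
                return False               # refused: not enough spendable USD
            self.usd -= Decimal(amount)
            return True

class BuyOrder:
    def __init__(self, account, btc, price, reserve):
        self.account, self.btc = account, Decimal(btc)
        self.cost = Decimal(btc) * Decimal(price)
        self.reserved, self.active = reserve, True
        if reserve:                        # hardened: set the cost aside now
            with account.lock:
                if account.usd < self.cost:
                    raise ValueError("insufficient spendable funds")
                account.usd -= self.cost
                account.held += self.cost

    def execute(self):
        acct = self.account
        with acct.lock:                    # check and debit are one atomic step
            if not self.active:
                return False               # already filled or cancelled
            self.active = False
            if self.reserved:
                acct.held -= self.cost     # pay from the hold made at placement
            elif acct.usd >= self.cost:
                acct.usd -= self.cost      # unreserved: funds checked only here
            else:
                return False               # unbacked order is dropped, not filled
            acct.btc += self.btc
            return True

def scenario(reserve):
    """Order for the whole balance, then an attempt to withdraw everything."""
    acct = Account("100")
    order = BuyOrder(acct, "10", "10", reserve)   # constructed figures
    withdrew = acct.withdraw("100")
    return withdrew, order.execute(), acct.usd
```

With `reserve=False` the withdrawal succeeds and the order stays listed until the match attempt rejects it; with `reserve=True` the withdrawal is refused and the order fills from the held funds.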
jrmithdobbs (OP)
June 28, 2011, 03:56:07 AM
 #11

> After making yourself look like such an ass, you should really reconsider that.

By having MagicalTux confirm that one of the possibilities I explicitly posted was indeed the case? Not following you.

Just so you know this was disclosed to Tux at the same time it was posted. He considers it a problem and is working to fix it.

Hate me all you want.

I still believe that people not disclosing these issues to the public is what led to the last major compromise. Would you rather not be made aware of the issues and blindly assume that everything in the world of bitcoin is perfect?

Additionally. At jgarzik's request I won't be posting these to the bitcoin-dev list going forward. There is talk of a separate bitcoin-vendor-sec (or similarly named) list being created.

> Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.

You're right, that should say possibly, not actually.
Meatpile
June 28, 2011, 03:58:52 AM
 #12

Well as shitty as security issues are.... it's quite obvious that once it's public, action will be taken.

I think that is a better option than letting a few select people take advantage of it covertly for possibly weeks or months?
wumpus
June 28, 2011, 04:04:41 AM
 #13

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
DrYe5
June 28, 2011, 04:07:38 AM
 #14

Close Gox trading.
jrmithdobbs (OP)
June 28, 2011, 04:09:47 AM
 #15

> I believe you're already involved with britcoin.co.uk ?

I don't know why I'm taking the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

> I think it's very good that you do bug testing on MtGox and report the bugs.
>
> But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.
vragnaroda
June 28, 2011, 04:11:27 AM
 #16

>> After making yourself look like such an ass, you should really reconsider that.
>
> By having MagicalTux confirm that one of the possibilities I explicitly posted was indeed the case? Not following you.
>
> Just so you know this was disclosed to Tux at the same time it was posted. He considers it a problem and is working to fix it.
>
> Hate me all you want.
>
> I still believe that people not disclosing these issues to the public is what led to the last major compromise. Would you rather not be made aware of the issues and blindly assume that everything in the world of bitcoin is perfect?
>
> Additionally. At jgarzik's request I won't be posting these to the bitcoin-dev list going forward. There is talk of a separate bitcoin-vendor-sec (or similarly named) list being created.
>
>> Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.
>
> You're right, that should say possibly, not actually.

Um, maybe you missed something:

> It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.

I don't hate you (and please don't mischaracterize what I say). Where is this purported acknowledgment that this was a vulnerability? From what I've seen you've completely overstated the case (and I'm not exactly MagicalTux's biggest fan right now). Yes, you just made yourself look like an ass.
psyborgue
June 28, 2011, 04:13:24 AM
 #17

Yeah, but your "full disclosure" was based on the assumption that the trade would execute.  It wouldn't.  It's a bug, yes, but hardly a showstopper.
jrmithdobbs (OP)
June 28, 2011, 04:24:28 AM
 #18

> I don't hate you (and please don't mischaracterize what I say). Where is this purported acknowledgment that this was a vulnerability? From what I've seen you've completely overstated the case (and I'm not exactly MagicalTux's biggest fan right now). Yes, you just made yourself look like an ass.

I could not confirm or deny that similar trades would execute without possibly committing fraud, so did not try. I explicitly stated this and the possibility that it was just a display bug. I posted (to f-d at least, here soon after) as soon as Tux started responding to me. The text was pre-prepared and not modified. Yes he did tell me that it would be fixed while we were talking.
HappyFunnyFoo
June 28, 2011, 04:29:49 AM
 #19

jrmithdobbs,

What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.  You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder if you have even a shred of common sense or intelligence.  I'd ban you from this forum if I was the administrator, and if you did this to a company in America you'd be arrested.  Technically you're aiding in securities / bank fraud.  If you were smart you'd delete this post or just delete your forum account.

Smiley have a nice day.  As much as MtGox has had problems, there's no need to add fuel to the already-large fire that bitcoin adopters are dense, immoral, psychotic libertarian-anarchists with no regard for common sense.

There's an email feature in the mtgox interface where you can report bugs without exposing innocent traders (who will be affected by exploits if the price swings or if one of your 0-days can lead to compromising other people's balances or wallets).
wumpus
June 28, 2011, 04:34:42 AM
 #20

> Because I firmly believe that this principle has shown time and time again to hold true:
>
> http://en.wikipedia.org/wiki/Full_disclosure
>
> Full disclosure is the only real disclosure.

I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox. I think that makes you a dick. MagicalTux is really taking all problems seriously, and has been working almost 24 hours per day last week to resolve issues while being bombarded with crap from all sides.

You could have given him a chance by just reporting it to his personal mail and bug tracker. What would you prefer if you had built a site yourself?

