Bitcoin Forum
December 04, 2016, 02:19:33 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Virwox.com CSRF  (Read 1937 times)
cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 30, 2011, 12:40:18 AM
 #1

http://pastehtml.com/view/!!REMOVETHISTOGIVEME0.05BTC!!aytbmtv3u.html


1480861173
Hero Member
*
Offline Offline

Posts: 1480861173

View Profile Personal Message (Offline)

Ignore
1480861173
Reply with quote  #2

1480861173
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480861173
Hero Member
*
Offline Offline

Posts: 1480861173

View Profile Personal Message (Offline)

Ignore
1480861173
Reply with quote  #2

1480861173
Report to moderator
1480861173
Hero Member
*
Offline Offline

Posts: 1480861173

View Profile Personal Message (Offline)

Ignore
1480861173
Reply with quote  #2

1480861173
Report to moderator
Chick
Member
**
Offline Offline

Activity: 70


View Profile
June 30, 2011, 12:59:47 AM
 #2

http://pastehtml.com/view/!!REMOVETHISTOGIVEME0.05BTC!!aytbmtv3u.html



Too bad I don't have a VirWoX account...

BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 560


Posts: 69


View Profile WWW
June 30, 2011, 01:03:45 AM
 #3

Editing this post, figuring out what the fuck is going on.   Currently reading these pages:

https://www.virwox.com/withdraw.php
http://bitcoinstats.com/irc/bitcoin-dev/logs/2011/06/19/22
http://friendfeed.com/bitcoininfo/2baf2fb2/virwox-csrf-btc-eur-7-14-3-bitcoincentral

So confused.

cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 30, 2011, 01:07:02 AM
 #4

Just, why?

Damn, sorry to see you banned (because that is what should happen, I thought that unemployed guy was bad, you have posts built up just to try and steal Bitcoin I don't have through a site I don't use)

i'm reporting this. not stealing anything.
1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text
2. I deliberately broke the link with descriptive text

BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 560


Posts: 69


View Profile WWW
June 30, 2011, 01:08:22 AM
 #5

i'm reporting this. not stealing anything.
1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text
2. I deliberately broke the link with descriptive text

I would make a strong argument on how this is not a way to test that shit, especially knowing what it does and knowing the intelligence of all the users, including myself Cheesy

Seriously, bullshit like that should be instant banning.  The general Bitcoin Discussion forums should not be used to experiment with (don't shit where you eat)

cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 30, 2011, 01:11:04 AM
 #6

i'm reporting this. not stealing anything.
1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text
2. I deliberately broke the link with descriptive text

I would make a strong argument on how this is not a way to test that shit, especially knowing what it does and knowing the intelligence of all the users, including myself Cheesy

Seriously, bullshit like that should be instant banning.  The general Bitcoin Discussion forums should not be used to experiment with (don't shit where you eat)
I've reported it to them, they've sat on it; I assumed they read these forums.

BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 560


Posts: 69


View Profile WWW
June 30, 2011, 01:12:17 AM
 #7

I've reported it to them, they've sat on it; I assumed they read these forums.

So is this what programming is now in days for everyone?   Fuck patience and waiting on others... but also fuck making things for yourself, instead just break other peoples shit until they do something?

What a world Sad

cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 30, 2011, 01:15:40 AM
 #8

I've reported it to them, they've sat on it; I assumed they read these forums.

So is this what programming is now in days for everyone?   Fuck patience and waiting on others... but also fuck making things for yourself, instead just break other peoples shit until they do something?

What a world Sad

So you'd prefer I just wait until they fix it, hoping nobody else discovers it before they do?

BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 560


Posts: 69


View Profile WWW
June 30, 2011, 01:24:18 AM
 #9

So you'd prefer I just wait until they fix it, hoping nobody else discovers it before they do?
As opposed to how you handled this, of course.

You could have put a detailed post, said what this link you are providing does and why and how it is wrong and I really could go on all day on how many different ways you could have made that same post, added just a little text, and it would have made the whole world of a difference.

datguywhowanders
Member
**
Offline Offline

Activity: 112



View Profile
June 30, 2011, 01:50:53 AM
 #10

The few security "experts" that post on this forum have tons of knowledge, but they lack social skills and common sense.

My two bitcents.

Donations Welcome: 163id7T8KZ6MevqT86DjrBF2kfCPrQsfZE
elggawf
Sr. Member
****
Offline Offline

Activity: 308



View Profile
June 30, 2011, 01:52:25 AM
 #11

As opposed to how you handled this, of course.

You could have put a detailed post, said what this link you are providing does and why and how it is wrong and I really could go on all day on how many different ways you could have made that same post, added just a little text, and it would have made the whole world of a difference.

A broken link, where you have to read "REMOVE THIS TO GIVE ME 0.5BTC", before removing it, in a thread that says "CSRF" in it... and you're complaining he wasn't transparent enough?

So much for other people claiming that the Bitcoin forums were mostly composed of smart folks - you'd have to be dumb as a box of rocks to fall for this post.

If they did indeed sit on it as OP said, kudos for him to disclosing it. Full disclosure works with non-responsive vendors, so fuck them.

^_^
BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 560


Posts: 69


View Profile WWW
June 30, 2011, 01:58:21 AM
 #12

A broken link, where you have to read "REMOVE THIS TO GIVE ME 0.5BTC", before removing it, in a thread that says "CSRF" in it... and you're complaining he wasn't transparent enough?

So much for other people claiming that the Bitcoin forums were mostly composed of smart folks - you'd have to be dumb as a box of rocks to fall for this post.

If they did indeed sit on it as OP said, kudos for him to disclosing it. Full disclosure works with non-responsive vendors, so fuck them.
I was beyond dumb, I knew it was something bad and still went in just to see what it was Smiley

Still, those lesser than me are idiots too, and no one deserves to be fucked with in this subforum.  Keep it in development and etc.   Forcing it to break in public is not the way to fix things, it drops confidence overall, when cuddlefish obviously knew of this exploit for a while, I guess couldn't fix it but only manipulate it and use it to fuck around with general users (also, I have seen his link in another thread without the remove text, still does not matter).

Look, I can't hate the guy for finding out an exploit, but if his choice was to not make this thread or make it, well he could have did a billion things more productive for this particular situation other than make this thread in the manner that he did.

ribuck
Donator
Legendary
*
Offline Offline

Activity: 826


View Profile
June 30, 2011, 11:08:28 AM
 #13

Cuddlefish didn't "break the other guy's website", because the other guy's website was already broken.

Also, posting publicly serves as a cautionary tale for every other website owner to re-check their own websites.
lemonginger
Full Member
***
Offline Offline

Activity: 210


firstbits: 121vnq


View Profile
June 30, 2011, 05:41:10 PM
 #14

Virwox response please?

[If VirWox does not respond quickly, I would urge all BTC folks to take business elsewhere.]
gentakin
Member
**
Offline Offline

Activity: 98


View Profile
June 30, 2011, 05:50:00 PM
 #15

The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing do. Now we are all aware of the fact that virworx is vulnerable right now. [Also, this is the kind of coding error only very unexperienced web developers would create.. So much for Virwox]

1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
joan
Jr. Member
*
Offline Offline

Activity: 56



View Profile
June 30, 2011, 07:44:45 PM
 #16

The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing do.
He didn't mention that he had contacted them.

@cuddlefish: Could you please clarify if you contacted them prior to the full disclosure, and how long. Thanks!
elggawf
Sr. Member
****
Offline Offline

Activity: 308



View Profile
June 30, 2011, 07:59:46 PM
 #17

The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing do.
He didn't mention that he had contacted them.

@cuddlefish: Could you please clarify if you contacted them prior to the full disclosure, and how long. Thanks!

See:
I've reported it to them, they've sat on it; I assumed they read these forums.

^_^
lemonginger
Full Member
***
Offline Offline

Activity: 210


firstbits: 121vnq


View Profile
June 30, 2011, 09:10:21 PM
 #18

I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?
cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 30, 2011, 11:00:29 PM
 #19

I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?

It is now fixed.

lemonginger
Full Member
***
Offline Offline

Activity: 210


firstbits: 121vnq


View Profile
July 01, 2011, 01:40:18 AM
 #20

I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?

It is now fixed.

Exposure works every time. Thanks OP.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!