Chick
|
|
June 30, 2011, 12:59:47 AM |
|
Too bad I don't have a VirWoX account...
|
|
|
|
|
cuddlefish (OP)
|
|
June 30, 2011, 01:07:02 AM |
|
Just, why?
Damn, sorry to see you banned (because that is what should happen, I thought that unemployed guy was bad, you have posts built up just to try and steal Bitcoin I don't have through a site I don't use)
i'm reporting this. not stealing anything. 1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text 2. I deliberately broke the link with descriptive text
|
|
|
|
BitcoinPorn
|
|
June 30, 2011, 01:08:22 AM |
|
i'm reporting this. not stealing anything. 1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text 2. I deliberately broke the link with descriptive text
I would make a strong argument on how this is not a way to test that shit, especially knowing what it does and knowing the intelligence of all the users, including myself. Seriously, bullshit like that should be instant banning. The general Bitcoin Discussion forums should not be used to experiment with (don't shit where you eat).
|
|
|
|
cuddlefish (OP)
|
|
June 30, 2011, 01:11:04 AM |
|
i'm reporting this. not stealing anything. 1. It's only 0.05 BTC that comes to me IF you manually remove the link-breaking text 2. I deliberately broke the link with descriptive text
I would make a strong argument on how this is not a way to test that shit, especially knowing what it does and knowing the intelligence of all the users, including myself. Seriously, bullshit like that should be instant banning. The general Bitcoin Discussion forums should not be used to experiment with (don't shit where you eat).
I've reported it to them, they've sat on it; I assumed they read these forums.
|
|
|
|
BitcoinPorn
|
|
June 30, 2011, 01:12:17 AM |
|
I've reported it to them, they've sat on it; I assumed they read these forums.
So is this what programming is nowadays for everyone? Fuck patience and waiting on others... but also fuck making things for yourself, instead just break other people's shit until they do something? What a world
|
|
|
|
cuddlefish (OP)
|
|
June 30, 2011, 01:15:40 AM |
|
I've reported it to them, they've sat on it; I assumed they read these forums.
So is this what programming is nowadays for everyone? Fuck patience and waiting on others... but also fuck making things for yourself, instead just break other people's shit until they do something? What a world
So you'd prefer I just wait until they fix it, hoping nobody else discovers it before they do?
|
|
|
|
BitcoinPorn
|
|
June 30, 2011, 01:24:18 AM |
|
So you'd prefer I just wait until they fix it, hoping nobody else discovers it before they do?
As opposed to how you handled this, of course.
You could have put a detailed post, said what this link you are providing does and why and how it is wrong and I really could go on all day on how many different ways you could have made that same post, added just a little text, and it would have made the whole world of a difference.
|
|
|
|
datguywhowanders
|
|
June 30, 2011, 01:50:53 AM |
|
The few security "experts" that post on this forum have tons of knowledge, but they lack social skills and common sense.
My two bitcents.
|
Donations Welcome: 163id7T8KZ6MevqT86DjrBF2kfCPrQsfZE
|
|
|
elggawf
|
|
June 30, 2011, 01:52:25 AM |
|
As opposed to how you handled this, of course.
You could have put a detailed post, said what this link you are providing does and why and how it is wrong and I really could go on all day on how many different ways you could have made that same post, added just a little text, and it would have made the whole world of a difference.
A broken link, where you have to read "REMOVE THIS TO GIVE ME 0.5BTC", before removing it, in a thread that says "CSRF" in it... and you're complaining he wasn't transparent enough?
So much for other people claiming that the Bitcoin forums were mostly composed of smart folks - you'd have to be dumb as a box of rocks to fall for this post.
If they did indeed sit on it as OP said, kudos to him for disclosing it. Full disclosure works with non-responsive vendors, so fuck them.
|
^_^
|
|
|
BitcoinPorn
|
|
June 30, 2011, 01:58:21 AM |
|
A broken link, where you have to read "REMOVE THIS TO GIVE ME 0.5BTC", before removing it, in a thread that says "CSRF" in it... and you're complaining he wasn't transparent enough?
So much for other people claiming that the Bitcoin forums were mostly composed of smart folks - you'd have to be dumb as a box of rocks to fall for this post.
If they did indeed sit on it as OP said, kudos to him for disclosing it. Full disclosure works with non-responsive vendors, so fuck them.
I was beyond dumb, I knew it was something bad and still went in just to see what it was. Still, those lesser than me are idiots too, and no one deserves to be fucked with in this subforum. Keep it in development and etc. Forcing it to break in public is not the way to fix things, it drops confidence overall, when cuddlefish obviously knew of this exploit for a while, I guess couldn't fix it but only manipulate it and use it to fuck around with general users (also, I have seen his link in another thread without the remove text, still does not matter). Look, I can't hate the guy for finding out an exploit, but if his choice was to not make this thread or make it, well he could have done a billion things more productive for this particular situation other than make this thread in the manner that he did.
|
|
|
|
ribuck
|
|
June 30, 2011, 11:08:28 AM |
|
Cuddlefish didn't "break the other guy's website", because the other guy's website was already broken.
Also, posting publicly serves as a cautionary tale for every other website owner to re-check their own websites.
|
|
|
|
lemonginger
|
|
June 30, 2011, 05:41:10 PM |
|
VirWoX response please?
[If VirWoX does not respond quickly, I would urge all BTC folks to take business elsewhere.]
|
|
|
|
gentakin
|
|
June 30, 2011, 05:50:00 PM |
|
The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing to do. Now we are all aware of the fact that VirWoX is vulnerable right now. [Also, this is the kind of coding error only very inexperienced web developers would create. So much for VirWoX]
|
1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
|
|
|
joan
|
|
June 30, 2011, 07:44:45 PM |
|
The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing to do.
He didn't mention that he had contacted them. @cuddlefish: Could you please clarify if you contacted them prior to the full disclosure, and how long. Thanks!
|
|
|
|
elggawf
|
|
June 30, 2011, 07:59:46 PM |
|
The only responsible thing to do after they didn't respond to his report was to make the vulnerability public. So this was the right thing to do.
He didn't mention that he had contacted them. @cuddlefish: Could you please clarify if you contacted them prior to the full disclosure, and how long. Thanks!
See:
I've reported it to them, they've sat on it; I assumed they read these forums.
|
^_^
|
|
|
lemonginger
|
|
June 30, 2011, 09:10:21 PM |
|
I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?
|
|
|
|
cuddlefish (OP)
|
|
June 30, 2011, 11:00:29 PM |
|
I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?
It is now fixed.
|
|
|
|
lemonginger
|
|
July 01, 2011, 01:40:18 AM |
|
I contacted them, they said they "fixed it promptly" after being contacted by OP. Can someone confirm that it is fixed or not?
It is now fixed.
Exposure works every time. Thanks OP.
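Added example, not part of the thread and not VirWoX's code: the class of bug discussed above (a followed link moving funds from a logged-in account) beside the usual fix, a POST-only action that also requires a per-session CSRF token. The handler names, the `Request` type, the session store and the integer amounts are assumptions made for illustration; the thread does not show the site's actual endpoint.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample state: one logged-in user and the token bound to that session.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}

@dataclass
class Request:
    method: str
    cookie: str                      # session cookie, attached by the browser automatically
    params: dict = field(default_factory=dict)

def _move(balances, src, dst, amount):
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount

def vulnerable_transfer(req, balances):
    """Acts on any request with a valid cookie, including a followed link (GET)."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return 401
    _move(balances, session["user"], req.params["to"], req.params["amount"])
    return 200

def hardened_transfer(req, balances):
    """Same action, but only for a POST carrying the session's CSRF token."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return 401
    if req.method != "POST":
        return 405                   # a followed link is a GET; no state change there
    sent = req.params.get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf"]):
        return 403                   # another site cannot read the token to include it
    _move(balances, session["user"], req.params["to"], req.params["amount"])
    return 200

def demo():
    """Replay a cross-site link click, then the site's own form post, on both handlers."""
    link = Request("GET", "sess-alice", {"to": "other", "amount": 5})
    form = Request("POST", "sess-alice", {"to": "bob", "amount": 5,
                                          "csrf_token": SESSIONS["sess-alice"]["csrf"]})
    results = {}
    for name, handler in (("vulnerable", vulnerable_transfer),
                          ("hardened", hardened_transfer)):
        balances = {"alice": 100}
        results[name] = (handler(link, balances), handler(form, balances), balances["alice"])
    return results
```

`demo()` returns the two status codes and the remaining balance per handler; only the vulnerable handler lets the link click change the balance.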