[ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off

[BitcoinPorn]

https://mtgox.com/press_release_20110630.html

CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF

Dear members of the press and Bitcoin community,


I. Background

March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.

II. Bitcoin Sell-Off

On June 20th at approximately 3:00am JST (Japan Time), an unknown person logged in to the compromised admin account, and with the permissions of that account was able to arbitrarily assign himself a large number of Bitcoins, which he subsequently sold on the exchange, driving the price from $17.50 to $0.01 within the span of 30 minutes. With the price low, the thief was able to make a larger withdrawal (approximately 2000 BTC) before our security measures stopped further action.

We would like to note that the Bitcoins sold were not taken from other users’ accounts—they were simply numbers with no wallet backing. For a brief period, the number of Bitcoins in the Mt. Gox exchange vastly outnumbered the Bitcoins in our wallet. Normally, this should be impossible. Unfortunately, the 2000 BTC withdrawn did have real wallet backing and they will be replaced at Mt. Gox’s expense. Again, apart from the compromised admin account, no individual user’s account was manipulated in any way. All BTC and cash balances remain intact.

Given the relatively small amount of damage considering what was potentially possible, we have to question what the true motives of the attacker were. Perhaps the attack simply was not well-orchestrated but the possibility exists that the attacker was more interested in making a statement, hurting Mt. Gox’s reputation, or hurting the public image of Bitcoins in general than he was in any monetary gain.

III. Database Breach

Late last week we discovered a SQL injection vulnerability in the mtgox.com code that we suspect is responsible for allowing an attacker to gain read-only access to the Mt. Gox user database. The information retrieved from that database included plain text email addresses and usernames, unsalted MD5 passwords on accounts that had not logged in since prior to the Mt. Gox ownership transfer, and salted MD5 passwords on those accounts created or logged in to post-ownership transfer. We speculate that the credentials of the compromised admin account responsible for the market crash were obtained from this database. The password would have been hashed but it may not have been strong enough to prevent cracking.

Regrettably, we can confirm that our list of emails, usernames and hashed passwords has been released on the Internet. Our users and the public should know that these hashed passwords can be cracked, and many of our users’ more simple passwords have been cracked. This event highlights the importance of having a strong password, which we will now be enforcing. We strongly encourage all our users to immediately change the passwords of any other accounts that now or previously shared a password with their Mt. Gox account, if they have not done so already.

IV. Present Steps

We have been working tirelessly with other service providers in order to mitigate the potential damage to our users caused by the security breach. We’ve been informing our users to be especially cautious of Bitcoin-related phishing attempts at the email addresses associated with their Mt. Gox accounts. Users should continue to be especially observant of indicators of account compromise with other services—especially email and financial services.

We would like to give a special thanks to the Google team who were extremely proactive about flagging and temporarily locking customer accounts that appeared in our stolen user list. Their quick response no doubt significantly reduced unauthorized account access to Gmail addresses associated with Mt. Gox user accounts.

We’ve been actively researching the origin of the attack that led to the compromise of Mt. Gox’s previous owner’s admin account; however, our priority has been getting the Mt. Gox service back online and getting people access to their funds. We were finally able to simultaneously relaunch the service and launch our new site, with greatly improved security and back end, on June 26th, 2011.

V. Future Steps

The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing and soon will have an option for users to enable a withdraw password that will be separate from their login passwords. Other security measures such as one-time password keys are planned for release very soon as well.

The recent successful attacks on huge institutions like Sony and Citibank remind us that nobody is impenetrable. We are now operating under the presumption that another security breach will happen at some point in the future and we are implementing layers of fail-safe mechanisms to greatly limit the amount of damage possible. Of course, we’re doing our best to make sure those fail-safe mechanisms are never necessary.

While we are making great strides with the advancement of our security, we should remind our users that they too play an important role in securing their accounts. Please use a long password—the standard is not whether a person could guess it but rather whether a computer could guess it—and computers can guess pretty fast. Please do not share passwords across services—where passwords are shared, a compromise at one service means a compromise at all services. Help us help you.

VI. Apology

The truth is that Mt. Gox was unprepared for Bitcoin’s explosive growth. Our dated system was built as a hobby when Bitcoins were worth pennies a piece. It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day.
We can attempt to blame the owner of the compromised account for the recent events but at the end of the day the responsibility to secure the site and protect our users rests with us. The admin account responsible had more permissions than necessary, and our security triggers were not as tight as they could have been.

Since the change of ownership, we have actively been patching holes while at the same time building a new Bitcoin exchange from the ground up. Going forward, we are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community. In the meantime, we sincerely appreciate the patience all our users have shown.

We’ve got a backlog of emails we’re catching up on now but if you have any questions or comments about the recent security breaches and events, Mt. Gox in general, its founder or Bitcoin, please do not hesitate to contact us. We’re reading every message and we’ll get back to you as soon as we can.


Mark Karpeles - CEO
Tibanne Co. Ltd.

https://mtgox.com/press_release_20110630.html

[1715124528]

1715124528

[1715124528]

1715124528

[1715124528]

1715124528

[1715124528]

1715124528

[1715124528]

1715124528

[1715124528]

1715124528

[rebuilder]

So the mystery auditor was Jed...

[dacoinminster]

I'm glad they posted this. I trust them a lot more after seeing this. The only thing missing is the exact number of coins stolen and the address they were sent to. I can't imagine why they didn't make that public.

[chihlidog]

THIS is what I've wanted to hear from them. Nutting up and taking responsibility is a big step. Good job, guys, and I can honestly say that I wish you well.

[BubbleBoy]

What they really need is layered security:
 - a distinct authentication machine that is accessible via a narrow API; no "select * from users" !
 - a distinct trading machine that takes in trading requests, responsible for making the market and tracks the BTC/$ ownership of every user in the system; narrow API: enter buy and sell orders, receive callbacks when they are completed
 - distinct withdrawal machines that make actual bank and bitcoin transactions
 - a front-end machine that runs the PHP interface and is responsible for the user interface

Each interface is logged and monitored, and does not allow someone who attacks the front-end machine to access the rest of the system. The backend machines are firewalled and not accessible by other means than the narrowly defined interface.

As long as they are using a single system running a home-brewed PHP + Mysql application, parametrized queries will not prevent the next breakin.

[Glorious House of Barry]

This is more or less what I've figured all along (although it's interesting to hear that the admin account could just grant himself arbitrary bitcoins; I reckoned instead that somebody had used an admin account to collect bitcoins together from other accounts).

Many thanks to the person, obviously a native English speaker, that actually crafted the press release.

Can we move on now please?

[Tasty Champa]

Now to get everything back in working order like it was before all this mess.

[MeSarah]

Being forthcoming does help. I may be a little less critical of MtGox now but they still have a long way to go to regain my trust. But this is a step in the right direction. Thanks OP for posting the MtGox statement.

[airdata]

Being forthcoming does help. I may be a little less critical of MtGox now but they still have a long way to go to regain my trust. But this is a step in the right direction. Thanks OP for posting the MtGox statement.

Yep.  Good stuff.

[Bunghole]

So what about Kevin?

[DamienBlack]

Hmm.. interesting. I'm surprised to hear that they did have an SQL vulnerability. I thought that the "admin" account is what leaked the database.

And to everyone insisting on no rollback, I hope you can see now that it was necessary. I always assumed it was.

[ius]

Aha, the long-awaited clarification. Turns out the majority of speculations were correct after all.

Still, existence of the SQL injection vulnerability should've been disclosed two weeks ago(!), instead of dodging all speculations.

[RodeoX]

Some degree of withholding information to be expected when you are compromised. Gox may have been concerned that immediately releasing all they knew could aid the people who did this.

[Maged]

Has anybody checked whether jed's password was one that's been publicly leaked yet? I'm interested in how strong it was...

[Nescio]

This is more or less what I've figured all along (although it's interesting to hear that the admin account could just grant himself arbitrary bitcoins; I reckoned instead that somebody had used an admin account to collect bitcoins together from other accounts).

Those are quite possibly the same thing. The blurb is, perhaps intentionally, unclear on the exact details. Where it says "was able to arbitrarily assign himself a large number of Bitcoins" it could be that that large number is the total number of Bitcoins in the system, which would effectively be a pooling of all user balances (not necessarily zeroing out user balances, just a sum/view).

If there are no safeguards to limit admins to a balance that is actually backed, then an attacker could 'create' 50 million BTC and sell as long as there are buy orders. This would of course have to be rolled back.

"We would like to note that the Bitcoins sold were not taken from other users’ accounts—they were simply numbers with no wallet backing." doesn't specify whether there are internal safeguards against going over the backed limit, but it makes it possible.

BTW, saying the withdrawal was prevented by unspecified security measures could mean they had an on-line wallet that was used for small or expected day-to-day withdrawals and perhaps their off-line wallet was accessed once every 24 hours to move funds back and forth as necessary. But the full withdrawal could just as well have been prevented by panic sells and opportunistic buys quickly driving the price up (0.50 USD/BTC for a withdrawal of 2000 BTC with a $1000 limit).

[mewantsbitcoins]

All this "Clarification" BS is fine and dandy, but my account was compromised(or atleast Mt.gox would like me think so) and I can't figure out how. This I know from the logs provided by Mt.gox:

That is not my IP.

While my password was not the most secure, I don't believe it could have been cracked in the short amount of time attackers had. You are welcome to try to crack it:

Code:

5987,mewantsbitcoins,mewantsbitcoins@gmail.com,$1$atDbQTre$lG10yR6hXfmGcdZAZTL.Z1

Out of curiosity I put JTR to work but after 12 hours no luck yet.

You may say that my computer might have been compromised and someone got my password from a keylogger. While I can't be 100% certain, I am fairly confident it wasn't. I work in IT and know few things about IT security. Plus, if that were true and my computer indeed got compromised, my other accounts would have been accessed too, which is not the case.
Note: I don't reuse passwords, so it could not have been a password from another account. This is a one time password and I used it only on one computer. My OS is not Windows.

In general, I have to say - things don't add up from where I stand. If someone gained admin level user account why would they go to the lengths of SQLi to get the database?

I can think of two scenarios where such things would be possible and none of them are compatible with this "Clarification" story.

On an unrelated note, I bought hosting from https://www.kalyhost.com/ which belongs to Mark Karpeles. The server has been down for more than two weeks now and I can't get a response from him despite sending several emails.

To sum up, I've drawn my conclusions, but was highly surprised to see people going back to Mt.gox and trading like nothing has happened. This is EXTREMELY greedy and incompetent individual trying to manage huge amounts of money. It will end up in tears eventually and you'll have no one to blame but yourself.


And before you ask for my tradehill reference code, I don't have one - I think they are shit too. My advice is to stay away from people who can't afford a dedicated server.

[PCRon]

Has anybody checked whether jed's password was one that's been publicly leaked yet? I'm interested in how strong it was...

If it was not publicly leaked, that would be of interest.  I would like to know where the BTC went, and what about Keven?

[jed]

mewantsbitcoins:
Your password was probably brute forced from the user dump like mine was. Mine wasn't super simple either.
> If someone gained admin level user account why would they go to the lengths of SQLi to get the database?
My account still had admin access. They were able to get my account password because of the SQLi

I'm sure Mark is very busy with mtgox so has been neglecting Kalyhost.

Mistakes were obviously made but I don't think Mark is being greedy or incompetent here. He needs to hire more people and he knows this. But which if you have ever tried to do you know takes time which he doesn't have much of these days.

[mewantsbitcoins]

Your password was probably brute forced from the user dump like mine was. Mine wasn't super simple either.

I call this BS. My hash is up there - go and try to brute force it. I guess I'll see you in several years/decades.

> If someone gained admin level user account why would they go to the lengths of SQLi to get the database?
My account still had admin access. They were able to get my account password because of the SQLi

Mt.gox says they he doesn't know:

In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.

Mistakes were obviously made but I don't think Mark is being greedy or incompetent here. He needs to hire more people and he knows this. But which if you have ever tried to do you know takes time which he doesn't have much of these days.

No, it doesn't if you offer adequate reward, hence greedy.

The server has been down for more than two weeks now and I can't get a response from him despite sending several emails

Hence, incompetent.
A monkey can restart server and fire away an email.

And for the conspiracy theorists: could it just be that mt.gox's and your bots

Code:

413,Gox Bot,,$1$my2/Mvxi$kC7BKl1xKgYlbadc/GHSN1
6177,BotBot,jed@mtgox.com,$1$Xqluv5Eq$nkN99S/5DRqbNqUii3oEF1

were "assigning these simply numbers"

We would like to note that the Bitcoins sold were not taken from other users’ accounts—they were simply numbers with no wallet backing. For a brief period, the number of Bitcoins in the Mt. Gox exchange vastly outnumbered the Bitcoins in our wallet.

to themselves for us to enjoy this remarkable growth period? It is fairly easy to make profit when you have access to all the data, isn't it?
Just sayin

[ius]

mewantsbitcoins:
Your password was probably brute forced from the user dump like mine was. Mine wasn't super simple either.
> If someone gained admin level user account why would they go to the lengths of SQLi to get the database?
My account still had admin access. They were able to get my account password because of the SQLi

I'm sure Mark is very busy with mtgox so has been neglecting Kalyhost.

Mistakes were obviously made but I don't think Mark is being greedy or incompetent here. He needs to hire more people and he knows this. But which if you have ever tried to do you know takes time which he doesn't have much of these days.

Why did you still have an account with administrator privileges? Auditing? Why did it still grant additional privileges with respect to being able to modify account balances?

Some degree of withholding information to be expected when you are compromised. Gox may have been concerned that immediately releasing all they knew could aid the people who did this.

Absolute nonesense. If you discover a vulnerability it's your duty to inform your users, doesn't matter whether you are actually compromised or not - there's a risk and you should inform people about it.