it accepted POST requests without verifying they originated from a session connected to Bitfunder
The system does indeed check for sessions. The user must have had a recent and still active session.
-Ukyo
Two different things.
It DID check that there was an active session (NOT what I said).
It did NOT check that the request originated from that session (what I DID say).
As long as the user is logged in, the session is active. Cross-browser or not, it IS being submitted by the active session as the session details are provided.
As you state, it made sure there was an Active session, and it does indeed verify that active session is the one making the POST. What it does not check is if it was a cross site script using that session that was left open by the user, a trojen that runs in the background with hidden browser being used load pages, get proper per-page security tokens, and make requests, etc.
Once the desktop is hacked there are limitations to what can be done. It is not hard to use a background trojan to intercept 2-factor keys either at setup times. This can effect any site.
I have seen many "bot" trojans for games etc that pretend to be the end user and will use active logged in sessions to browse, load pages, even play games for them.
Even banks (I use citibank) now even require you, once logged in, to submit additional security question answers to be able to do most things for this reason.
I am working to add a new level of security that while it may be a bit controversial, will be fully optional, but give one of the most secure methods of protection.
Keep in mind, generating a code per page might stop a cross-browser attack, effectively becoming a per-page 2-factor, but it wont stop infections from generating on and using it.
With this said, you will also see per-page key generation within a few days that all submits will be required to adhere to. Triple checking the functionality on all posts and making sure no other problems are created, and it works exactly as intended are the current main focus right now.
On a side note, I can say that many users (less than 25 users) who were hit with transfers, had one time no-bad-password logins from different ips, who did transfers. We have seen a large user/email/pass list attempt on both bitfunder and weexchange from a botnet which we put some protections in place from. Ultimately, all we can do is try to recognize and ban/block those ips, as well as slow them down, and inform any recognized accounts that they are in danger. We had seen thousands of login attempts that mostly did not work, for accounts that never existed on either site.
-Ukyo
