Bitcoin Forum
Pages: « 1 [2] 3 »
Author Topic: LocalBitcoins.com exploit!  (Read 6073 times)
tclo
Hero Member
September 13, 2013, 05:50:48 AM
#21

Quote
Localbitcoins is one of the few places where I can pick up some BTC with PayPal (at a premium, of course). I hope this doesn't affect traders...

Of course it's going to affect everyone. I don't even feel comfortable using the site now that I just lost about $300+ in bitcoin. It could have been much worse too, because I had about 11 BTC on there just a couple of hours earlier. Thank goodness I sold most of it before then.
melon
Full Member
September 13, 2013, 05:55:22 AM
#22

Did the site offer 2FA on individual user accounts? I've never used the site but was eventually thinking of trying it... I think I'll wait!
tclo
Hero Member
September 13, 2013, 05:57:04 AM
#23

Quote
Did the site offer 2FA on individual user accounts? I've never used the site but was eventually thinking of trying it... I think I'll wait!

Yes, I had two-factor enabled on my other acct, but not on this one. I hadn't gotten around to putting it on this one, which turned out to be a big mistake. But it wasn't even a problem with someone hacking my password or anything else... it was a flaw with the LBC site. Although I should have enabled it; just a costly bit of laziness there.
DannyHamilton
Legendary
September 13, 2013, 06:13:44 AM
#24

Quote
Many lost over 5 BTC. Not sure how much is true, but most of the posters there are decent sellers.

Have you personally lost anything?

I expect to be out 4.7 bitcoins depending on how they resolve the issue.

Turns out I lost nothing.

They re-enabled the withdrawals, and I was able to pull out my 4.7 BTC.

The last claim I saw, they stated that they would restore all accounts that lost bitcoins to the hack/scam.

mrkent
Sr. Member
September 13, 2013, 06:32:03 AM
#25

Quote
Turns out I lost nothing.

They re-enabled the withdrawals, and I was able to pull out my 4.7 BTC.

The last claim I saw, they stated that they would restore all accounts that lost bitcoins to the hack/scam.

Where did you see that?

Anyone interested in joining a bailout fund in exchange for equity with localbitcoins? I've been interested in their equity for a while now, but they've never needed funding until perhaps now. It's been generally an excellent service but lately, they've been pushing out new features very fast. Even some simple UI changes can do the site a lot of good.

spiccioli
Legendary
September 13, 2013, 06:35:29 AM
#26

Quote
Turns out I lost nothing.

Same for me, I pulled out my 2.4 BTC, but I've been idle for weeks on localbitcoins, so I did not read anything from the site.

spiccioli
sturle
Legendary
September 13, 2013, 07:21:44 AM
#27
Quote
a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu

Most of those transactions date back to June or earlier. Is the bug that old?
willphase
Hero Member
September 13, 2013, 07:52:57 AM
#28
Quote
a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu

Most of those transactions date back to June or earlier. Is the bug that old?

The address in the script is actually 12PLw9HYoK6BguB1w4QcNBKzmRANJ5bj2c, so it looks like less than 100 has been stolen. The bug was a plain XSS; localbitcoins seemed to correctly use a CSRF token, but since this wasn't CSRF (the JavaScript was running in the context of localbitcoins.com) it didn't help.

The solution (in retrospect, so not particularly helpful, but perhaps others will learn from this) is to do what Google does and put all unsanitised user content (e.g. attachments, forums, anything the user can control) on a separate domain. E.g. Google uses the domain googleusercontent.com for all Gmail attachments; then even if an attacker is able to get JavaScript running, it has no access to the real site due to the same-origin policy.

Will
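
As an added illustration of the separate-origin approach Will describes (example code written for this page, not LocalBitcoins' or Google's own), the following Python routes requests for uploaded documents by Host header: the application origin never serves user-controlled bytes, and the dedicated content origin serves them only as an inert attachment. The two hostnames, the in-memory upload store and the Response type are constructed assumptions; the cookie-matching helper follows RFC 6265 domain matching to show why a session cookie scoped to the application host never reaches the content host.

```python
"""Serve user uploads from a separate origin so that any script inside an
upload runs outside the application's origin. Constructed example; the
hostnames and the upload store are assumptions, not real infrastructure."""
from dataclasses import dataclass, field
from typing import Dict

APP_ORIGIN = "app.example.com"               # assumed: session cookie lives here
CONTENT_ORIGIN = "usercontent.example.net"   # assumed: separate registrable domain

# Headers that keep an uploaded file inert even on the content origin:
# download-only, no MIME sniffing, and a CSP sandbox if it is ever rendered.
INERT_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": "attachment",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'",
}

# Constructed sample store: an ordinary image and an HTML document that
# carries script, the kind of upload the thread is about.
UPLOADS: Dict[str, bytes] = {
    "passport.png": b"\x89PNG\r\n\x1a\n",
    "statement.html": b"<html><script>alert(1)</script></html>",
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def serve_upload(host: str, name: str) -> Response:
    """Route an upload request according to the Host header."""
    if host == APP_ORIGIN:
        # Never emit user-controlled bytes from the application origin;
        # send the browser to the content origin instead.
        return Response(302, {"Location": f"https://{CONTENT_ORIGIN}/uploads/{name}"})
    if host != CONTENT_ORIGIN:
        return Response(404)
    data = UPLOADS.get(name)
    if data is None:
        return Response(404)
    return Response(200, dict(INERT_HEADERS), data)


def cookie_is_sent(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain matching: a cookie is attached only to requests for its
    own host or for subdomains of its Domain attribute."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


if __name__ == "__main__":
    for host in (APP_ORIGIN, CONTENT_ORIGIN):
        r = serve_upload(host, "statement.html")
        print(host, r.status, r.headers)
    print("session cookie reaches content origin:",
          cookie_is_sent(APP_ORIGIN, CONTENT_ORIGIN))
```

The content origin is a different registrable domain on purpose: a sibling subdomain such as files.example.com would still receive any cookie whose Domain attribute was set to example.com, so the isolation would depend on how every cookie is scoped rather than on the origin boundary itself.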

Itcher
Full Member
September 13, 2013, 08:15:09 AM
#29
Over and over and over and over again... I come to the conclusion that the overwhelming proportion of bitcoin users and bitcoin startups simply lack the basic mental requirements to deal with something like money. Events like this make me miss my good old banker, who is completely incompetent at giving any advice but knows how not to raise conflict with the law and gives me the security that my money stays even when the IT system fails.

Bitcoin has a long, long way to go.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever in the system, ready for the future - but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Tell me: who of you has any idea how the money business works? Who of you has a degree in economics? Who of you has ever seen a bank office from the inside?

Don't write code, go to your local bank, ask for an internship and learn how money works.
herzmeister (OP)
Legendary
September 13, 2013, 08:18:01 AM
#30

localbitcoins.com has optional 2FA, but that only applies to logon, not to withdrawals; you're already logged on when that happens.

Quote
a simple HTML with JavaScript that steals the current user's bitcoins from their on-site wallet.

over 1000 BTC stolen already.
https://blockchain.info/address/1EfEy1Ms6swbnfsL3VfLiY3asf9dhDCoCu

Most of those transactions date back to June or earlier. Is the bug that old?

Sorry, false report then, it seems; although I believe the damage is way over 80 BTC if you skim over their forums.
GoldSilverBitcoin
Member
September 13, 2013, 08:20:45 AM
#31

Regardless, the community should create alternative websites. Perhaps a coder could even pool the p2p listings across multiple websites.

sturle
Legendary
September 13, 2013, 08:38:12 AM
#32
Quote
Sorry, false report then, it seems; although I believe the damage is way over 80 BTC if you skim over their forums.

I see some people yelling and calling their lawyers. People who have enough BTC in an online wallet to pay a lawyer to do anything meaningful about this are incompetent in the first place. Fees for a decent lawyer start at 4 BTC an hour at least, and this involves dealings with a foreign company (most likely). I wasn't affected, but if I was I would certainly sit back and see how it turned out before calling anyone. A couple of weeks of trading fees is enough to reimburse all users. Stupid USAnians seem to cling to their lawyers every time something unexpected happens.
Nemesis
Sr. Member
September 13, 2013, 09:09:11 AM
#33
Quote
Over and over and over and over again... I come to the conclusion that the overwhelming proportion of bitcoin users and bitcoin startups simply lack the basic mental requirements to deal with something like money. Events like this make me miss my good old banker, who is completely incompetent at giving any advice but knows how not to raise conflict with the law and gives me the security that my money stays even when the IT system fails.

Bitcoin has a long, long way to go.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever in the system, ready for the future - but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Tell me: who of you has any idea how the money business works? Who of you has a degree in economics? Who of you has ever seen a bank office from the inside?

Don't write code, go to your local bank, ask for an internship and learn how money works.

What an idiot.

Most online banking in the US is unsecured without 2FA. Many experts have spoken about this. In Europe, many banks give their customers a card reader as a form of 2FA for online banking.

Banks don't give you your money back if your online banking password is compromised (go read the damn fine print). Your good old bankers have given you a false sense of security.

Same with credit card "smart" chips: they use them to protect merchants, NOT the card holders. Anyone can pick up your card and somehow guess your PIN (believe it or not, many people use their birthdate as their PIN) and go on a shopping spree. In the good old days without smart chips, the merchant had to check the signature on the back of your card for every single transaction.

Yeah, those are experts!
Itcher
Full Member
September 13, 2013, 09:31:42 AM
#34
Quote
Over and over and over and over again... I come to the conclusion that the overwhelming proportion of bitcoin users and bitcoin startups simply lack the basic mental requirements to deal with something like money. Events like this make me miss my good old banker, who is completely incompetent at giving any advice but knows how not to raise conflict with the law and gives me the security that my money stays even when the IT system fails.

Bitcoin has a long, long way to go.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever in the system, ready for the future - but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Tell me: who of you has any idea how the money business works? Who of you has a degree in economics? Who of you has ever seen a bank office from the inside?

Don't write code, go to your local bank, ask for an internship and learn how money works.

What an idiot.

Most online banking in the US is unsecured without 2FA. Many experts have spoken about this. In Europe, many banks give their customers a card reader as a form of 2FA for online banking.

Huh? Every bank account I have used for the last ten years uses simple 2FA by SMS.

Quote
Banks don't give you your money back if your online banking password is compromised (go read the damn fine print). Your good old bankers have given you a false sense of security.

They use 2FA. I don't know what your point is.

Quote
Same with credit card "smart" chips: they use them to protect merchants, NOT the card holders. Anyone can pick up your card and somehow guess your PIN (believe it or not, many people use their birthdate as their PIN) and go on a shopping spree. In the good old days without smart chips, the merchant had to check the signature on the back of your card for every single transaction.

If someone uses his birthday as a PIN, nobody can help him. And even in this case: one call to your bank (most offer emergency lines), and the card is closed. Most cards have a transaction limit of 1,500 / day, so the damage is reduced. Often the transaction isn't processed at that moment and will never be processed, or it can be charged back. My EC card was stolen several times and I didn't lose a cent.

Also: every bank has insurance. If their IT fails, the insurance covers the customers' accounts. If there are provable fraudulent transactions, the insurance pays. And so on.

The only risk I know of is those stupid shops which accept EC by signature. But even in this case, if someone shops for thousands of euros: if you can prove it was not your signature, then the insurance will pay. And you will be able to prove it, because every shop needs to save the bills. If it doesn't, its insurance has to pay.

On Bitcointalk nearly every day I find a thread about fraud or scam, someone who loses his account on a wallet due to hackers or stupidity. If either happens with a bank, in most cases they get their money back. Here I have seen nearly no case where anybody could help them get their money back. No chance. Whoever has your private key can transact your money to his address and there's absolutely no chance you ever get it back.

blockchain.info is the only case I know of which replaced the amount, out of their own money. This is the way it has to be; this gives me hope.

The problem is not the code. Bitcoin's code is by far better than bankers' code. The problem is the organization, or rather the lack of professional organisation. I hope it will come, but by now bitcoin is the most user-unfriendly kind of money that ever existed.

My totally incompetent banker offers me an insurance system and a banking system and a law system which were made to protect me as a consumer.

I don't say bitcoin won't have this. I hope it will.

BitAddict
Legendary
September 13, 2013, 09:33:42 AM
#35
Quote
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into. WHEN WILL PEOPLE LEARN!?

Quote
People keep putting coins into online wallets whose security they don't know crap about! WHEN WILL PEOPLE LEARN?

You need to leave the bitcoins in the wallet if you want to sell them. Exactly the same if you want to sell them in another marketplace like Mt.Gox or Bitstamp.
If you don't want to use these services you need to sell privately without escrow... and I trust a company more than the average private seller... How did you buy your bitcoins, sir?
justusranvier
Legendary
September 13, 2013, 11:37:44 AM
Last edit: September 13, 2013, 12:05:08 PM by justusranvier
#36
Quote
The problem is not the code. Bitcoin's code is by far better than bankers' code. The problem is the organization, or rather the lack of professional organisation. I hope it will come, but by now bitcoin is the most user-unfriendly kind of money that ever existed.

My totally incompetent banker offers me an insurance system and a banking system and a law system which were made to protect me as a consumer.

I don't say bitcoin won't have this. I hope it will.
I expect a system which provides those services will exist within six months.
Itcher
Full Member
September 13, 2013, 11:55:43 AM
#37
Quote
The problem is not the code. Bitcoin's code is by far better than bankers' code. The problem is the organization, or rather the lack of professional organisation. I hope it will come, but by now bitcoin is the most user-unfriendly kind of money that ever existed.

My totally incompetent banker offers me an insurance system and a banking system and a law system which were made to protect me as a consumer.

I don't say bitcoin won't have this. I hope it will.

I expect a system which provides those services will exist within six months.

You're joking?

Such systems need years to eat through regulation walls, they need billions in the background to make insurance profitable, and they need years of organizing and planning and so on. There is no shortcut.

There are miles between this and every actual company involved in bitcoin atm.

We'll see it in years. Maybe. If the interest in bitcoins survives.
tclo
Hero Member
September 13, 2013, 12:02:08 PM
#38
I got this from LBC, and they were true to their word:

"Hi,

As you all probably know, there was a security exploit on LocalBitcoins.com document uploads allowing one user to steal wallet funds with a specially crafted file.

You are being contacted for the reimbursement. We will pay reimbursements automatically for those users who have enabled two-factor authentication since the incident.

If you don't have two-factor authentication enabled and still want the reimbursement right away, just reply to this email. You can also request the reimbursement directly to some other bitcoin address.

For the rest we will reserve some time, so that people can enable two-factor protection. You can enable two-factor even without a smartphone with desktop applications and feature phone apps. See more info about the two-factor authentication here https://localbitcoins.com/guides/security#two-factor

Sincerest apologies for the incident.

- Jeremias Kangas / LocalBitcoins.com"

I enabled two factor and the stolen BTC are back in my acct now.
justusranvier
Legendary
September 13, 2013, 12:07:44 PM
#39
Quote
Such systems need years to eat through regulation walls, they need billions in the background to make insurance profitable, and they need years of organizing and planning and so on. There is no shortcut.

We'll see.

BTW, I consider dealing with regulation-walls to be a waste of time and resources. Limiting Bitcoin business models to only the ones sanctioned by governments is like inventing the automobile but artificially restricting it to horse-drawn carriage speeds.
escrow.ms
Legendary
September 13, 2013, 12:12:52 PM
Last edit: September 13, 2013, 12:51:27 PM by escrow.ms
#40
They should enable email-based authentication or at least security questions for bitcoin withdrawals.
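
herzmeister (#30) points out that 2FA at logon does nothing once script is already running inside a logged-in session, and escrow.ms (#40) asks for a separate check on withdrawals. As an added example of that kind of step-up check (example code written for this page, not LocalBitcoins code; the site's actual 2FA mechanism is not described in the thread), the Python below implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library and a withdrawal guard that requires a fresh, single-use code at withdrawal time, so a live session alone is never sufficient to move funds. The `WithdrawalGuard` class, its clock-skew window and the replay set are constructed assumptions; the seed in the demo is the published RFC 4226 test secret.

```python
"""Step-up authentication at withdrawal time: a logged-in session alone is not
enough to move funds; a fresh TOTP code is required and each code is burned
after one use. Constructed example; the guard class and its policy are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: int, step: int = 30) -> int:
    """RFC 6238 time counter: number of whole steps since the Unix epoch."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, totp_counter(unix_time, step), digits)


@dataclass
class WithdrawalGuard:
    """Per-user withdrawal gate (assumed design, not the site's own)."""
    secret: bytes                      # the user's TOTP seed, held server-side
    step: int = 30
    skew: int = 1                      # accept +/- one step of clock drift
    used_counters: Set[int] = field(default_factory=set)   # replay protection

    def authorize(self, logged_in: bool, code: str, now: int) -> bool:
        """Return True only if the session is live AND the supplied code is a
        valid, not-yet-used TOTP value for a counter inside the skew window.
        A matching counter is recorded so the same code cannot be replayed."""
        if not logged_in:
            return False
        base = totp_counter(now, self.step)
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter in self.used_counters:
                continue
            expected = hotp(self.secret, counter)
            # constant-time comparison; the code is attacker-controlled input
            if hmac.compare_digest(expected, code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 4226 test secret, not a real key
    guard = WithdrawalGuard(seed)
    print("code at t=59:", totp(seed, 59))                  # 287082 per RFC 6238
    print("first use:", guard.authorize(True, "287082", 59))   # True
    print("replay:", guard.authorize(True, "287082", 59))      # False
    print("no session:", guard.authorize(False, "287082", 59)) # False
```

The point of the design is the `logged_in and code` conjunction: the check runs at the moment funds leave the account, with a secret the browser session never holds, so a compromised page context cannot supply it. Email confirmation or a hardware token fit the same slot; what matters is that the factor is bound to the withdrawal, not to the earlier login.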