davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
February 07, 2011, 09:34:01 PM
Yes it is.
However, this kind of URL is easily used in CSRF exploits.
ShadowOfHarbringer
Legendary
Offline
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
February 08, 2011, 12:08:19 AM
https://mtgox.com/users/login?username=my_login&password=my_password MTGOX! WAKEUP!!! OMG, this is serious. These are security basics...
bitcool
Legendary
Offline
Activity: 1441
Merit: 1000
Live and enjoy experiments
February 08, 2011, 05:21:55 AM
https://mtgox.com/users/login?username=my_login&password=my_password MTGOX! WAKEUP!!!
but this GET does not work.... the javascript behind the login page is clearly using POST:
var name=$("#username").val();
var pass=$('#password').val();
$.post("/code/login.php", { "name": name , "pass": pass }, onServer , "json" );
where/how did you get your URL?
LZ
Legendary
Offline
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 08, 2011, 08:28:05 AM
I hope so. I got it in my address bar while I pressed the Login button.
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
February 08, 2011, 10:52:22 AM
Maybe you should contact mtgox before spreading FUD like this. It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted. These are security basics...
And you seem not to have a clue about them
carp
Member
Offline
Activity: 82
Merit: 10
February 08, 2011, 12:56:49 PM
Maybe you should contact mtgox before spreading FUD like this. It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted. These are security basics...
And you seem not to have a clue about them
Heh nice. However... it does at least LOOK bad, and that will always be enough to make someone sound the alarms once in a while. I would highly encourage cleaning that up, if only to look a little more... "professional", but also to avoid freaking people out.
LZ
Legendary
Offline
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 08, 2011, 08:28:12 PM
Maybe you should contact mtgox before spreading FUD like this.
Yeah, you are right. Sorry for that. It just looks quite scary.
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
February 09, 2011, 01:13:43 AM
Maybe you should contact mtgox before spreading FUD like this.
Yeah, you are right. Sorry for that. It just looks quite scary.
I did notice this several days ago - mentioned the same thing in an e-mail to Jed - because I observed this in my address bar. Jed replied that the site indeed uses POST, but I indeed still see this in my address bar. Is it secure? Well... depends. Sure, it goes over HTTPS. But what about any toolbar that looks at your URLs and silently sends them somewhere (common)? Even IE in its most basic configuration sends URLs you visit to Microsoft for the purpose of "smart screen" filtering. Also it sits in your browser history, and can be seen by later users of the machine if they type the beginning of the URL. So that is why indeed it's a concern. I have only observed this within IE; if I use, for example, Safari, I don't see this. If you're seeing this, and I'm seeing it too, then it's a problem, and not FUD. Also a concern is the password retrieval feature. Anyone who can read your e-mail can access your account and there is no apparent way to control this.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
LZ
Legendary
Offline
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 09, 2011, 06:18:44 PM
I saw it using Firefox, but did not see it within Chrome. Seems that WebKit does not show it.
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
February 09, 2011, 06:34:26 PM
https://mtgox.com/users/login?username=my_login&password=my_password MTGOX! WAKEUP!!!
but this GET does not work.... the javascript behind the login page is clearly using POST:
var name=$("#username").val();
var pass=$('#password').val();
$.post("/code/login.php", { "name": name , "pass": pass }, onServer , "json" );
where/how did you get your URL?
Worth noting is that the variables on the query string are "username" and "password", which differ from the variable names passed in the call to $.post ("name" and "pass"). The $.post call is then apparently unrelated to the problem. (I confirmed that I see "username" and "password" in my address bar as well.) This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password. As a workaround, would adding method="POST" to the form help? (Currently it is not specified; it relies on onsubmit returning false, but if this is misunderstood by some browsers, at least an accidental POST would be far cleaner than an accidental GET, which I understand is the default?)
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
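An added check, not code from the thread or from mtgox, that mimics the browser rule casascius is asking about: a form with no method attribute submits via GET, so once the onsubmit handler fails the fields end up in the query string. The script flags any form that holds a password field without method="post" and shows the URL shape the browser would build; the sample form and the exchange.example host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin


class FormCollector(HTMLParser):
    """Collects each <form> with its action, effective method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # No method attribute means GET: the defect the thread is discussing.
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name", ""), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, base_url):
    """Return, for every form that would send a password field via GET, the URL
    shape the browser would build (values redacted) so the form can be fixed."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        has_password = any(t == "password" for _, t in form["inputs"])
        if has_password and form["method"] != "post":
            names = [n for n, _ in form["inputs"] if n]
            query = urlencode({n: "REDACTED" for n in names})
            findings.append(urljoin(base_url, form["action"]) + "?" + query)
    return findings


# Constructed sample: the shape the thread describes (no method attribute, the
# real submission meant to happen from JavaScript) and the hardened variant.
LEAKY_FORM = ('<form action="/users/login" onsubmit="return doLogin()">'
              '<input name="username"><input name="password" type="password">'
              '<input type="submit" value="Login"></form>')
SAFE_FORM = LEAKY_FORM.replace("<form ", '<form method="post" ', 1)
```

Adding method="post" only keeps the credentials out of the URL; the thread's other points (history, toolbars, the e-mail password reset) need their own fixes.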
bitcool
Legendary
Offline
Activity: 1441
Merit: 1000
Live and enjoy experiments
February 09, 2011, 10:09:55 PM
This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.
Thanks. Every once in a while, I need to be reminded there's a browser called "IE" that people still use, sorry.
ShadowOfHarbringer
Legendary
Offline
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
February 11, 2011, 06:44:50 PM
Maybe you should contact mtgox before spreading FUD like this. It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted. These are security basics...
And you seem not to have a clue about them
Because you seem to have said so, of course... FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell. FYI-2, I know "something" about security, but I have no need to explain myself to you.
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
February 11, 2011, 06:56:42 PM
FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell. FYI-2, I know "something" about security, but I have no need to explain myself to you.
So, why are you coming back and editing your posts if you don't care?
Nefario
February 11, 2011, 07:06:10 PM
FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell. FYI-2, I know "something" about security, but I have no need to explain myself to you.
So, why are you coming back and editing your posts if you don't care?
Point 1, explanation. Point 2, fuck you, that's why!
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com
ShadowOfHarbringer
Legendary
Offline
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
February 11, 2011, 09:15:31 PM
FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell. FYI-2, I know "something" about security, but I have no need to explain myself to you.
So, why are you coming back and editing your posts if you don't care?
You are putting things on my keyboard that I didn't write. I never said that I don't care HERE. Perhaps I didn't care in some other thread. PS. SERIOUSLY dude. What is your problem? Just to remind you - it was you who started insulting me. We could have a polite conversation but no - you like a shitfight better.
LZ
Legendary
Offline
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 11, 2011, 09:38:42 PM
Is there any reason for this dispute? Shake hands with each other, okay?
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
bitcool
Legendary
Offline
Activity: 1441
Merit: 1000
Live and enjoy experiments
February 11, 2011, 10:20:55 PM
Hey, I wish I could afford one like this too: (everybody with bitcoin seems to have one) Just kidding.
foof
Newbie
Offline
Activity: 3
Merit: 0
March 06, 2011, 02:52:57 AM
Is this thread still alive? I've seen this just now. I would like to ask what a dictionary attack is. If it is what I think it is, it is really unlikely that it could have happened.
Firstly, a dictionary attack means that somebody has used a dictionary word for his password, or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low; let's assume just common/simple words and the English language), you use 3 of them stuck together, suppose you even use all lowercase characters, no digits and no spaces; it still means the attacker has to brute-force 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average to crack the password.
Over the network, with SSL authentication (that's overhead), I don't think the attacker could really try more than 1000 passwords per second; after that it becomes a bandwidth and CPU attack against mtgox, resulting in DoS. Even at this speed it would take an average of 10 years of continuous attempts to crack one single password, with nobody noticing anything in the meantime. I don't see this as likely *at all*.
A different thing is if the attacker was able to download the file of hashed passwords by first hacking the mtgox website database with MySQL injection. After that he could perform the dictionary attack locally on his PC (as opposed to over the network). At this point 3 words stuck together becomes feasible and 4 words is so-so. Also, I read people speaking about rainbow attacks: again, these are feasible only if the attacker could download the hashed passwords file.
But at this point one wonders: if the hacker is able to hack the DB and download the hashed passwords file from the website, why isn't he able to just log in to the victim's account or change the victim's password to something known to him?
So I don't really see this clearly. How did this attack really happen?
Would the people who got their account hacked (who hopefully changed their password by now) be willing to disclose their old password, so we have an idea of how weak it was and how this hack could actually have happened?
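An added calculation, not part of the post, that carries foof's keyspace model through with his own figures (3000 words, 3 words stuck together, 1000 guesses per second over the network) and sets it beside the offline case he raises for a dumped hash file. The offline rate and the word-plus-digits pattern are assumptions, marked in the code.

```python
def keyspace_word_concat(dictionary_size, words):
    """Passwords built from `words` dictionary entries stuck together (foof's model)."""
    return dictionary_size ** words


def keyspace_word_plus_digits(dictionary_size, digits):
    """Assumed pattern: one dictionary word followed by `digits` decimal digits."""
    return dictionary_size * 10 ** digits


def expected_seconds(keyspace, guesses_per_second):
    """Expected time to hit one password: half the keyspace on average, as the post says."""
    return keyspace / 2 / guesses_per_second


def human(seconds):
    """Render a duration in the largest unit that fits, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


ONLINE_RATE = 1_000            # the post's own figure for guesses sent over SSL
OFFLINE_RATE = 1_000_000_000   # assumption: local cracking of a fast, unsalted hash


def compare(keyspace):
    """Online (network-limited) versus offline (dumped hash file) expected time."""
    return {"online": human(expected_seconds(keyspace, ONLINE_RATE)),
            "offline": human(expected_seconds(keyspace, OFFLINE_RATE))}


if __name__ == "__main__":
    for label, ks in (("3 words from 3000", keyspace_word_concat(3000, 3)),
                      ("4 words from 3000", keyspace_word_concat(3000, 4)),
                      ("1 word + 2 digits", keyspace_word_plus_digits(3000, 2))):
        print(f"{label}: {ks:,} guesses -> {compare(ks)}")
```

The same keyspace that is a multi-month exercise at the network rate collapses to seconds once the hashes are local, which is why the post's distinction between the two cases matters more than the exact word count.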
Dude65535
March 06, 2011, 03:29:09 AM
Generally a dictionary attack would be done with a pregenerated list of common passwords sorted by frequency of use.
1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT
carp
Member
Offline
Activity: 82
Merit: 10
March 06, 2011, 07:32:21 AM
Firstly, a dictionary attack means that somebody has used a dictionary word for his password, or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low; let's assume just common/simple words and the English language), you use 3 of them stuck together, suppose you even use all lowercase characters, no digits and no spaces; it still means the attacker has to brute-force 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average to crack the password.
Well, kinda. Firstly, stringing words together isn't the most common of things people do. Shit, even I use one-word dictionary passwords in some places. Common is a dictionary word, or a word with numbers at the end, more likely than not all lower case.... some words are more common than others... in any case, there are optimizations that reduce the effective keyspace. Also, hashes can have collisions. Technically, you don't need to guess THE password, just something that hashes to the same value (unlikely, but no way to rule out collisions). Then there is the number of accounts. Maybe instead of scanning one account for all possible good passwords, you just try lots of different accounts in the set of bad ones? Remember, even in the HBGary hacks, a security company, BOTH the founder and the CEO had 6 char, all lower case passwords with numbers at the end (or so the claim goes). All that said, I am skeptical of dictionary attacks. More likely attacks, to my mind? Well, again back to the HBGary hack... same password on multiple accounts, anyone? I almost guarantee that you go to ANY forum on the net, including this one, post a link to a site you own, with some reason to register, and you will get a list of usernames and passwords that are probably valid on other sites. Do it here, and the chances they work on mtgox.... well.... you get the picture.