Bitcoin Forum
Topic: MtGox account compromised (page 8 of 9)

davout
February 07, 2011, 09:34:01 PM
#141

Yes it is.

However, this kind of URL is easily used in CSRF exploits.

ShadowOfHarbringer
February 08, 2011, 12:08:19 AM
#142

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

OMG, this is serious.
These are security basics...

bitcool
February 08, 2011, 05:21:55 AM
#143

> Code:
> https://mtgox.com/users/login?username=my_login&password=my_password
> MTGOX! WAKEUP!!!

but this GET does not work....
the javascript behind the login page is clearly using POST:
Code:
// read the two form fields and POST them to the login endpoint; onServer handles the JSON reply
var name=$("#username").val();
var pass=$('#password').val();
$.post("/code/login.php", { "name": name , "pass": pass  }, onServer , "json" );
where/how did you get your URL?

LZ
February 08, 2011, 08:28:05 AM
#144

I hope so. I got it in my address bar while I pressed the Login button.

My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362

davout
February 08, 2011, 10:52:22 AM
#145

Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

> These are security basics...
And you seem not to have a clue about them :)

carp
February 08, 2011, 12:56:49 PM
#146

> Maybe you should contact mtgox before spreading FUD like this.
> It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.
>
>> These are security basics...
> And you seem not to have a clue about them :)

Heh nice. However... it does at least LOOK bad, and that will always be enough to make someone sound the alarms once in a while. I would highly encourage cleaning that up, if only to look a little more... "professional", but also to avoid freaking people out.

LZ
February 08, 2011, 08:28:12 PM
#147

> Maybe you should contact mtgox before spreading FUD like this.
Yeah, you are right. Sorry for that. It just looks quite scary.

casascius (Mike Caldwell)
February 09, 2011, 01:13:43 AM
#148

>> Maybe you should contact mtgox before spreading FUD like this.
> Yeah, you are right. Sorry for that. It just looks quite scary.

I did notice this several days ago - mentioned the same thing in an e-mail to Jed - because I observed this in my address bar. Jed replied that the site indeed uses POST, but I still see this in my address bar.

Is it secure? Well... depends. Sure, it goes over HTTPS. But what about any toolbar that looks at your URLs and silently sends them somewhere (common)? Even IE in its most basic configuration sends URLs you visit to Microsoft for the purpose of "smart screen" filtering. Also it sits in your browser history, and can be seen by later users of the machine if they type the beginning of the URL. So that is why indeed it's a concern. I have only observed this within IE; if I use for example Safari, I don't see this.

If you're seeing this, and I'm seeing it too, then it's a problem, and not FUD.

Also a concern is the password retrieval feature.  Anyone who can read your e-mail can access your account and there is no apparent way to control this.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.

LZ
February 09, 2011, 06:18:44 PM
#149

I saw it using Firefox, but did not see it within Chrome. Seems that WebKit does not show it.

casascius (Mike Caldwell)
February 09, 2011, 06:34:26 PM
#150

>> Code:
>> https://mtgox.com/users/login?username=my_login&password=my_password
>> MTGOX! WAKEUP!!!
> but this GET does not work....
> the javascript behind the login page is clearly using POST:
> Code:
> // read the two form fields and POST them to the login endpoint; onServer handles the JSON reply
> var name=$("#username").val();
> var pass=$('#password').val();
> $.post("/code/login.php", { "name": name , "pass": pass  }, onServer , "json" );
> where/how did you get your URL?

Worth noting is that the variables on the query string are "username" and "password", which differ from the variable names passed in the call to $.post ("name" and "pass").  The $.post call is then apparently unrelated to the problem.  (I confirmed that I see "username" and "password" in my address bar as well).

This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.

As a workaround, would adding method="POST" to the form help?  (currently it is not specified, it relies on onsubmit returning false, but if this is misunderstood by some browsers, at least an accidental POST would be far cleaner than an accidental GET which I understand is the default?)

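Casascius's observation above means that, whenever the GET fallback fires, the credentials land in the web server's access log as well as in the browser history. The following is an added example (not code from the thread or from MtGox) of how an operator could scan such logs for the leak and redact the values before the lines are retained; the log lines are constructed, and the parameter names beyond "username" and "password" are an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Parameter names that should never travel in a query string. "username" and
# "password" are the names seen in the address bar in this thread; the rest are
# common variants added here as an assumption.
SENSITIVE_PARAMS = {"username", "password", "pass", "passwd", "pwd", "token"}

# Request line as written in Apache/nginx access logs: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<ver>HTTP/[\d.]+)"')
SENSITIVE_KV_RE = re.compile(
    r"(?i)(^|&)(" + "|".join(sorted(SENSITIVE_PARAMS)) + r")=[^&]*")
def find_leaked_params(log_line):
    """Return (method, path, leaked names) if the query string carries a secret."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    leaked = sorted(names & SENSITIVE_PARAMS)
    return (m.group("method"), parts.path, leaked) if leaked else None

def redact_line(log_line):
    """Replace sensitive query values with [REDACTED] so the line can be kept."""
    def _redact(m):
        parts = urlsplit(m.group("target"))
        query = SENSITIVE_KV_RE.sub(r"\1\2=[REDACTED]", parts.query)
        target = parts.path + ("?" + query if query else "")
        return f'"{m.group("method")} {target} {m.group("ver")}"'
    return REQUEST_RE.sub(_redact, log_line)

def scan(lines):
    """Return (line number, method, path, leaked names) for each offending line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = find_leaked_params(line)
        if hit:
            findings.append((n,) + hit)
    return findings

# Constructed sample lines, not real MtGox logs: line 1 is the GET fallback the
# thread describes, line 2 the intended POST, line 3 an empty value in odd case.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Feb/2011:00:08:19 +0000] "GET /users/login?username=alice&password=hunter2 HTTP/1.1" 302 0',
    '203.0.113.7 - - [08/Feb/2011:00:08:25 +0000] "POST /code/login.php HTTP/1.1" 200 45',
    '198.51.100.3 - - [08/Feb/2011:00:09:01 +0000] "GET /trade?currency=USD&PASSWORD= HTTP/1.1" 200 1024',
]
if __name__ == "__main__":
    for n, method, path, leaked in scan(SAMPLE_LOG):
        print(f"line {n}: {method} {path} leaks {leaked} ->", redact_line(SAMPLE_LOG[n - 1]))
```

The same matching can be applied at the logging stage so the secret never reaches disk, which is the cleaner fix until the form itself is corrected.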

bitcool
February 09, 2011, 10:09:55 PM
#151

> This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.
Thanks. Every once in a while, I need to be reminded there's a browser called "IE" that people still use, sorry.

ShadowOfHarbringer
February 11, 2011, 06:44:50 PM
#152

> Maybe you should contact mtgox before spreading FUD like this.
> It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.
>
>> These are security basics...
> And you seem not to have a clue about them :)

Because you seem to have said so, of course...

FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
FYI-2: I know "something" about security, but I have no need to explain myself to you.

davout
February 11, 2011, 06:56:42 PM
#153

> FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
> FYI-2: I know "something" about security, but I have no need to explain myself to you.
So, why are you coming back and editing your posts if you don't care? :)

Nefario
February 11, 2011, 07:06:10 PM
#154

>> FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
>> FYI-2: I know "something" about security, but I have no need to explain myself to you.
> So, why are you coming back and editing your posts if you don't care? :)

Point 1, explanation.
Point 2, fuck you, that's why! :D

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com

ShadowOfHarbringer
February 11, 2011, 09:15:31 PM
#155

>> FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
>> FYI-2: I know "something" about security, but I have no need to explain myself to you.
> So, why are you coming back and editing your posts if you don't care? :)

You are putting things on my keyboard that I didn't write.
I never said that I don't care HERE. Perhaps I didn't care in some other thread.

PS.
SERIOUSLY dude. What is your problem? Just to remind you - it was you who started insulting me.
We could have a polite conversation, but no - you like a shitfight better.

LZ
February 11, 2011, 09:38:42 PM
#156

Is there any reason for this dispute? Shake hands with each other, okay?

bitcool
February 11, 2011, 10:20:55 PM
#157

hey, I wish I could afford one like this too: (everybody with bitcoin seems to have one)

just kidding.

foof
March 06, 2011, 02:52:57 AM
#158

Is this thread still alive?
I've seen this just now.
I would like to ask what a dictionary attack is. If it is what I think it is, it is really unlikely that it could have happened.

Firstly, a dictionary attack means that somebody has used a dictionary word for his password, or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low; let's assume just common/simple words and the English language); you use 3 of them stuck together; suppose you even use all non-capital characters, no digits and no spaces; it still means the attacker has to brute-force 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average to crack the password.

Over the network, with SSL authentication (that's overhead), I don't think the attacker could really try more than 1000 passwords per second; after that it becomes a bandwidth and CPU attack against mtgox, resulting in DoS. Even at this speed it would take an average of 10 years of continuous attempts to crack one single password, with nobody noticing anything in the meantime. I don't see this as likely *at all*.

A different thing is if the attacker was able to download the file of hashed passwords by first hacking the mtgox website database with MySQL injection. After that he could perform the dictionary attack locally on his PC (as opposed to over the network). At this point 3 words stuck together becomes feasible and 4 words is so-so. Also, I read people speaking about rainbow attacks: again, these are feasible only if the attacker could download the hashed passwords file.

But at this point one wonders: if the hacker is able to hack the DB and download the hashed passwords file from the website, why isn't he able to just log in to the victim's account or change the victim's password to something known to him?

So I don't really see this clearly. How did this attack really happen?

Would the people who got their accounts hacked (who hopefully changed their passwords by now) be willing to disclose their old passwords, so we have an idea of how weak they were and how this hack could actually have happened?

Dude65535
March 06, 2011, 03:29:09 AM
#159

Generally a dictionary attack would be done with a pregenerated list of common passwords sorted by frequency of use.

1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT

carp
March 06, 2011, 07:32:21 AM
#160

> Firstly, a dictionary attack means that somebody has used a dictionary word for his password, or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low; let's assume just common/simple words and the English language); you use 3 of them stuck together; suppose you even use all non-capital characters, no digits and no spaces; it still means the attacker has to brute-force 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average to crack the password.

Well, kinda. Firstly, stringing words together isn't the most common of things people do. Shit, even I use one-word dictionary passwords in some places. Common is a dictionary word, or a word with numbers at the end, more likely than not all lower case.... Some words are more common than others... in any case, there are optimizations that reduce the effective keyspace.

Also, hashes can have collisions. Technically, you don't need to guess THE password, just something that hashes to the same value (unlikely, but no way to rule out collisions). Then there is the number of accounts. Maybe instead of scanning one account for all possible good passwords, you just try lots of different accounts in the set of bad ones?

Remember, even in the HBGary hacks, a security company, BOTH the founder and the CEO had 6-char, all lower case passwords with numbers at the end (or so the claim goes).

All that said, I am skeptical of dictionary attacks. More likely attacks, to my mind? Well, again back to the HBGary hack... same password on multiple accounts, anyone? I almost guarantee that you could go to ANY forum on the net, including this one, post a link to a site you own with some reason to register, and you would get a list of usernames and passwords that are probably valid on other sites.

Do it here, and the chances they work on mtgox.... well.... you get the picture.