Bitcoin Forum
December 08, 2019, 12:04:04 AM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: 'Password reset via email' option used to hack the account?  (Read 335 times)
esmanthra
Sr. Member
****
Offline Offline

Activity: 392
Merit: 469


View Profile
March 09, 2018, 06:17:48 AM
Last edit: October 20, 2018, 05:31:02 AM by esmanthra
Merited by Vadi2323 (1)
 #1

I wonder if someone from staff can clarify this.

The situation

Recently one of our Legendarys was hacked. He created a thread describing what happened (I adduce the translation from Russian below):

Got 2 messages:

  • the link to reset my allegedly 'forgotten' password:
    Quote
    Dear Vadi2323,

    This mail was sent because the 'forgot password' function has been applied to your account. To set a new password click the following link:

    <the link's here>

    IP: 173.224.120.147

    Username: Vadi2323

    Regards,
    The Bitcoin Forum Team.
  • after that - the letter about password change turned up:
    Quote
    Dear Vadi2323,

    Your Bitcoin Forum (bitcointalk.org) password was just changed by IP address 173.224.120.147 via email recovery. If you did not do this, then you should use the forgotten password feature to change your password.

    Regards,
    The Bitcoin Forum Team.

I tried to log in - and password indeed didn't match. Then I changed it myself via forgot password option.

Also I checked the e-mail visit log, but it revealed my IPs only, no 173.224.120.147.

E-mail didn't seem to send messages to any other addresses too.

WTF? Huh Angry


In other words, someone somehow changed his password bypassing the e-mail (since it doesn't look like the e-mail was compromised).
The chronology:

https://ip.bitcointalk.org/?u=https%3A%2F%2Fs8.hostingkartinok.com%2Fuploads%2Fimages%2F2018%2F03%2F622f841b86de505e1fc0c20e7a84eee6.png&t=586&c=3gzXpgExQJ7frA

Moscow time:

20:21 - hacker requested the password reset via e-mail
20:50 - hacker changed the password (as if he was using the e-mail link)
20:55 - I requested the password reset via e-mail
20:56 - I changed the password (definitely using the e-mail link)

Our suppositions

Reset links sent by e-mails are typal. Usually we receive a message including link like that:

https://bitcointalk.org/index.php?action=reminder;sa=setpassword;u=userIDhere;code=someCodeHere

Presumably anyone can set the userIDhere to the ID of target account and get to the targetaccount's 'change password here' page.
The snag is in the last part of the link - the code. I assume that it's supposed to be unique and should be formed by engine for every request. And you can't change the password if the code is wrong.

So for now the only reasonable explanation we have is that someone just brute forced that code. Using some kind of automated tool, for example.

Accordingly the question is: can this be true? Or perhaps some other possibility to change password on the reset-email-stage without e-mail access exists?
1575763444
Hero Member
*
Offline Offline

Posts: 1575763444

View Profile Personal Message (Offline)

Ignore
1575763444
Reply with quote  #2

1575763444
Report to moderator
1575763444
Hero Member
*
Offline Offline

Posts: 1575763444

View Profile Personal Message (Offline)

Ignore
1575763444
Reply with quote  #2

1575763444
Report to moderator
1575763444
Hero Member
*
Offline Offline

Posts: 1575763444

View Profile Personal Message (Offline)

Ignore
1575763444
Reply with quote  #2

1575763444
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1575763444
Hero Member
*
Offline Offline

Posts: 1575763444

View Profile Personal Message (Offline)

Ignore
1575763444
Reply with quote  #2

1575763444
Report to moderator
1575763444
Hero Member
*
Offline Offline

Posts: 1575763444

View Profile Personal Message (Offline)

Ignore
1575763444
Reply with quote  #2

1575763444
Report to moderator
1575763444
Hero Member
*
Offline Offline

Posts: 1575763444

View Profile Personal Message (Offline)

Ignore
1575763444
Reply with quote  #2

1575763444
Report to moderator
JanEmil
Sr. Member
****
Offline Offline

Activity: 798
Merit: 353


I WORK FOR BTC


View Profile WWW
March 09, 2018, 07:50:10 AM
 #2

Older forums are very easy victims of sql injection or URL hacking.
Maybe how. See if you can find a bug. They pay big rewards I have seen.

killyou73
Full Member
***
Offline Offline

Activity: 504
Merit: 185


View Profile
March 09, 2018, 10:35:04 AM
 #3

Maybe he had an easy password
esmanthra
Sr. Member
****
Offline Offline

Activity: 392
Merit: 469


View Profile
March 09, 2018, 10:52:59 AM
 #4

Maybe he had an easy password

According to logs (the screenshot link is above) password was reseted via email. Also it would be odd to request the password reset (thus notifying the user), then spend 30 minutes twiddling one's thumbs and finally change password, obtained somewhere at the beginning. I'd doubt mental faculties of such a hacker.:)
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3598
Merit: 7350


View Profile
March 09, 2018, 12:11:46 PM
 #5

The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
F8N00
Full Member
***
Offline Offline

Activity: 233
Merit: 100


19/11/2018 - Capitulation !!!!


View Profile
March 10, 2018, 04:39:12 PM
 #6

The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have confirmation email before the password can be changed?
Vadi2323
Legendary
*
Offline Offline

Activity: 1526
Merit: 1123


💰🎮⚽😏


View Profile
March 10, 2018, 05:23:45 PM
 #7

...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1582
Merit: 1358


https://bit.ly/2FR9nyn - free python tutorials


View Profile
March 10, 2018, 05:42:13 PM
 #8

...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

Who is your email provider, maybe one of their staff intercepted it?

Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can happen by the mail servers.

You're quite lucky your account was recoverable so quickly.

Vadi2323
Legendary
*
Offline Offline

Activity: 1526
Merit: 1123


💰🎮⚽😏


View Profile
March 10, 2018, 06:12:20 PM
 #9

...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

Who is your email provider, maybe one of their staff intercepted it?

Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can happen by the mail servers.

You're quite lucky your account was recoverable so quickly.

The problem is in that security of my PC has been compramized.

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1582
Merit: 1358


https://bit.ly/2FR9nyn - free python tutorials


View Profile
March 10, 2018, 10:43:57 PM
 #10

~

The problem is in that security of my PC has been compramized.

I wouldn't have expected there to be someone with particular interest in Bitcoint talk accounts to produce a virus to steal them - means we all have to be even more cautious when browsing/downloading cyrpto related information now.
I'm guessing this is soemthing that wouldn't show up on any antimalware services (you could certainly try to uninstall the software and try to change it in your firewall settings or just reinstall your OS - which is probably recommended although I assume you already know and are running through these already).

Vadi2323
Legendary
*
Offline Offline

Activity: 1526
Merit: 1123


💰🎮⚽😏


View Profile
March 12, 2018, 07:53:53 PM
 #11

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

swogerino
Legendary
*
Offline Offline

Activity: 1540
Merit: 1029


https://bitcoin.watfordfc.com


View Profile
March 12, 2018, 08:11:25 PM
 #12

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

  ▄▄█████▄▄███████▄▄
███████████
     ▀▀███▄
█████████████        ▀██▄
█████████████          ██▄
███████████            ██▄
██▀▀█████▀▀              ██
██                       ██
██                       ██
▀██                     ██▀
▀██                   ██▀
 ▀██▄               ▄██▀
   ▀███▄▄       ▄▄███▀
      ▀▀█████████▀▀
███████   INDUSTRY LEADING CRYPTO SPORTSBOOK   ███████
MULTI
CURRENCY
ONLINE
  CASINO   
DAILY PRICE
BOOSTS
FAST & SECURE
PAYMENTS
█████████████████████████
███████▀▀       ▀▀███████
████▀   ▄ ▀███▀ ▄   ▀████
███  ▄████▄ ▀ ▄████▄  ███
██  ▄ ▀███▀ ▄ ▀███▀ ▄  ██
█  ▄██ ▀▀ ▄███▄ ▀▀ ██▄  █
█  █▀ ▄█ ███████ █▄ ▀█  █
█   ▄███▄ █████ ▄███▄   █
██  ████▀ ▄▄▄▄▄ ▀████  ██
███  ▀ ▄ ▀█████▀ ▄ ▀  ███
████▄  ▀▀▄ ███ ▄▀▀  ▄████
███████▄▄       ▄▄███████
█████████████████████████
█████████████████████████
███████▀▀ █████ ▀▀███████
████▀    ▄█████▄    ▀████
█████▄▄█▀▀ ▄▄▄ ▀▀█▄▄█████
██▀███▀ ▄███▀███▄ ▀███▀██
█   █ ▄██▀     ▀██▄ █   █
█   █ ██         ██ █   █
█   █ ▀██▄▄█ █▄▄██▀ █   █
██▄███▄ ▀██▄▄▄██▀ ▄███▄██
█████▀▀█▄▄ ▀▀▀ ▄▄█▀▀█████
████▄    ▀█████▀    ▄████
███████▄▄ █████ ▄▄███████
█████████████████████████
.
.REGISTER NOW!.
Ms Emi
Jr. Member
*
Offline Offline

Activity: 109
Merit: 1

Complete transparency on your charitable donations


View Profile
March 12, 2018, 08:14:16 PM
 #13

That's why Gmail recommend a high and some combo password for your email, and try to set your settings on the highest privacy and secured settings as possible like, if your email had been opened to a computer they need a code send to your mobile phone to ensure it's you, I do that especially I'm traveling and need to check my email on shops to open big file that can't be open on my phone.

G i f t c o i n  ♥  Small change. Big impact.
ICO: 20th March 2018 (https://www.giftcoin.org/)
Vadi2323
Legendary
*
Offline Offline

Activity: 1526
Merit: 1123


💰🎮⚽😏


View Profile
March 12, 2018, 08:17:28 PM
 #14

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stolen as the password. Sad

swogerino
Legendary
*
Offline Offline

Activity: 1540
Merit: 1029


https://bitcoin.watfordfc.com


View Profile
March 12, 2018, 08:23:15 PM
 #15

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stole as the password.  Sad

I doubt that the hacker hacked your email and computer a long time ago,I believe he did so only lately when he was able to change your password. The 2FA should be setup when you setup the email and not after the hacker has power over your computer. Anyway now you remind me that this thing should be set up in a Linux environment where hacking is more difficult than Windows.


  ▄▄█████▄▄███████▄▄
███████████
     ▀▀███▄
█████████████        ▀██▄
█████████████          ██▄
███████████            ██▄
██▀▀█████▀▀              ██
██                       ██
██                       ██
▀██                     ██▀
▀██                   ██▀
 ▀██▄               ▄██▀
   ▀███▄▄       ▄▄███▀
      ▀▀█████████▀▀
███████   INDUSTRY LEADING CRYPTO SPORTSBOOK   ███████
MULTI
CURRENCY
ONLINE
  CASINO   
DAILY PRICE
BOOSTS
FAST & SECURE
PAYMENTS
█████████████████████████
███████▀▀       ▀▀███████
████▀   ▄ ▀███▀ ▄   ▀████
███  ▄████▄ ▀ ▄████▄  ███
██  ▄ ▀███▀ ▄ ▀███▀ ▄  ██
█  ▄██ ▀▀ ▄███▄ ▀▀ ██▄  █
█  █▀ ▄█ ███████ █▄ ▀█  █
█   ▄███▄ █████ ▄███▄   █
██  ████▀ ▄▄▄▄▄ ▀████  ██
███  ▀ ▄ ▀█████▀ ▄ ▀  ███
████▄  ▀▀▄ ███ ▄▀▀  ▄████
███████▄▄       ▄▄███████
█████████████████████████
█████████████████████████
███████▀▀ █████ ▀▀███████
████▀    ▄█████▄    ▀████
█████▄▄█▀▀ ▄▄▄ ▀▀█▄▄█████
██▀███▀ ▄███▀███▄ ▀███▀██
█   █ ▄██▀     ▀██▄ █   █
█   █ ██         ██ █   █
█   █ ▀██▄▄█ █▄▄██▀ █   █
██▄███▄ ▀██▄▄▄██▀ ▄███▄██
█████▀▀█▄▄ ▀▀▀ ▄▄█▀▀█████
████▄    ▀█████▀    ▄████
███████▄▄ █████ ▄▄███████
█████████████████████████
.
.REGISTER NOW!.
Vadi2323
Legendary
*
Offline Offline

Activity: 1526
Merit: 1123


💰🎮⚽😏


View Profile
March 12, 2018, 09:23:25 PM
 #16

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stole as the password.  Sad

I doubt that the hacker hacked your email and computer a long time ago,I believe he did so only lately when he was able to change your password. The 2FA should be setup when you setup the email and not after the hacker has power over your computer. Anyway now you remind me that this thing should be set up in a Linux environment where hacking is more difficult than Windows.

Please read with a translator the article https://xakep.ru/2015/04/07/195-routers/ It is difficult for me to explain in English. I am not a native American.


seven2smoke1
Full Member
***
Offline Offline

Activity: 546
Merit: 128


View Profile
March 12, 2018, 09:48:57 PM
 #17

The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have confirmation email before the password can be changed?
I don't know why this step of confirming is just bypassed, which it's too important because once a hacker login into your account, you will be 100% hacked without any verification with the email. I hope that, theymos will consider this step as soon as possible.
Vadi2323
Legendary
*
Offline Offline

Activity: 1526
Merit: 1123


💰🎮⚽😏


View Profile
March 16, 2018, 07:13:29 AM
Last edit: March 16, 2018, 01:58:52 PM by Vadi2323
 #18

I rarely download and run executable files. Basically, only updates. I decided to see what I downloaded in the last 3 months. Of the downloads were only Core and VirtualBox. I decided to check with Virustotal.

A curious result for VirtualBox showed Baidu for the last 2 downloads: Win32.Trojan.WisdomEyes.16070401.950 ...

https://www.virustotal.com/#/file/bbd74e2d9717285863578ff728c16b411c88d1d0b63e3fd456cd09d2131635b3/detection

https://www.virustotal.com/#/file/da7bbcc9806a3f574f1faed5381c6e116b10a7bbb4779913d5446e49fe08fd7d/detection

Quote
Win32.Trojan.WisdomEyes
This Trojan is aimed at the Windows platform. This malicious code collects all the files in the user's Desktop folder, compresses them and sends them to the remote server. In addition, it takes screenshots, steals data from the clipboard and performs Keylogging. Malicious programs also try to contact via email to register an infection. To survive a system reboot, the malware creates a Run entry key and creates its own copy on the disk.

Is there anybody who uses these versions of VirtualBox? Smiley

I downloaded from the official website on March 3 and January 17. VirtualBox carefully displays windows with links to updates.

P. S. I trust Oracle more then Baidu.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!