Bitcoin Forum
Author Topic: 'Password reset via email' option used to hack the account?  (Read 450 times)
esmanthra (OP), Hero Member (Activity: 504, Merit: 732)
March 09, 2018, 06:17:48 AM
Last edit: October 20, 2018, 05:31:02 AM by esmanthra
Merited by Vadi2323 (1)
#1

I wonder if someone from staff can clarify this.

The situation

Recently one of our Legendaries was hacked. He created a thread describing what happened (I give the translation from Russian below):

Got 2 messages:

  • the link to reset my allegedly 'forgotten' password:
    Quote
    Dear Vadi2323,

    This mail was sent because the 'forgot password' function has been applied to your account. To set a new password click the following link:

    <the link's here>

    IP: 173.224.120.147

    Username: Vadi2323

    Regards,
    The Bitcoin Forum Team.
  • after that - the letter about password change turned up:
    Quote
    Dear Vadi2323,

    Your Bitcoin Forum (bitcointalk.org) password was just changed by IP address 173.224.120.147 via email recovery. If you did not do this, then you should use the forgotten password feature to change your password.

    Regards,
    The Bitcoin Forum Team.

I tried to log in, and the password indeed didn't match. Then I changed it myself via the forgot password option.

I also checked the e-mail visit log, but it revealed my IPs only, no 173.224.120.147.

The e-mail account didn't seem to have sent messages to any other addresses either.

WTF?


In other words, someone somehow changed his password bypassing the e-mail (since it doesn't look like the e-mail was compromised).
The chronology:

https://ip.bitcointalk.org/?u=https%3A%2F%2Fs8.hostingkartinok.com%2Fuploads%2Fimages%2F2018%2F03%2F622f841b86de505e1fc0c20e7a84eee6.png&t=586&c=3gzXpgExQJ7frA

Moscow time:

20:21 - hacker requested the password reset via e-mail
20:50 - hacker changed the password (as if he was using the e-mail link)
20:55 - I requested the password reset via e-mail
20:56 - I changed the password (definitely using the e-mail link)

Our suppositions

Reset links sent by e-mail are typical. Usually we receive a message including a link like this:

https://bitcointalk.org/index.php?action=reminder;sa=setpassword;u=userIDhere;code=someCodeHere

Presumably anyone can set userIDhere to the ID of the target account and get to the target account's 'change password here' page.
The snag is in the last part of the link, the code. I assume that it's supposed to be unique and generated by the engine for every request, and that you can't change the password if the code is wrong.

So for now the only reasonable explanation we have is that someone just brute-forced that code, using some kind of automated tool, for example.

Accordingly, the question is: can this be true? Or does some other possibility exist to change the password at the reset-email stage without e-mail access?
JanEmil, Hero Member (Activity: 2268, Merit: 668)
March 09, 2018, 07:50:10 AM
#2

Older forums are very easy victims of SQL injection or URL hacking.
Maybe that's how. See if you can find a bug. They pay big rewards, I have seen.

killyou73, Full Member (Activity: 504, Merit: 185)
March 09, 2018, 10:35:04 AM
#3

Maybe he had an easy password
esmanthra (OP), Hero Member (Activity: 504, Merit: 732)
March 09, 2018, 10:52:59 AM
#4

Quote
    Maybe he had an easy password

According to the logs (the screenshot link is above), the password was reset via email. Also, it would be odd to request the password reset (thus notifying the user), then spend 30 minutes twiddling one's thumbs and finally change the password obtained somewhere at the beginning. I'd doubt the mental faculties of such a hacker. :)
theymos, Administrator, Legendary (Activity: 5166, Merit: 12865)
March 09, 2018, 12:11:46 PM
#5

The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

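Putting numbers on the two posts above (the OP's brute-force hypothesis in #1 and theymos's reply in #5): the following is an added Python example, not SMF's or the forum's own code. It takes from the thread only the code format theymos describes (10 characters from a 62-character alphabet, here a-z, A-Z, 0-9) and his figure of 10,000 attempts per second. The `ResetTokenStore` class is a hypothetical server-side model of how such a code is normally issued and checked (CSPRNG generation, hashed storage, expiry, single use, a guess limit, constant-time comparison); it is not a claim about what SMF 1.1.19 actually does.

```python
# Added example (not the forum's code): keyspace arithmetic for a reset code of
# 10 characters drawn from a 62-character alphabet, as theymos describes, plus a
# hypothetical token store showing the usual defences around such a code.
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits  # 62 characters, as in the thread
CODE_LEN = 10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int = len(ALPHABET), length: int = CODE_LEN) -> int:
    """Number of distinct codes: alphabet_size ** length (62**10 here)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int = len(ALPHABET), length: int = CODE_LEN) -> float:
    """Entropy of a uniformly random code in bits (about 59.5 for 62^10)."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(rate_per_second: float,
                            alphabet_size: int = len(ALPHABET),
                            length: int = CODE_LEN) -> float:
    """Expected time for an online guesser trying `rate_per_second` codes against
    one outstanding reset; on average the code is hit after half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / rate_per_second / SECONDS_PER_YEAR


def new_reset_code(length: int = CODE_LEN) -> str:
    """Draw the code from the CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _digest(code: str) -> bytes:
    # Only the hash is kept server-side, so a database leak does not expose live codes.
    return hashlib.sha256(code.encode()).digest()


@dataclass
class PendingReset:
    code_hash: bytes
    issued_at: float
    failures: int = 0


@dataclass
class ResetTokenStore:
    """Hypothetical store (assumption, not SMF's): one outstanding reset per user,
    hashed code, expiry after `ttl` seconds, single use, at most `max_failures` guesses."""
    ttl: float = 3600.0
    max_failures: int = 5
    pending: dict = field(default_factory=dict)

    def issue(self, user_id: int, now: float) -> str:
        code = new_reset_code()
        self.pending[user_id] = PendingReset(_digest(code), now)
        return code  # this goes into the e-mailed link; only its hash is stored

    def redeem(self, user_id: int, presented: str, now: float) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if now - entry.issued_at > self.ttl:
            del self.pending[user_id]  # expired: the attacker's window is closed
            return False
        # Constant-time compare so response timing leaks nothing about the guess.
        if hmac.compare_digest(entry.code_hash, _digest(presented)):
            del self.pending[user_id]  # single use
            return True
        entry.failures += 1
        if entry.failures >= self.max_failures:
            del self.pending[user_id]  # too many wrong guesses: force a fresh request
        return False


if __name__ == "__main__":
    print(f"keyspace 62^10      = {keyspace():,}")
    print(f"entropy             = {entropy_bits():.1f} bits")
    print(f"average at 10,000/s = {expected_years_to_guess(10_000):,.0f} years")
    store = ResetTokenStore()
    code = store.issue(user_id=1, now=0.0)
    print("wrong guess accepted:", store.redeem(1, "AAAAAAAAAA", now=1.0))
    print("right code accepted: ", store.redeem(1, code, now=2.0))
    print("replay accepted:     ", store.redeem(1, code, now=3.0))
```

The keyspace is 62^10, roughly 8.4 x 10^17 codes (about 59.5 bits), so at theymos's 10,000 guesses per second the expected time to hit one outstanding code is over a million years; the expiry and guess limit in the store above shrink the attacker's window even further, which is why in practice a reset code is stolen (intercepted mail, compromised endpoint) rather than guessed.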
F8N00, Full Member (Activity: 230, Merit: 100)
March 10, 2018, 04:39:12 PM
#6

Quote
    The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have a confirmation email before the password can be changed?
Vadi2323, Legendary (Activity: 2044, Merit: 1231)
March 10, 2018, 05:23:45 PM
#7

Quote
    ...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.
jackg, Copper Member, Legendary (Activity: 2856, Merit: 3071)
March 10, 2018, 05:42:13 PM
#8

Quote
    ...Most likely the email was intercepted at his end somehow.

    Yes, it was. I am solving the problem.

Who is your email provider? Maybe one of their staff intercepted it?

Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can be made by the mail servers.

You're quite lucky your account was recoverable so quickly.
Vadi2323, Legendary (Activity: 2044, Merit: 1231)
March 10, 2018, 06:12:20 PM
#9

Quote
    ...Most likely the email was intercepted at his end somehow.

    Yes, it was. I am solving the problem.

    Who is your email provider? Maybe one of their staff intercepted it?

    Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can be made by the mail servers.

    You're quite lucky your account was recoverable so quickly.

The problem is that the security of my PC has been compromised.
jackg, Copper Member, Legendary (Activity: 2856, Merit: 3071)
March 10, 2018, 10:43:57 PM
#10

Quote
    ~

    The problem is that the security of my PC has been compromised.

I wouldn't have expected there to be someone with a particular interest in Bitcointalk accounts to produce a virus to steal them. It means we all have to be even more cautious when browsing/downloading crypto-related information now.
I'm guessing this is something that wouldn't show up on any antimalware services (you could certainly try to uninstall the software and try to change it in your firewall settings, or just reinstall your OS, which is probably recommended, although I assume you already know and are running through these already).
Vadi2323, Legendary (Activity: 2044, Merit: 1231)
March 12, 2018, 07:53:53 PM
#11

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by a "man-in-the-middle attack". He does not usually hack computers.
swogerino, Legendary (Activity: 3136, Merit: 1233)
March 12, 2018, 08:11:25 PM
#12

Quote
    Here is the person who hacks passwords on the forum - Smartwm.
    He does that through vulnerable routers by a "man-in-the-middle attack". He does not usually hack computers.

The lesson to be learned here is to always enable 2FA if possible, and if your email provider doesn't support 2FA, to move on to Gmail. I have been using Gmail with 2FA enabled for 2 years now and no hacker can hack anything, unless it is an inside job from the Google team, which I don't think they do. Even if the hacker enters your computer through a vulnerable router, he can have your password but cannot have your 2FA code if you do it by your mobile phone.

Ms Emi, Jr. Member (Activity: 109, Merit: 1)
March 12, 2018, 08:14:16 PM
#13

That's why Gmail recommends a strong, mixed password for your email, and to set your settings to the highest privacy and security settings possible, like: if your email has been opened on a new computer, they need a code sent to your mobile phone to ensure it's you. I do that especially when I'm traveling and need to check my email in shops to open big files that can't be opened on my phone.

Vadi2323, Legendary (Activity: 2044, Merit: 1231)
March 12, 2018, 08:17:28 PM
#14

Quote
    Here is the person who hacks passwords on the forum - Smartwm.
    He does that through vulnerable routers by a "man-in-the-middle attack". He does not usually hack computers.

    The lesson to be learned here is to always enable 2FA if possible, and if your email provider doesn't support 2FA, to move on to Gmail. I have been using Gmail with 2FA enabled for 2 years now and no hacker can hack anything, unless it is an inside job from the Google team, which I don't think they do. Even if the hacker enters your computer through a vulnerable router, he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set up 2FA through a vulnerable router, your secret will also be stolen, like the password.
swogerino, Legendary (Activity: 3136, Merit: 1233)
March 12, 2018, 08:23:15 PM
#15

Quote
    Here is the person who hacks passwords on the forum - Smartwm.
    He does that through vulnerable routers by a "man-in-the-middle attack". He does not usually hack computers.

    The lesson to be learned here is to always enable 2FA if possible, and if your email provider doesn't support 2FA, to move on to Gmail. I have been using Gmail with 2FA enabled for 2 years now and no hacker can hack anything, unless it is an inside job from the Google team, which I don't think they do. Even if the hacker enters your computer through a vulnerable router, he can have your password but cannot have your 2FA code if you do it by your mobile phone.

    If you set up 2FA through a vulnerable router, your secret will also be stolen, like the password.

I doubt that the hacker hacked your email and computer a long time ago; I believe he did so only lately, when he was able to change your password. The 2FA should be set up when you set up the email and not after the hacker has power over your computer. Anyway, now you remind me that this thing should be set up in a Linux environment, where hacking is more difficult than on Windows.


Vadi2323, Legendary (Activity: 2044, Merit: 1231)
March 12, 2018, 09:23:25 PM
#16

Quote
    Here is the person who hacks passwords on the forum - Smartwm.
    He does that through vulnerable routers by a "man-in-the-middle attack". He does not usually hack computers.

    The lesson to be learned here is to always enable 2FA if possible, and if your email provider doesn't support 2FA, to move on to Gmail. I have been using Gmail with 2FA enabled for 2 years now and no hacker can hack anything, unless it is an inside job from the Google team, which I don't think they do. Even if the hacker enters your computer through a vulnerable router, he can have your password but cannot have your 2FA code if you do it by your mobile phone.

    If you set up 2FA through a vulnerable router, your secret will also be stolen, like the password.

    I doubt that the hacker hacked your email and computer a long time ago; I believe he did so only lately, when he was able to change your password. The 2FA should be set up when you set up the email and not after the hacker has power over your computer. Anyway, now you remind me that this thing should be set up in a Linux environment, where hacking is more difficult than on Windows.

Please read, with a translator, the article https://xakep.ru/2015/04/07/195-routers/ . It is difficult for me to explain in English. I am not a native American.

seven2smoke1, Full Member (Activity: 532, Merit: 132)
March 12, 2018, 09:48:57 PM
#17

Quote
    The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

    Why don't we have a confirmation email before the password can be changed?

I don't know why this confirmation step is just bypassed; it's too important, because once a hacker logs into your account, you will be 100% hacked without any verification via the email. I hope that theymos will consider this step as soon as possible.
Vadi2323, Legendary (Activity: 2044, Merit: 1231)
March 16, 2018, 07:13:29 AM
Last edit: March 16, 2018, 01:58:52 PM by Vadi2323
#18

I rarely download and run executable files. Basically, only updates. I decided to see what I had downloaded in the last 3 months. The only downloads were Core and VirtualBox. I decided to check them with VirusTotal.

A curious result for VirtualBox: for the last 2 downloads, Baidu showed Win32.Trojan.WisdomEyes.16070401.950 ...

https://www.virustotal.com/#/file/bbd74e2d9717285863578ff728c16b411c88d1d0b63e3fd456cd09d2131635b3/detection

https://www.virustotal.com/#/file/da7bbcc9806a3f574f1faed5381c6e116b10a7bbb4779913d5446e49fe08fd7d/detection

Quote
    Win32.Trojan.WisdomEyes
    This Trojan is aimed at the Windows platform. This malicious code collects all the files in the user's Desktop folder, compresses them and sends them to a remote server. In addition, it takes screenshots, steals data from the clipboard and performs keylogging. The malicious program also tries to make contact via email to register an infection. To survive a system reboot, the malware creates a Run key entry and creates a copy of itself on the disk.

Is there anybody who uses these versions of VirtualBox?

I downloaded them from the official website on March 3 and January 17. VirtualBox carefully displays windows with links to updates.

P. S. I trust Oracle more than Baidu.
Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines