Bitcoin Forum
December 02, 2016, 06:28:06 PM *
Author Topic: Fake Bitcoins?  (Read 13897 times)
Anonymous
Guest

August 13, 2011, 01:27:00 AM
 #1

So, I understand that MyBitcoin was killed by someone who sent fake bitcoins, and confirmed them once somehow, and then made a withdrawal of those coins. Of course those coins did not exist, so he actually withdrew other users' coins. My question is what are the technical details on this type of attack. I wanted to know how it is done, solely out of curiosity.

Thanks,
Joey.
Crypt_Current
August 13, 2011, 01:29:34 AM
 #2

> I wanted to know how it is done, solely out of curiosity.

Snake:  "Wallet Inspector!  Hand over your wallets!"
Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::

Anonymous
Guest

August 13, 2011, 01:30:57 AM
 #3

> > I wanted to know how it is done, solely out of curiosity.
>
> Snake:  "Wallet Inspector!  Hand over your wallets!"
> Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::

I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)
Anonymous
Guest

August 13, 2011, 01:34:22 AM
 #4

> > > I wanted to know how it is done, solely out of curiosity.
> >
> > Snake:  "Wallet Inspector!  Hand over your wallets!"
> > Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::
>
> I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)

What I am trying to do is perform this exploit on my own site and find a way to prevent it. I need to perform the exploit in the first place to see what actually occurs on my site.
the joint
August 13, 2011, 01:37:03 AM
 #5

Lol, solely out of curiosity my ass.

Anonymous
Guest

August 13, 2011, 01:42:55 AM
 #6

Look. My intentions are sincere. To test this exploit out on my own e-wallet (bitcoin debit cards). I am not trying to hack anyone. Please only respond if you want to help me perform the exploit on my own site (do not attempt it yourself :) ), I believe I have it soundproof, but I want to protect the coins from the people who hacked mybitcoin and others. I need to test it myself, and find a way to prevent it.
the joint
August 13, 2011, 01:44:14 AM
 #7

I don't know how to program, unfortunately, or I'd probably hack everything :D

Serith
August 13, 2011, 01:50:47 AM
 #8

Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.

Long answer: you will have to spend a couple of weeks reading available documentation and exploring source code to get full understanding of how it happened
Anonymous
Guest

August 13, 2011, 01:55:22 AM
 #9

> Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.
>
> Long answer: you will have to spend a couple of weeks reading available documentation and exploring source code to get full understanding of how it happened

Alright. So the source code sends the coins, but how did he force a single confirm on the transaction? Did he exploit something having to do with mining? What happened there?
BitVapes
August 13, 2011, 05:05:16 AM
 #10

> > Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.
> >
> > Long answer: you will have to spend a couple of weeks reading available documentation and exploring source code to get full understanding of how it happened
>
> Alright. So the source code sends the coins, but how did he force a single confirm on the transaction? Did he exploit something having to do with mining? What happened there?

honestly I don't know either, but I believe Theymos who originally posted about the possibility of such an attack said it would be trivial for anyone who can mine two blocks in a row.   So I assume yes it did have something to do with mining, I presume the attacker was a large miner and was able to mine two blocks in a row, adding his transactions of 'fake bitcoins' to the blockchain.  Eventually the 'real' blockchain took back over and his blocks weren't a part of the real blockchain anymore.

as long as you don't accept transactions from 1 confirmation, you should be safe from this attack.  The more confirmations, the more sure you can be that the transaction can't be reversed

koin
August 13, 2011, 09:42:21 AM
 #11

> So I assume yes it did have something to do with mining, I presume the attacker was a large miner and was able to mine two blocks in a row, adding his transactions of 'fake bitcoins' to the blockchain.  Eventually the 'real' blockchain took back over and his blocks weren't a part of the real blockchain anymore.

the problem is, apparently, that nobody can find these supposed double spends on any reorgs: http://bitcointalk.org/index.php?topic=34770.msg434895#msg434895
BTCrow
August 13, 2011, 04:27:12 PM
 #12

> > > I wanted to know how it is done, solely out of curiosity.
> >
> > Snake:  "Wallet Inspector!  Hand over your wallets!"
> > Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::
>
> I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)

You don't need to exploit to patch ... Simply wait for 6 confirmations when people send funds into your wallet before releasing anything (goods / other currency etc) and you won't have the mybitcoin problem.

Anonymous
Guest

August 13, 2011, 04:48:18 PM
 #13

> > > > I wanted to know how it is done, solely out of curiosity.
> > >
> > > Snake:  "Wallet Inspector!  Hand over your wallets!"
> > > Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::
> >
> > I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)
>
> You don't need to exploit to patch ... Simply wait for 6 confirmations when people send funds into your wallet before releasing anything (goods / other currency etc) and you won't have the mybitcoin problem.

Do you think it is safe to allow people to use their bitcoins at 4 confirmations? Because I am an e-wallet, people want to use their coins the second they get them. Of course I cannot do that, but is 4 sufficient? Can someone really fake 4 whole confirmations?
jackjack
August 13, 2011, 04:53:30 PM
 #14

Nobody can fake blocks, they can mine them in a row
I think even 3 confirmations should be enough

Anonymous
Guest

August 13, 2011, 04:59:16 PM
 #15

> Nobody can fake blocks, they can mine them in a row

Sorry, that is what I meant to say. Fake Confirmations, by mining blocks in a row.

> I think even 3 confirmations should be enough

Okay. I'll be on the safe side and give no access to coins from transactions without 4 or more transactions.

Thanks,
Joey
zellfaze
August 14, 2011, 05:08:09 PM
 #16

So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?

Even if his intentions were not sincere, security through obscurity is a terrible terrible practice.  Despicable.

macintosh264: For every confirmation it gets that much harder for an attacker to (temporarily) create fake bitcoins.  1 Confirmation means that the transaction is in 1 block in the block chain, 2 confirmations means it is in 2 blocks, 3 means 3, etc.  In a nutshell what happened with MyBitCoin is that an attacker was able to mine an invalid block, then before the block was thrown out for being invalid mine another invalid block.  In these invalid blocks it showed him depositing bitcoins to MyBitCoin.   Because MyBitCoin only waited for 1 confirmation, it assumed that these were valid transactions and allowed him to withdraw the bitcoins.  The withdrawn bitcoins were included in the actual real block-chain and therefore remained valid even after the deposits from the fake blocks were thrown out.

If you wait for 1 confirmation an attacker has to mine 2 fake blocks in a row to trick you.  If you wait for 2 confirmations, they have to mine 3.  If you wait for 3 confirmations, they have to mine 4. Etc.

Every confirmation you wait for makes it exponentially more unlikely that you are being tricked.  Remember that a block is mined about once every 10 minutes, so it would take a great deal of computing power (and luck) to successfully stay ahead of the network for a significant amount of time to pull one of these attacks off.

With that in mind, 4 confirmations should be plenty.  3 would probably be plenty even.

A+, CCENT, CCNA
Security Enthusiast
PHP Coder

Not that I expect anyone to, but should you like my post, please donate:
Donate: 1BRbfqii6Sm9tEUE8A16H7QeDmYFjyBZ7V
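
Added example, not part of the original thread: the point made in the post above, that each extra confirmation makes a reversal exponentially less likely, can be quantified with the attacker catch-up model from section 11 of the Bitcoin whitepaper. The function names and the 0.1% risk target are assumptions chosen for illustration; `q` is the attacker's share of total hash power.

```python
import math


def catch_up_probability(q: float, z: int) -> float:
    """Chance that an attacker holding hashrate share q eventually replaces
    a transaction buried under z confirmations (whitepaper section 11)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    if q >= 0.5:
        return 1.0  # a majority attacker always catches up eventually
    p = 1.0 - q
    lam = z * (q / p)  # expected attacker blocks while honest miners find z
    poisson = math.exp(-lam)  # P(attacker found k blocks), starting at k = 0
    remaining = 1.0
    for k in range(z + 1):
        remaining -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)  # advance to P(k + 1) without overflow
    return remaining


def confirmations_needed(q: float, max_risk: float, limit: int = 500) -> int:
    """Smallest z whose reversal probability is below max_risk."""
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    raise ValueError("risk target not reachable within limit")


if __name__ == "__main__":
    # Hypothetical attacker with 10% of the network's hash power.
    for z in (1, 2, 3, 4, 6):
        print(f"q=0.10 z={z}: {catch_up_probability(0.10, z):.7f}")
    print("z for <0.1% risk at q=0.10:", confirmations_needed(0.10, 0.001))
    print("z for <0.1% risk at q=0.30:", confirmations_needed(0.30, 0.001))
```

The model assumes a fixed attacker share and a race that starts when the transaction is broadcast, so the threshold a service picks should reflect the largest share it is willing to assume for `q`.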
willphase
August 14, 2011, 05:55:43 PM
 #17

> So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?
>
> Even if his intentions were not sincere, security through obscurity is a terrible terrible practice.  Despicable.

without having access to the source for mybitcoin it's impossible to know what mistakes they made.  They've admitted only that they were not waiting for the required number of confirmations before crediting account balance.  There are also rumours that they were not even waiting for the transactions to appear in a block at all and merely marking them confirmed when they saw a new block, but I can't honestly believe anyone would code anything that bad.

If you don't like 'security through obscurity' - I recommend you start using one of the open source exchanges based on intersango e.g. https://intersango.us/ rather than mtgox...

Will
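
Added example, not from the thread and not MyBitcoin's code (which, as the post above says, nobody here has seen): a constructed model of the rumoured mistake, counting new blocks instead of checking that the deposit is in a block, next to a depth check against the current best chain. The block layout, function names and sample chains are assumptions made up for illustration.

```python
REQUIRED_CONFIRMATIONS = 6  # the threshold recommended in this thread


def block(block_hash, txids):
    """Minimal stand-in for a block: a hash and the ids of its transactions."""
    return {"hash": block_hash, "txids": set(txids)}


def naive_confirmations(first_seen_height, best_chain):
    """Flawed: counts blocks that arrived after the tx was first seen,
    without checking that any block on the best chain contains it."""
    return len(best_chain) - first_seen_height


def confirmations(txid, best_chain):
    """Depth of the block holding txid on the current best chain, 0 if absent.
    Must be re-evaluated on every new tip, because a reorg can lower it."""
    for height, blk in enumerate(best_chain):
        if txid in blk["txids"]:
            return len(best_chain) - height
    return 0


def may_credit(txid, best_chain, required=REQUIRED_CONFIRMATIONS):
    """Credit a deposit only once it is buried deep enough on the best chain."""
    return confirmations(txid, best_chain) >= required


# Constructed sample data (not real blocks or transactions).
DEPOSIT = "tx-deposit"
COMMON = [block("b0", []), block("b1", ["tx-a"])]
# Chain A: the deposit is mined at height 2 and buried by five more blocks.
CHAIN_A = COMMON + [block("b2a", [DEPOSIT])] + [block(f"b{n}a", []) for n in range(3, 8)]
# Chain B: seven blocks arrive after the deposit was seen, none contains it.
CHAIN_B = COMMON + [block(f"b{n}b", []) for n in range(2, 9)]

if __name__ == "__main__":
    print("chain A, correct count:", confirmations(DEPOSIT, CHAIN_A))
    print("chain B, naive count:  ", naive_confirmations(2, CHAIN_B))
    print("chain B, correct count:", confirmations(DEPOSIT, CHAIN_B))
```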

indio007
August 14, 2011, 06:00:33 PM
 #18

Wasn't Mtgox a fake bitcoin hack too? Not to the bitcoin client but to the trading program?
zellfaze
August 14, 2011, 06:05:55 PM
 #19

> > So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?
> >
> > Even if his intentions were not sincere, security through obscurity is a terrible terrible practice.  Despicable.
>
> without having access to the source for mybitcoin it's impossible to know what mistakes they made.  They've admitted only that they were not waiting for the required number of confirmations before crediting account balance.  There are also rumours that they were not even waiting for the transactions to appear in a block at all and merely marking them confirmed when they saw a new block, but I can't honestly believe anyone would code anything that bad.
>
> If you don't like 'security through obscurity' - I recommend you start using one of the open source exchanges based on intersango e.g. https://intersango.us/ rather than mtgox...
>
> Will

My point was simply that it seemed no one wanted to give the guy a straight answer.  And I have an account on intersango.us actually. :P

My understanding of the Mt.Gox hack is that it was indeed a fake bitcoin hack also, but done in a different way.  Although to be entirely honest, I'm not sure how exactly; Mt.Gox didn't really give us a straight answer (they changed their story a few times if I remember correctly).

Raoul Duke
August 14, 2011, 06:11:59 PM
 #20

You should stop saying "what happened with mybitcoin" because in all honesty YOU DON'T KNOW!

All we can do is throw around suspicions. All we have is the dude saying that someone faked transactions with their shopping cart interface, but I bet he would prefer to say that if he wanted to run away with the coins.

Even if that was what happened, I bet the error was with mybitcoin and had nothing to do with the blockchain.

If you account for some informer that dropped by #bitcoin-police, it was because of a bug mybitcoin had in their code that wasn't calculating stuff right.

Like I said, all suppositions, no answers! ;)
