Anonymous
Guest
|
|
August 13, 2011, 01:27:00 AM |
|
So, I understand that MyBitcoin was killed by someone who sent fake bitcoins, and confirmed them once somehow, and then made a withdrawal of those coins. Of course those coins did not exist, so he actually withdrew other users' coins. My question is: what are the technical details of this type of attack? I wanted to know how it is done, solely out of curiosity.
Thanks, Joey.
|
|
|
|
Crypt_Current
|
|
August 13, 2011, 01:29:34 AM |
|
I wanted to know how it is done, solely out of curiosity.
Snake: "Wallet Inspector! Hand over your wallets!"
Suckers: "OK sir, I believe this is all in order..." :::hands over wallets:::
|
|
|
|
Anonymous
Guest
|
|
August 13, 2011, 01:30:57 AM |
|
I wanted to know how it is done, solely out of curiosity.
Snake: "Wallet Inspector! Hand over your wallets!"
Suckers: "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)
|
|
|
|
Anonymous
Guest
|
|
August 13, 2011, 01:34:22 AM |
|
I wanted to know how it is done, solely out of curiosity.
Snake: "Wallet Inspector! Hand over your wallets!"
Suckers: "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)
What I am trying to do is perform this exploit on my own site and find a way to prevent it. I need to perform the exploit in the first place to see what actually occurs on my site.
|
|
|
|
the joint
Legendary
Offline
Activity: 1834
Merit: 1020
|
|
August 13, 2011, 01:37:03 AM |
|
Lol, solely out of curiosity my ass.
|
|
|
|
Anonymous
Guest
|
|
August 13, 2011, 01:42:55 AM |
|
Look. My intentions are sincere. To test this exploit out on my own e-wallet (bitcoin debit cards). I am not trying to hack anyone. Please only respond if you want to help me perform the exploit on my own site (do not attempt it yourself). I believe I have it soundproof, but I want to protect the coins from the people who hacked mybitcoin and others. I need to test it myself, and find a way to prevent it.
|
|
|
|
the joint
Legendary
Offline
Activity: 1834
Merit: 1020
|
|
August 13, 2011, 01:44:14 AM |
|
I don't know how to program, unfortunately, or I'd probably hack everything
|
|
|
|
Serith
|
|
August 13, 2011, 01:50:47 AM |
|
Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.
Long answer: you will have to spend a couple of weeks reading available documentation and exploring source code to get a full understanding of how it happened.
|
|
|
|
Anonymous
Guest
|
|
August 13, 2011, 01:55:22 AM |
|
Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.
Long answer: you will have to spend a couple of weeks reading available documentation and exploring source code to get a full understanding of how it happened.
Alright. So the source code sends the coins, but how did he force a single confirm on the transaction? Did he exploit something having to do with mining? What happened there?
|
|
|
|
BitVapes
Full Member
Offline
Activity: 140
Merit: 100
BitVapes.com
|
|
August 13, 2011, 05:05:16 AM |
|
Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.
Long answer: you will have to spend a couple of weeks reading available documentation and exploring source code to get a full understanding of how it happened.
Alright. So the source code sends the coins, but how did he force a single confirm on the transaction? Did he exploit something having to do with mining? What happened there?
Honestly I don't know either, but I believe Theymos, who originally posted about the possibility of such an attack, said it would be trivial for anyone who can mine two blocks in a row. So I assume yes it did have something to do with mining, I presume the attacker was a large miner and was able to mine two blocks in a row, adding his transactions of 'fake bitcoins' to the blockchain. Eventually the 'real' blockchain took back over and his blocks weren't a part of the real blockchain anymore.
As long as you don't accept transactions from 1 confirmation, you should be safe from this attack. The more confirmations, the more sure you can be that the transaction can't be reversed.
|
|
|
|
koin
Legendary
Offline
Activity: 873
Merit: 1000
|
|
August 13, 2011, 09:42:21 AM |
|
So I assume yes it did have something to do with mining, I presume the attacker was a large miner and was able to mine two blocks in a row, adding his transactions of 'fake bitcoins' to the blockchain. Eventually the 'real' blockchain took back over and his blocks weren't a part of the real blockchain anymore.
The problem is, apparently, that nobody can find these supposed double spends on any reorgs: http://bitcointalk.org/index.php?topic=34770.msg434895#msg434895
|
|
|
|
BTCrow
|
|
August 13, 2011, 04:27:12 PM |
|
I wanted to know how it is done, solely out of curiosity.
Snake: "Wallet Inspector! Hand over your wallets!"
Suckers: "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)
You don't need to exploit to patch ... Simply wait 6 confirmations when people send funds into your wallet before releasing anything (goods / other currency etc) and you won't have the mybitcoin problem.
|
|
|
|
Anonymous
Guest
|
|
August 13, 2011, 04:48:18 PM |
|
I wanted to know how it is done, solely out of curiosity.
Snake: "Wallet Inspector! Hand over your wallets!"
Suckers: "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)
You don't need to exploit to patch ... Simply wait 6 confirmations when people send funds into your wallet before releasing anything (goods / other currency etc) and you won't have the mybitcoin problem.
Do you think it is safe to allow people to use their bitcoins at 4 confirmations? Because I am an e-wallet, people want to use their coins the second they get them. Of course I cannot do that, but is 4 sufficient? Can someone really fake 4 whole confirmations?
|
|
|
|
jackjack
Legendary
Offline
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
|
|
August 13, 2011, 04:53:30 PM |
|
Nobody can fake blocks, they can mine them in a row
I think even 3 confirmations should be enough
|
Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2 Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
|
|
|
Anonymous
Guest
|
|
August 13, 2011, 04:59:16 PM |
|
Nobody can fake blocks, they can mine them in a row
Sorry, that is what I meant to say. Fake Confirmations, by mining blocks in a row.
I think even 3 confirmations should be enough
Okay. I'll be on the safe side and give no access to coins from transactions without 4 or more transactions.
Thanks, Joey
|
|
|
|
zellfaze
Full Member
Offline
Activity: 141
Merit: 101
Security Enthusiast
|
|
August 14, 2011, 05:08:09 PM |
|
So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?
Even if his intentions were not sincere, security through obscurity is a terrible terrible practice. Despicable.
macintosh264: For every confirmation it gets that much harder for an attacker to (temporarily) create fake bitcoins. 1 Confirmation means that the transaction is in 1 block in the block chain, 2 confirmations means it is in 2 blocks, 3 means 3, etc.
In a nutshell, what happened with MyBitCoin is that an attacker was able to mine an invalid block, then before the block was thrown out for being invalid mine another invalid block. In these invalid blocks it showed him depositing bitcoins to MyBitCoin. Because MyBitCoin only waited for 1 confirmation, it assumed that these were valid transactions and allowed him to withdraw the bitcoins. The withdrawn bitcoins were included in the actual real block-chain and therefore remained valid even after the deposits from the fake blocks were thrown out.
If you wait for 1 confirmation an attacker has to mine 2 fake blocks in a row to trick you. If you wait for 2 confirmations, they have to mine 3. If you wait for 3 confirmations, they have to mine 4. Etc.
Every confirmation you wait for makes it exponentially more unlikely that you are being tricked. Remember that a block is mined about once every 10 minutes, so it would take a great deal of computing power (and luck) to successfully stay ahead of the network for a significant amount of time to pull one of these attacks off.
With that in mind, 4 confirmations should be plenty. 3 would probably be plenty even.
|
A+, CCENT, CCNA Security Enthusiast PHP Coder
Not that I expect anyone to, but should you like my post, please donate: Donate: 1BRbfqii6Sm9tEUE8A16H7QeDmYFjyBZ7V
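Added example, not part of any post in this thread: how quickly the risk falls with each confirmation, computed with the attacker-catch-up model from section 11 of the Bitcoin whitepaper, which goes beyond the 1 to 6 confirmations discussed above. The attacker hash-rate share `q` and the risk tolerance `max_risk` are assumed inputs that an operator has to choose; the function names are illustrative.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the network hash
    rate eventually replaces a block buried under z confirmations
    (Poisson approximation from the Bitcoin whitepaper, section 11)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q                      # honest share of the hash rate
    if q >= p:
        return 1.0                   # a majority attacker always catches up
    lam = z * (q / p)                # expected attacker progress while z blocks are mined
    prob = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def required_confirmations(q: float, max_risk: float, limit: int = 1000):
    """Smallest z whose reversal probability is below max_risk, or None if
    no z up to limit is enough (always the case when q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Assumed attacker shares, chosen only to show the trend.
    for q in (0.10, 0.30):
        for z in (1, 2, 3, 4, 6):
            print(f"q={q:.2f} z={z} P={attacker_success_probability(q, z):.7f}")
    print("confirmations for <0.1% risk at q=0.10:",
          required_confirmations(0.10, 0.001))
```

A deposit-crediting routine would compare the confirmation count reported by the node against the value returned by `required_confirmations` before making funds withdrawable.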
|
|
|
willphase
|
|
August 14, 2011, 05:55:43 PM |
|
So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?
Even if his intentions were not sincere, security through obscurity is a terrible terrible practice. Despicable.
Without having access to the source for mybitcoin it's impossible to know what mistakes they made. They've admitted only that they were not waiting for the required number of confirmations before crediting account balance. There are also rumours that they were not even waiting for the transactions to appear in a block at all and merely marking them confirmed when they saw a new block, but I can't honestly believe anyone would code anything that bad.
If you don't like 'security through obscurity' - I recommend you start using one of the open source exchanges based on intersango e.g. https://intersango.us/ rather than mtgox...
Will
|
|
|
|
indio007
|
|
August 14, 2011, 06:00:33 PM |
|
Wasn't Mtgox a fake bitcoin hack too? Not to the bitcoin client but to the trading program?
|
|
|
|
zellfaze
Full Member
Offline
Activity: 141
Merit: 101
Security Enthusiast
|
|
August 14, 2011, 06:05:55 PM |
|
So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?
Even if his intentions were not sincere, security through obscurity is a terrible terrible practice. Despicable.
Without having access to the source for mybitcoin it's impossible to know what mistakes they made. They've admitted only that they were not waiting for the required number of confirmations before crediting account balance. There are also rumours that they were not even waiting for the transactions to appear in a block at all and merely marking them confirmed when they saw a new block, but I can't honestly believe anyone would code anything that bad.
If you don't like 'security through obscurity' - I recommend you start using one of the open source exchanges based on intersango e.g. https://intersango.us/ rather than mtgox...
Will
My point was simply that it seemed no one wanted to give the guy a straight answer. And I have an account on intersango.us actually. My understanding of the Mt.Gox hack is that it was indeed a fake bitcoin hack also, but done in a different way. Although to be entirely honest, I'm not sure how exactly; Mt.Gox didn't really give us a straight answer (they changed their story a few times if I remember correctly).
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
August 14, 2011, 06:11:59 PM |
|
You should stop saying "what happened with mybitcoin" because in all honesty YOU DON'T KNOW! All we can do is throw around suspicions. All we have is the dude saying that someone faked transactions with their shopping cart interface, but I bet he would prefer to say that if he wanted to run away with the coins. Even if that was what happened, I bet the error was with mybitcoin and had nothing to do with the blockchain. If you account for some informer that dropped by #bitcoin-police, it was because of a bug mybitcoin had in their code that wasn't calculating stuff right. Like I said, all suppositions, no answers!
|
|
|
|
|