Was your exchange account or online wallet hacked? - Possible explanation

[not.you]

I just want to mention to people a possible exploit that some people may be encountering.  I hear people talk about how their account at this or that exchange was hacked or how their wallet at blockchain.info was hacked.  And some of them say they had 2FA and didn’t share passwords between accounts or sites and had complex passwords and such. 

Java is not supposed to be able to interact with other web pages when one page kicks off an applet.  However exploits that let java do exactly that are in no way new.  There is a reason Java has to be updated constantly.  In the past, exploits like this have been used to make your webmail account from another browser tab send malicious links to all of your contacts.

If you are already logged in to an exchange or to an online wallet and you go to a malicious page in another tab that has a java applet that uses a zero day cross domain exploit then that applet could conceivably access all of your other open web pages.  If this happens, the exploit does not need your account info, or 2FA info because you already provided it when you logged in.  All it has to do is initiate transactions through your browser without you seeing them.  Java exploits that escape the java sandbox and interact at the OS level could also do the same thing and have also been discovered repeatedly in java’s long history.

This would also explain why most of these same hack threads also say they can’t find any malware after the hack.  Once the browser is closed java is closed too.  No malware would be left to be found.

Food for thought.

[rammy2k2]

nope, never

[manobra]

+1

[not.you]

Interesting reactions.  I have not seen it in relation to bitcoin stuff but I know with absolute certainty that the scenario I proposed above is possible so "nope, never" is wishful thinking (at best).  I have observed in the capacity of my work on multiple occasions,  java applets that downloaded and ran executable files in windows, so if that is possible then what I have suggested above is possible.  Believe whatever you like though.

Here is a version history for the current JRE (SE 7).

Release               Release Date                                     Highlights

Java SE 7                     2011-07-28 Initial release. HotSpot VM 21
Java SE 7 Update 1        2011-10-18 20 security fixes, other bug fixes
Java SE 7 Update 2        2011-12-12 No security fixes; HotSpot VM 22; reliability and performance improvements; support for Solaris 11 and Firefox 5 and later; JavaFX included with Java SE JDK, improvements for web-deployed applications
Java SE 7 Update 3        2012-02-14 14 security fixes
Java SE 7 Update 4        2012-04-26 No security updates; HotSpot VM 23; JDK Support for Mac OS X
Java SE 7 Update 5        2012-06-12 14 security fixes
Java SE 7 Update 6        2012-08-14 JavaFX and Java Access Bridge included in Java SE JDK and JRE installation, JavaFX support for touch-enabled monitors and touch pads, JavaFX support for Linux, JDK and JRE Support for Mac OS X, JDK for Linux on ARM
Java SE 7 Update 7        2012-08-30 4 security fixes
Java SE 7 Update 9        2012-10-16 30 security vulnerabilities fixes
Java SE 7 Update 10      2012-12-11 New security features, such as the ability to disable any Java application from running in the browser and new dialogs to warn you when the JRE is insecure, and bug fixes
Java SE 7 Update 11      2013-01-13 Olson Data 2012i, bugfix for problems with registration of plugin on systems with Stand-alone version of JavaFX Installed, security fixes for CVE-2013-0422; the default security level for Java applets and web start applications has been increased from "Medium" to "High"
Java SE 7 Update 13      2013-02-01 50 security fixes
Java SE 7 Update 15      2013-02-19 5 security fixes
Java SE 7 Update 17      2013-03-04 2 security fixes
Java SE 7 Update 21      2013-04-16 Multiple changes including 42 security fixes, a new Server JRE that doesn't include the plug-in, and the JDK for Linux on ARM
Java SE 7 Update 25      2013-06-18 Multiple changes including 40 security fixes
Java SE 7 Update 40      2013-09-10 New security features, hardfloat ARM, Java Mission Control and Retina Display support
Java SE 7 Update 45      2013-10-15 51 security fixes, Protections against unauthorized redistribution of Java applications, Restore security prompts, JAXP changes, TimeZone.setDefault change.
Java SE 7 Update 51      2014-01-14 36 security fixes

But as I say, believe what you like.  As an experiment you could always go find a version of JRE 6 and then surf as many sketchy sites as you can find that use java and see how much malware you accumulate.  And bitcoin related malware is becoming more common.

I also think some of these hacks are due to people downloading smart phone apps that have hidden malicious intent.  My understanding is that most people don't pay much attention to the rights an app asks for when it is installed.  So if you have a malicious app on your phone and you log into a bitcoin exchange or wallet, it wouldn't surprise me to hear that your coins got swiped.