Bitcoin Forum
Author Topic: CVE-2014-0160 is putting bitcoin sites at risk  (Read 935 times)
Dusty
Hero Member

Activity: 731
Merit: 500


Libertas a calumnia


April 08, 2014, 09:19:57 AM
 #1

At the time of writing bitstamp (!!!), btcchina, bitfinex and probably others are still vulnerable.

Probably bitstamp and btcchina are at fault because of incapsula.

http://heartbleed.com/

http://filippo.io/Heartbleed/

Bitcoin articles: Il portico dipinto
Rannasha
Hero Member

Activity: 728
Merit: 500


April 08, 2014, 12:26:48 PM
 #2

Bitstamp currently disabled logins. They posted this on their website:
Quote
Dear Bitstamp clients,

After reported vulnerabilities in OpenSSL, we applied the necessary patches to our system. Incapsula, our DDoS mitigation provider, is still working on patching their system.

In order to provide the required security, both systems need to be patched. We are in constant contact with Incapsula and are working with them to complete the necessary procedures. Until then Bitstamp has decided to temporarily deactivate:

- account registration,
- account login,
- and all virtual currency withdrawal functions.

We will keep you updated on the progress.

Thank you for understanding.

Best regards
Bitstamp team

BitFinex sent an email to its users earlier today:
Quote
Hello Rannasha,

As you may be aware, yesterday a vulnerability affecting the latest versions of OpenSSL used by Bitfinex was discovered.

While this vulnerability has now been fixed, we strongly encourage you to change your password as soon as possible and enable/re-enable OTP authentication in your Bitfinex account.

Withdrawals will be disabled for 10 hours to give you time to change your information.

We will update you about the situation in the coming hours.

Regards,
The Bitfinex Team
https://www.bitfinex.com/
nibor
Sr. Member

Activity: 436
Merit: 285


April 08, 2014, 09:39:03 PM
 #3

That has got to be bug of the century... if not ever.

Implies that for 2 years since the code was released, for anyone running a server using OpenSSL 1.0.1 (up to 1.0.1f inclusive), an attacker could silently (i.e. no logging or trail) download the SSL private key off the server. And then if they could intercept any SSL traffic between server and client they could decrypt that data (again silently, leaving no trace). And could have been doing that for 2 years.

Or have I got the wrong end of the stick here?

This implies that every user needs to change every password on every site that was using 1.0.1?

Refs:
https://heartbleed.com/
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3;hp=0d7717fc9c83dafab8153cbd5e2180e6e04cc802
http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit
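An added illustration, not code from this thread, from OpenSSL or from the linked commit, of the missing check that nibor's post and the fix commit it links are about: a constructed model of heartbeat processing with the pre-fix handler beside one that carries the bounds check the commit adds. The record layout, buffer sizes and the "secret" bytes placed next to the record are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a heartbeat record: 1-byte type, 2-byte big-endian declared
 * payload length, payload, 16 bytes padding. It fills the first REC_LEN bytes of
 * `mem`; the rest stands in for whatever sat next to it in process memory. */
#define MEM_SIZE   64
#define HB_PADDING 16
#define REC_LEN    (1 + 2 + 4 + HB_PADDING)       /* honest record, 4-byte payload */

static const uint8_t mem[MEM_SIZE] =
    "\x01" "\x00\x04" "ping" "PPPPPPPPPPPPPPPP"    /* the 23-byte record */
    "SECRET-SESSION-ID=deadbeef-constructed";     /* constructed neighbouring data */
static uint8_t reply[MEM_SIZE];                   /* what the server would send back */

/* Pre-fix: the declared length is trusted and never checked against rec_len. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                                        /* the bug */
    if (payload > MEM_SIZE - 3) payload = MEM_SIZE - 3;   /* keeps the model in bounds */
    memcpy(out, rec + 3, payload);                        /* copies past the record */
    return payload;
}

/* Post-fix, modelled on the bounds check the linked OpenSSL commit adds: a request
 * whose declared payload does not fit in the received record is silently dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Feeds a copy of the record with `declared` in its length field to `handler`. */
static size_t reply_bytes(size_t (*handler)(const uint8_t *, size_t, uint8_t *),
                          uint16_t declared) {
    uint8_t m[MEM_SIZE];
    memcpy(m, mem, MEM_SIZE);
    m[1] = (uint8_t)(declared >> 8); m[2] = (uint8_t)(declared & 0xff);
    memset(reply, 0, MEM_SIZE);
    return handler(m, REC_LEN, reply);            /* bytes the reply would carry */
}

int main(void) {
    size_t n = reply_bytes(heartbeat_vulnerable, 48);    /* claims 48, record holds 4 */
    printf("vulnerable: %zu bytes, tail: %.28s\n", n, (const char *)reply + 20);
    printf("fixed: %zu bytes\n", reply_bytes(heartbeat_fixed, 48));
    return 0;
}
```

The vulnerable handler answers a request that declares 48 bytes with 44 bytes it never received, which is exactly the behaviour the commit's check removes; the fixed handler returns nothing for the same request and still echoes an honest one.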
BitcoinHoarder
Full Member

Activity: 144
Merit: 100


April 09, 2014, 03:48:28 PM
 #4

Quote from: nibor
That has got to be bug of the century... if not ever.

Implies that for 2 years since the code was released, for anyone running a server using OpenSSL 1.0.1 (up to 1.0.1f inclusive), an attacker could silently (i.e. no logging or trail) download the SSL private key off the server. And then if they could intercept any SSL traffic between server and client they could decrypt that data (again silently, leaving no trace). And could have been doing that for 2 years.

Or have I got the wrong end of the stick here?

This implies that every user needs to change every password on every site that was using 1.0.1?

Refs:
https://heartbleed.com/
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3;hp=0d7717fc9c83dafab8153cbd5e2180e6e04cc802
http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit

You are correct, and there are many other ways to exploit the server memory. For example, it has been shown (and I tested it on my own servers) that you can dump the HTTP headers (no trace left!) and extract session IDs. You can then trivially use that session id to masquerade as a logged in user. It's REALLY easy.