Bitcoin Forum
December 05, 2019, 10:45:53 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: heartbleed & bitcointalk.  (Read 2835 times)
pekv2
Hero Member
*****
Offline Offline

Activity: 770
Merit: 502



View Profile
April 12, 2014, 09:48:30 AM
Last edit: April 12, 2014, 06:47:18 PM by pekv2
 #1

I could careless any longer scratched out part was bout all hacks in gen, gmail lastpass ect.no pun tend to btctalk Cheesy., but was bitcointalk effected by hearbleed bug, if gmail and lastpass was, I have no doubt bitcointalk.org was too.

If so: explain.
If not explain:

What are your words on this theymos.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1575585953
Hero Member
*
Offline Offline

Posts: 1575585953

View Profile Personal Message (Offline)

Ignore
1575585953
Reply with quote  #2

1575585953
Report to moderator
1575585953
Hero Member
*
Offline Offline

Posts: 1575585953

View Profile Personal Message (Offline)

Ignore
1575585953
Reply with quote  #2

1575585953
Report to moderator
jimmijames73
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500


View Profile
April 12, 2014, 10:32:36 AM
 #2

I could careless any longer, but was bitcointalk effected by hearbleed bug, if gmail and lastpass was, I have no doubt bitcointalk.org was too.

If so: explain.
If not explain:

What are your words on this theymos.

I checked using the following two sites and both came up negative:

http://filippo.io/Heartbleed/#bitcointalk.org
https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org

Though the site may have been previously vulnerable but is now fixed, so theymos will have to confirm.
pekv2
Hero Member
*****
Offline Offline

Activity: 770
Merit: 502



View Profile
April 12, 2014, 03:57:55 PM
 #3

Though the site may have been previously vulnerable but is now fixed, so theymos will have to confirm.

This would be great.

I changed my PW here anyhow just in case, and suggest anyone else aswell.
zaseb
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
April 12, 2014, 04:06:22 PM
 #4

This would be great.

I changed my PW here anyhow just in case, and suggest anyone else aswell.

I'm not entirely sure about this, but "the word on the street is" the forum was using an older version of OpenSSL which did not have the heartbeat extension so we were not vulnerable.

The SSL certificate has not been updated either, which would also point to this being the case as theymos would have certainly replaced it should the forum been vulnerable to heartbleed.

Also, just to correct your post, while LastPass was vulnerable to heartbleed the attack was useless as all LastPass data is client-side encrypted, meaning an attacker still could not read your data.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3584
Merit: 7341


View Profile
April 12, 2014, 04:33:42 PM
Last edit: April 12, 2014, 05:16:21 PM by theymos
 #5

It was, but it was fixed hours after the vulnerability was announced. It's very unlikely IMO that the private key was compromised, and an attacker would also need to be able to read traffic between you and the forum to see anything, so a lot of concern isn't necessary IMO. I will still update the TLS keys as soon as I can. (RapidSSL/NameCheap has some technical problems with reissues -- it seems that they always sign the last certificate you sent them when doing a reissue, so you actually need to reissue twice to change the cert, and this takes time.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3584
Merit: 7341


View Profile
April 12, 2014, 05:15:24 PM
 #6

I updated the keys.

It's never a bad idea to change your password, but in this case I don't really think that it's necessary.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
pekv2
Hero Member
*****
Offline Offline

Activity: 770
Merit: 502



View Profile
April 12, 2014, 06:46:05 PM
 #7

Good man. Thanks theymos.  Cool
Justin00
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


★YoBit.Net★ 350+ Coins Exchange & Dice


View Profile
April 14, 2014, 01:25:09 AM
 #8

ummm I highly advise you look into security issues abit more next time.
I'm not trying to be a dick but a 3rd party could basically see what was in your servers memory... you understand that right ? If a user logged in, a 3rd party could get lucky and see that information. A 3rd party did NOT need the private key to see the unencrypted data.......

To run the exploit you simply had the download the vulnerability checking script written in python and add an extra line to print the 64k worth of data. It was so simple even I was able to get it working and I am in no way a programmer, security expert or developer etc... ( To confirm I never ran the exploit against this site.. i assumed the software was so old there would be no point even bothering to test)

the following scenario was proven to work on many many vulnerable servers.

Alice lives in Australia and logs into her server in the USA via browser/HTTPS
Bob lives in the UK and ran the exploit and the timing was just right, Alice had just logged in
and Bob got back 64k of unencrypted data, which contained Alices password.

This attack did NOT involve MITM or anything like that... you could basically just keep getting 64k of data from the servers memory.. sometimes it might be posts, useless crap and obviously very occasionaly you might get lucky and get passwords. But you DID NOT need to be in the path of the user or server... that is why this was so critical and every other website was concerned and advised people to change passwords, after is fixed.

How do you know someone wasnt doing this exploit for months, but it only went public a few days ago ? Chances are they werent, but how do you now.


The fact you don't think its necessary to change passwords now is very very scary.

You should have a huge alert telling users to change their passwords, as you did with the bitcoin client update.


Seriously.. do you just not give a shit about the users security  Huh??
You only seem concerned with generating revenue from advertisements.



I updated the keys.

It's never a bad idea to change your password, but in this case I don't really think that it's necessary.

Justin00
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


★YoBit.Net★ 350+ Coins Exchange & Dice


View Profile
April 14, 2014, 01:36:20 AM
 #9

basically... everyone.. please change your password..
If there was ever a necessary time, its now.....


theymos
Administrator
Legendary
*
Offline Offline

Activity: 3584
Merit: 7341


View Profile
April 14, 2014, 02:12:03 AM
 #10

Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
cooldgamer
Legendary
*
Offline Offline

Activity: 1218
Merit: 1003


We are the champions of the night


View Profile WWW
April 14, 2014, 02:17:24 AM
 #11

Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.
Thank god I found this thread, got logged out thought I got/was getting hacked Cheesy

grue
Legendary
*
Offline Offline

Activity: 2058
Merit: 1208



View Profile
April 14, 2014, 02:27:59 AM
 #12

ummm I highly advise you look into security issues abit more next time.
I'm not trying to be a dick but a 3rd party could basically see what was in your servers memory... you understand that right ? If a user logged in, a 3rd party could get lucky and see that information. A 3rd party did NOT need the private key to see the unencrypted data.......

To run the exploit you simply had the download the vulnerability checking script written in python and add an extra line to print the 64k worth of data. It was so simple even I was able to get it working and I am in no way a programmer, security expert or developer etc... ( To confirm I never ran the exploit against this site.. i assumed the software was so old there would be no point even bothering to test)

the following scenario was proven to work on many many vulnerable servers.

Alice lives in Australia and logs into her server in the USA via browser/HTTPS
Bob lives in the UK and ran the exploit and the timing was just right, Alice had just logged in
and Bob got back 64k of unencrypted data, which contained Alices password.

This attack did NOT involve MITM or anything like that... you could basically just keep getting 64k of data from the servers memory.. sometimes it might be posts, useless crap and obviously very occasionaly you might get lucky and get passwords. But you DID NOT need to be in the path of the user or server... that is why this was so critical and every other website was concerned and advised people to change passwords, after is fixed.

How do you know someone wasnt doing this exploit for months, but it only went public a few days ago ? Chances are they werent, but how do you now.


The fact you don't think its necessary to change passwords now is very very scary.

You should have a huge alert telling users to change their passwords, as you did with the bitcoin client update.


Seriously.. do you just not give a shit about the users security  Huh??
You only seem concerned with generating revenue from advertisements.


now you're being disingenuous. the passwords aren't stored in server memory. the passwords aren't stored anywhere, because they're hashed + salted. the most that can be stolen are the hashes.

It is pitch black. You are likely to be eaten by a grue.

Adblock for annoying signature ads | Enhanced Merit UI
Justin00
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


★YoBit.Net★ 350+ Coins Exchange & Dice


View Profile
April 14, 2014, 02:44:01 AM
Last edit: April 14, 2014, 02:56:37 AM by Justin00
 #13

Grue... i have tried it. I have seen passwords... other people have tried it, they have seen passwords.
I am not a security researcher or anyting like that...  just a person capable of running the script.

However you are partially correct.. I think my use of "in server memory" was me typing abit to quickly for my own good, without thinking.
anyways it has been documented by actual people who can explain it in exact detail (as oposed to me Sad   ) that yes, passowrds, everything can be captured.
Unless ofcourse you hash the password on the client side first... otherwise the password is sent.. under normal circumstances your protected by HTTPS and obviously people can't pull data from your server.......... until this issue came about.

someone even managed to get the private keys off a server..

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge


anyways - the msg for users to change passwd has been put up. thank you Smiley

zaseb
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
April 14, 2014, 02:55:01 AM
 #14

now you're being disingenuous. the passwords aren't stored in server memory. the passwords aren't stored anywhere, because they're hashed + salted. the most that can be stolen are the hashes.

You're mistaken. After OpenSSL decrypts data it recieves from the client it temporarily stores it in RAM. You can use heartbleed to get the POST data or part of it when a user logs in if you can time it right. The POST data of course contains the password in plaintext, the hashing is done server-side.

It is difficult to time it right but it does work. However it is incredibly easy to steal session id's using heartbleed as the session id is sent every time a user views a page. An attacker can then use that session id to login as the user.
grue
Legendary
*
Offline Offline

Activity: 2058
Merit: 1208



View Profile
April 14, 2014, 03:52:18 AM
 #15

now you're being disingenuous. the passwords aren't stored in server memory. the passwords aren't stored anywhere, because they're hashed + salted. the most that can be stolen are the hashes.

You're mistaken. After OpenSSL decrypts data it recieves from the client it temporarily stores it in RAM. You can use heartbleed to get the POST data or part of it when a user logs in if you can time it right. The POST data of course contains the password in plaintext, the hashing is done server-side.

It is difficult to time it right but it does work. However it is incredibly easy to steal session id's using heartbleed as the session id is sent every time a user views a page. An attacker can then use that session id to login as the user.
I stand corrected.

It is pitch black. You are likely to be eaten by a grue.

Adblock for annoying signature ads | Enhanced Merit UI
freedomno1
Legendary
*
Offline Offline

Activity: 1624
Merit: 1036


Learning the troll avoidance button :)


View Profile WWW
April 14, 2014, 03:54:33 AM
Last edit: April 14, 2014, 04:58:17 AM by freedomno1
 #16

Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.

OH that explains why I got logged out and roger
Twice lol
Justin00
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


★YoBit.Net★ 350+ Coins Exchange & Dice


View Profile
April 14, 2014, 02:04:03 PM
 #17

Feel free to security bounty me for bringing a 5 day old exploit, which you where some what already aware of and fixed, to your attention (ever so politely and delicately, as I always am Smiley ) in slightly more detail as to protect your lovely odd 100,000+ userbase Wink

16m38DJdtcoP4KVNjLLmL6zgdwGidQJYBT

Just kidding.. allthough you have missed my last 32 birthdays and 31 xmas gifts!
 

Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.

pekv2
Hero Member
*****
Offline Offline

Activity: 770
Merit: 502



View Profile
April 14, 2014, 09:00:25 PM
 #18

https://lastpass.com/heartbleed/?h=bitcointalk.org%2F

Quote
Site:   bitcointalk.org
Server software:   nginx
Was vulnerable:    Possibly (known use OpenSSL, but might be using a safe version)
SSL Certificate:   Now Safe (created 4 days ago at Apr 10 22:50:11 2014 GMT)
Assessment:   Change your password on this site if your last password change was more than 4 days ago

Thanks for all pitching in their advice and help, from theymos to other members.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!