Bitcoin Forum
Topic: Localbitcoins Update
RockHound (OP), Full Member
April 18, 2014, 04:45:30 AM  #1

    Multiple reports that withdrawals have been frozen and do not leave the "pending" state. (3:52pm EST)

    Staff posted an update on the blog -> http://localbitcoins.blogspot.com/2014/04/initial-response-regarding.html They make the claim that the affected users do not have 2nd factor enabled. (4:22pm EST)

    Staff have corrected their post, recognizing that they have confirmed three cases of people with 2nd factor having funds stolen. They do say that these incidents are not affecting a large number of users. (4:30 EST)

    Staff confirm that withdrawals may be delayed while this mess is sorted out. (4:38 EST)

    At a conference call on the issue, all affected traders in attendance reported LocalBitcoins has not yet provided ANY reply to support tickets. (8:00pm EST)

    Incidents of this form of attack appear to have started ~48 hours ago; coins appear to be withdrawn to a foreign address, despite 2FA. (8:34pm EST)

    Withdrawals have been totally frozen for more than an hour now. (9:38pm EST)


Any fellow Localbitcoiners on here? I currently have active listing(s). Just wondering what's the best course of action?

Apparently attempting to withdraw renders you susceptible to an XSS attack.
bryant.coleman, Legendary
April 18, 2014, 05:18:57 AM  #2

^^^ I have just logged in to my localbitcoins.com account. Nothing unfamiliar. But I had withdrawn all my coins 2 months ago and I don't have any more coins in my account. The other sell / buy listings are visible.
RockHound (OP), Full Member
April 18, 2014, 05:40:19 AM  #3

Quote from: bryant.coleman
^^^ I have just logged in to my localbitcoins.com account. Nothing unfamiliar. But I had withdrawn all my coins 2 months ago and I don't have any more coins in my account. The other sell / buy listings are visible.

Very good of you to check, cheers Bry

Hopefully it's nothing too serious - although more folks on their forum are reporting missing coins with 2FA enabled - worrying.
chandan123, Full Member
April 18, 2014, 05:54:30 AM  #4

So it's best not to withdraw the coins from localbitcoins now?

RockHound (OP), Full Member
April 18, 2014, 06:11:23 AM  #5

Quote from: chandan123
So it's best not to withdraw the coins from localbitcoins now?

Sorry, can't be of much help Chandan, still trying to find out more - withdrawals are possibly affected by JavaScript; some folks have recommended that you disable it if you are going to attempt a withdrawal?

I contacted another seller friend of mine; for now we are both leaving our listings active until the Localbitcoins team make another update.

The Localbitcoins team have a pretty solid history, and have always been expedient in fixing any issues.
bryant.coleman, Legendary
April 18, 2014, 06:29:23 AM  #6

Quote from: RockHound
Although more folks on their forum are reporting missing coins with 2FA enabled - worrying.

According to Localbitcoins admins, only 3 people with 2FA lost their coins. Is the real number more than this? If it is so, then this incident reminds me of Mt Gox. The Gox people had also claimed initially that the breach was not serious.
Light, Hero Member
April 18, 2014, 06:32:50 AM  #7

Quote from: bryant.coleman
According to Localbitcoins admins, only 3 people with 2FA lost their coins. Is the real number more than this? If it is so, then this incident reminds me of Mt Gox. The Gox people had also claimed initially that the breach was not serious.

Any business operation would initially claim the problem not to be serious; otherwise there'd be mass panic. In both situations (serious and non-serious) it would be best to claim a reduced degree of severity, simply because it is true if it is non-serious, and if it's not, it buys you time to fix or steal before people begin suspecting, panic withdrawing and finding it doesn't work.
chandan123, Full Member
April 18, 2014, 07:22:21 AM  #8

Quote from: RockHound
Sorry, can't be of much help Chandan, still trying to find out more - withdrawals are possibly affected by JavaScript; some folks have recommended that you disable it if you are going to attempt a withdrawal?

I contacted another seller friend of mine; for now we are both leaving our listings active until the Localbitcoins team make another update.

The Localbitcoins team have a pretty solid history, and have always been expedient in fixing any issues.

Thanks, but disabling JavaScript makes the withdraw button nonfunctional, I think.
I was going to try to withdraw, but let me wait for a day.

bryant.coleman, Legendary
April 18, 2014, 07:28:50 AM  #9

Quote from: Light
Any business operation would initially claim the problem not to be serious; otherwise there'd be mass panic. In both situations (serious and non-serious) it would be best to claim a reduced degree of severity, simply because it is true if it is non-serious, and if it's not, it buys you time to fix or steal before people begin suspecting, panic withdrawing and finding it doesn't work.

Know what? I was planning to sell 1 BTC (for fiat) tomorrow on Localbitcoins (In my country, the Bitstamp / BTC-E fiat withdrawal can take a lot of time). Seems like I'll have to convert it somewhere else.
franky1, Legendary
April 18, 2014, 07:38:10 AM  #10

Most likely an insider job.

Too many times I see bitcoin services put their hot wallets on remote servers. What makes it worse is they put it on remote servers which accept bitcoin. This is a big glowing neon sign that says the hosting provider knows all about bitcoin and has full access to the source code. So no matter how much security the service provider or customers use to prevent outside intrusion, there is nothing to stop insiders.

History has shown that the majority of hacks were actually inside jobs. Will bitcoin service providers ever learn? Will service users ever learn?

Do not store large amounts for long-term periods on third-party services.

pandit, Member
April 18, 2014, 01:16:56 PM  #11

Now, are withdrawals working in LBC?

RockHound (OP), Full Member
April 18, 2014, 01:46:55 PM  #12

Quote from: pandit
Now, are withdrawals working in LBC?

Cheers Pandit, how long did it take you?
RockHound (OP), Full Member
April 18, 2014, 01:49:38 PM  #13

Quote from: franky1
Most likely an insider job.

Too many times I see bitcoin services put their hot wallets on remote servers. What makes it worse is they put it on remote servers which accept bitcoin. This is a big glowing neon sign that says the hosting provider knows all about bitcoin and has full access to the source code. So no matter how much security the service provider or customers use to prevent outside intrusion, there is nothing to stop insiders.

History has shown that the majority of hacks were actually inside jobs. Will bitcoin service providers ever learn? Will service users ever learn?

Do not store large amounts for long-term periods on third-party services.

You could be right my brother, others think this is a possibility - Just takes one bad apple! I hope they fully secure this soon.
pandit, Member
April 18, 2014, 02:38:22 PM  #14

Quote from: RockHound
Quote from: pandit
Now, are withdrawals working in LBC?

Cheers Pandit, how long did it take you?

Actually, I am asking if anyone has withdrawn BTC from them.

RockHound (OP), Full Member
April 18, 2014, 02:55:10 PM  #15

Quote from: pandit
Quote from: RockHound
Quote from: pandit
Now, are withdrawals working in LBC?

Cheers Pandit, how long did it take you?

Actually, I am asking if anyone has withdrawn BTC from them.

lol, my bad - yeah, so some users report that withdrawals are being processed. 45 minutes for full confirmations.

Localbitcoins Team recently posted this: http://localbitcoins.blogspot.fi/2014/04/investigation-report-of-claimed.html

I'm still waiting for another announcement saying "all is good/secure"

If you are going to try just make sure you have 2FA and run a virus scan first.
RockHound (OP), Full Member
April 18, 2014, 02:56:13 PM  #16

Quote from: franky1
Most likely an insider job.

Too many times I see bitcoin services put their hot wallets on remote servers. What makes it worse is they put it on remote servers which accept bitcoin. This is a big glowing neon sign that says the hosting provider knows all about bitcoin and has full access to the source code. So no matter how much security the service provider or customers use to prevent outside intrusion, there is nothing to stop insiders.

History has shown that the majority of hacks were actually inside jobs. Will bitcoin service providers ever learn? Will service users ever learn?

Do not store large amounts for long-term periods on third-party services.

LocalBitcoins Team response:

This case is also very unlikely to be an inside job. LocalBitcoins logs all the actions done by its support staff and developers to an audit log, so potential abuse of staff privileges is easily uncovered. Two-factor authentication codes and passwords are not accessible by the support staff. Furthermore, it would not be very rational for an insider to attack against one particular user and his/her wallet only if the insider would have access to all wallets.
Rishodi, Member
April 18, 2014, 06:56:39 PM  #17

This is the reply which I have posted on the LocalBitcoins blog:

Quote
From the given information, the theft depended on 1) session hijacking and 2) compromised 2FA. Although this is certainly indicative of a compromised user device, LocalBitcoins needs to take more aggressive action to inhibit session hijacking.

Even with 2FA enabled, requests which originate from a user with a different IP address and browser than that which was recorded at the initiation of a session should be responded to by immediately destroying that session and asking the user to reauthenticate. In this particular case, the withdrawal request was associated with an IP address and user agent header which were distinguishably different from that which was recorded at the start of the session. As a result, the request should have been flagged as suspicious and denied.

Of course, such policies may not have been able to prevent the theft in this particular case. If the attacker was able to gain not merely read-only permissions but also execution permissions on the user's device, then the attacker could have sent the request directly from the user's device using the existing session, and the request would not appear suspicious to the server. If the attacker was able to access both the user's password and 2FA code, then the attacker could simply establish a new session from anywhere and subsequently send the withdrawal request.

Nonetheless, it is alarming to find that the security of session management at LocalBitcoins is certainly lacking. Taking a more proactive approach to session security would help to inhibit attacks and bolster trust in the LocalBitcoins platform. A good technical overview of the topic can be found here: https://wblinks.com/notes/secure-session-management-tips/

For anyone who uses LocalBitcoins, the safest course of action is to 1) enable 2FA and 2) logout after every session. Logging out will close the user session, and with no active sessions you are not susceptible to a session hijack attempt.

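The session policy Rishodi proposes above (bind the session to the IP address and browser seen at login, destroy it and force re-authentication on mismatch, and let an explicit logout leave nothing to hijack), written out as an added example. This is not LocalBitcoins code; the session store, the request shape and every sample value are constructed for illustration.

```python
# Added example, not LocalBitcoins code: bind each session to the client
# fingerprint (IP address + User-Agent) recorded at login and destroy the
# session on mismatch, forcing re-authentication, as Rishodi proposes above.
# The store, the request shape and all sample values are constructed.
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    ua_hash: str  # SHA-256 of the User-Agent header seen at login


SESSIONS: dict[str, Session] = {}


def _fingerprint_ua(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def create_session(user: str, ip: str, user_agent: str) -> str:
    """Issue an unguessable token and record the fingerprint it is bound to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, ip, _fingerprint_ua(user_agent))
    return token


def authorize(token: str, ip: str, user_agent: str) -> str:
    """Gate a sensitive action (e.g. a withdrawal) on the session fingerprint.

    Returns "ok" when the request matches the bound IP and User-Agent.
    Returns "reauth" when the token is unknown or the fingerprint differs;
    in the latter case the session is destroyed, so a token replayed from
    another host is dead and the real user must log in again.
    """
    sess = SESSIONS.get(token)
    if sess is None:
        return "reauth"
    if sess.ip != ip or sess.ua_hash != _fingerprint_ua(user_agent):
        del SESSIONS[token]  # hijacked or moved session: kill it
        return "reauth"
    return "ok"


def logout(token: str) -> None:
    """Explicit logout: with no live session there is nothing to hijack."""
    SESSIONS.pop(token, None)
```

A request issued from the victim's own device through the existing session carries the same fingerprint and passes, which is exactly the limitation Rishodi notes. Binding to the IP address also logs out users whose address legitimately changes (mobile networks, for instance), so a deployment may prefer to treat an IP change as a step-up re-authentication prompt rather than an unconditional kill.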
kittucrypt, Sr. Member
April 18, 2014, 07:03:18 PM  #18

So it looks like the user account was hacked via a user device? I wonder if LBTC did anything fishy here?

RockHound (OP), Full Member
April 18, 2014, 07:26:31 PM  #19

Quote from: Rishodi
This is the reply which I have posted on the LocalBitcoins blog:

Quote
From the given information, the theft depended on 1) session hijacking and 2) compromised 2FA. Although this is certainly indicative of a compromised user device, LocalBitcoins needs to take more aggressive action to inhibit session hijacking.

Even with 2FA enabled, requests which originate from a user with a different IP address and browser than that which was recorded at the initiation of a session should be responded to by immediately destroying that session and asking the user to reauthenticate. In this particular case, the withdrawal request was associated with an IP address and user agent header which were distinguishably different from that which was recorded at the start of the session. As a result, the request should have been flagged as suspicious and denied.

Of course, such policies may not have been able to prevent the theft in this particular case. If the attacker was able to gain not merely read-only permissions but also execution permissions on the user's device, then the attacker could have sent the request directly from the user's device using the existing session, and the request would not appear suspicious to the server. If the attacker was able to access both the user's password and 2FA code, then the attacker could simply establish a new session from anywhere and subsequently send the withdrawal request.

Nonetheless, it is alarming to find that the security of session management at LocalBitcoins is certainly lacking. Taking a more proactive approach to session security would help to inhibit attacks and bolster trust in the LocalBitcoins platform. A good technical overview of the topic can be found here: https://wblinks.com/notes/secure-session-management-tips/

For anyone who uses LocalBitcoins, the safest course of action is to 1) enable 2FA and 2) logout after every session. Logging out will close the user session, and with no active sessions you are not susceptible to a session hijack attempt.

Thanks for the input Rishodi ! Is a session logout possible with an Active listing?
RockHound (OP), Full Member
April 18, 2014, 07:27:08 PM  #20

Coindesk, summary of events:

http://www.coindesk.com/localbitcoins-releases-investigation-report-site-wallet-issues/