Bitcoin Forum
Author Topic: Bitscalper passwords have been leaked  (Read 6891 times)
theymos
February 13, 2012, 05:20:31 AM #1

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed. While it is not known for sure that an attacker has discovered the flaw, you should assume that the list is public.

Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.

Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
copumpkin
February 13, 2012, 05:24:32 AM #2

It's quite amazing how this community seems to attract the worst security practices.
Sysrq
February 13, 2012, 05:26:43 AM #3

Wow ! What a nice, well run site !

Theymos, thank you for the info.
Kluge
February 13, 2012, 05:26:56 AM #4

And now, I assume the stampede of traffic is preventing website access, meaning Bitscalper admin could probably make off with everything left, anyway - not that withdrawals usually work... Hope nobody had a substantial amount left there. :x

ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.

Don't mix your coins someone said isn't legal
splatster
February 13, 2012, 05:28:20 AM #5

Code:
md5($password . "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.

S² Capital Management | #bitcoin-otc ratings | 1M5j2g4iz4mSwkngrYkqtcmKNGmyDAQzk2
GeniuSxBoY
February 13, 2012, 05:33:51 AM #6

hax0rs gonna hax
copumpkin
February 13, 2012, 05:34:20 AM #7

Code:
md5($password . "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? ;)
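The two points above, splatster's one-line fix (a single static salt in front of MD5) and copumpkin's quip about mailing the password back, side by side as an added example that is not code from the thread: the static-salt scheme as posted, a per-user salted slow hash in its place, and a hashed one-time reset token so the site never needs the plaintext at all. Names, the PBKDF2 choice and the sample password are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

STATIC_SALT = "mysupercoolsalt"  # the constant from splatster's one-liner

def static_md5(password: str) -> str:
    """The post's scheme: one fixed salt shared by every account. Two users
    with the same password get the same row, and one precomputed table
    built for this salt cracks the whole database at once."""
    return hashlib.md5((password + STATIC_SALT).encode()).hexdigest()

def make_record(password: str, iterations: int = 600_000) -> dict:
    """Store a per-user random salt plus a deliberately slow KDF output
    (PBKDF2-HMAC-SHA256); the plaintext is never written anywhere."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    # Constant-time compare so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

def issue_reset_token(record: dict) -> str:
    """'Forgot password' without the plaintext: mail the user a one-time
    random token and keep only its hash next to the account record."""
    token = secrets.token_urlsafe(32)
    record["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token

def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    expected = record.get("reset_token_hash")
    if expected is None:
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(supplied, expected):
        return False
    del record["reset_token_hash"]  # single use
    record.update(make_record(new_password, record["iterations"]))
    return True

if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    a, b = make_record("hunter2", 1000), make_record("hunter2", 1000)
    print(a["hash"] != b["hash"], verify(a, "hunter2"), verify(a, "Hunter2"))
```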
splatster
February 13, 2012, 05:38:08 AM #8

Code:
md5($password . "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? ;)

Better yet, how could you give away everyone's money to anyone with a computer?

S² Capital Management | #bitcoin-otc ratings | 1M5j2g4iz4mSwkngrYkqtcmKNGmyDAQzk2
Snapman
February 13, 2012, 05:59:21 AM #9

I saw this coming from far off. Except for the part on honesty, thanks.

BTCRadio: 17cafKShokyQCbaNuzaDo5HLoSnffMNPAs
someguy123
February 13, 2012, 06:17:11 AM #10

Don't care that much..
Withdrew my 0.5BTC when I started to realize I wasn't really making much
Plus I use keepass... so a nice 32 character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it :)

1SoMGuYknDgyYypJPVVKE2teHBN4HDAh3
Administrator/owner of LTC Forum | LTC Block Explorer | Someguy123 Web Development
deepceleron
February 13, 2012, 06:27:47 AM #11

"Bug reports are welcome at bugtraq@bitscalper.com. Thank you for your cooperation."

Clearly the site op has come back from the future, and knows this isn't a problem:
© 2012/2013 bitscalper.com

terrytibbs
February 13, 2012, 06:31:43 AM #12

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Damn!
Ente
February 13, 2012, 07:11:28 AM #13

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente
Jonathan Ryan Owens
February 13, 2012, 08:23:11 AM #14

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente

Most people are honest in situations like that. It's also penny wise and pound stupid to take the Bitcoin. He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin (assuming that there are even a few thousand bitcoin at BitScalper).
 

caveden
February 13, 2012, 08:27:44 AM #15

It's quite amazing how this community seems to attract the worst security practices.

I'd say that unfortunately many software developers in general do not follow important security practices. The main difference with this community is that there is a considerable amount of people capable of exploiting such vulnerabilities. And, well, most of the time there's money involved, not only ordinary data.

Congratulations for both chsx3 and theymos for the honest behavior.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
P4man
February 13, 2012, 08:37:14 AM #16

He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin

Really? Why? It wouldn't be to me. In fact it wouldn't be worth 5BTC to me.
The knowledge that I didn't scam people and helped avoid them getting scammed would be worth a lot more to me, but the "hero" status on this board.. nop.

finway
February 13, 2012, 08:54:08 AM #17

Sorry to hear that.

Cluster2k
February 13, 2012, 09:44:13 AM #18

Plain text passwords?  Words escape me how incompetent someone could be to even think of allowing that.  It's an unforgivable error.

Do not send bitcoins to me: 16b8s7pBJ9rUmsExNW25qD5VUqVqRPZuXu
100% solar powered bitcoin generation
BombaUcigasa
February 13, 2012, 10:24:52 AM #19

It's quite amazing how this community seems to attract the worst security practices.
Your expectations of people that believe they understand mathematics, economics and computing at the same time, are too high. Because few of these people exist.
film2240
February 13, 2012, 11:07:54 AM #20

Thanks for the heads up Theymos.

[This signature is available for rent]