theymos (OP)
Administrator
Legendary
Offline
Activity: 5334
Merit: 13306
February 13, 2012, 05:20:31 AM
I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed. While it is not known for sure that an attacker has discovered the flaw, you should assume that the list is public.
Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.
Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
copumpkin
Donator
Sr. Member
Offline
Activity: 266
Merit: 252
I'm actually a pineapple
February 13, 2012, 05:24:32 AM
It's quite amazing how this community seems to attract the worst security practices.
Sysrq
Member
Offline
Activity: 66
Merit: 10
February 13, 2012, 05:26:43 AM
Wow ! What a nice, well run site !
Theymos, thank you for the info.
Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
February 13, 2012, 05:26:56 AM (Last edit: February 13, 2012, 07:51:57 AM by Kluge)
And now, I assume the stampede of traffic is preventing website access, meaning Bitscalper admin could probably make off with everything left, anyway - not that withdrawals usually work... Hope nobody had a substantial amount left there. :x
ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.
splatster
February 13, 2012, 05:28:20 AM
md5($password + "mysupercoolsalt") There, I just took one simple step that could have gone a long way.
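The one-liner above hashes every password with the same site-wide salt. That is better than storing plaintext, but one cracking pass still covers the whole user list, because two users with the same password get the same stored value and a single precomputed table of guesses matches every account at once. The following is an added example written for this page, not code from the thread or from bitscalper.com; it contrasts plaintext storage, the static-salt MD5 scheme from the post, and a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256 from Python's standard library). The user names, passwords, wordlist and iteration count are constructed assumptions for the demonstration.

```python
"""Added example (not from the thread, not bitscalper.com's code).

Three ways of storing a password, side by side:
  1. plaintext                      (what the thread reports)
  2. MD5 with one site-wide salt    (the one-liner proposed in the thread)
  3. per-user random salt + PBKDF2  (what a site should do; bcrypt, scrypt or
                                     Argon2 are equally good choices)
All user names, passwords and the wordlist below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

SITE_SALT = "mysupercoolsalt"   # the static salt from the thread's one-liner
PBKDF2_ITERATIONS = 600_000     # assumption: a current OWASP-style work factor


def store_plaintext(password: str) -> str:
    # Scheme 1: the stored value is the password itself.
    return password


def store_static_md5(password: str) -> str:
    # Scheme 2: one salt for every user. Equal passwords still collide, and
    # one table of precomputed hashes cracks the whole user list at once.
    return hashlib.md5((password + SITE_SALT).encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    # Scheme 3: a fresh 16-byte random salt per record, stored next to the
    # hash so verification can recompute it. Format: pbkdf2_sha256$iters$salt$hash
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so a timing side channel does not leak the hash.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample user list; two users happen to share a password.
USERS: Dict[str, str] = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def count_duplicate_hashes(store) -> int:
    """Number of stored records identical to some other user's record."""
    records = [store(pw) for pw in USERS.values()]
    return len(records) - len(set(records))


def crack_static_md5(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack on scheme 2: hash each guess once, match it against every
    leaked record. With a per-user salt this table would have to be rebuilt
    per account, multiplying the attacker's work by the number of users."""
    table = {store_static_md5(w): w for w in wordlist}
    return {user: table[rec] for user, rec in leaked.items() if rec in table}


if __name__ == "__main__":
    print("duplicate records, plaintext :", count_duplicate_hashes(store_plaintext))
    print("duplicate records, static md5:", count_duplicate_hashes(store_static_md5))
    print("duplicate records, pbkdf2    :", count_duplicate_hashes(store_pbkdf2))
    leaked_dump = {u: store_static_md5(p) for u, p in USERS.items()}
    print("cracked from static-md5 dump :", crack_static_md5(leaked_dump, ["password", "hunter2", "letmein"]))
    rec = store_pbkdf2("hunter2")
    print("pbkdf2 verify correct:", verify_pbkdf2("hunter2", rec), " wrong:", verify_pbkdf2("hunter3", rec))
```

Run it directly to see the counts: plaintext and static-salt MD5 both produce one duplicate record for the shared password, and the constructed three-word wordlist recovers both of those accounts from the static-salt dump, while the per-user salt gives every record a distinct value and forces the attacker to pay the full KDF cost per account and per guess.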
GeniuSxBoY
February 13, 2012, 05:33:51 AM
hax0rs gonna hax
Be humble!
copumpkin
Donator
Sr. Member
Offline
Activity: 266
Merit: 252
I'm actually a pineapple
February 13, 2012, 05:34:20 AM
> md5($password + "mysupercoolsalt") There, I just took one simple step that could have gone a long way.
But then how would you include the user's password in the email you send them when they forget it?
splatster
February 13, 2012, 05:38:08 AM
>> md5($password + "mysupercoolsalt") There, I just took one simple step that could have gone a long way.
> But then how would you include the user's password in the email you send them when they forget it?
Better yet, how could you give away everyone's money to anyone with a computer?
Snapman
February 13, 2012, 05:59:21 AM
I saw this coming from far off. Except for the part on honesty, thanks.
BTCRadio: 17cafKShokyQCbaNuzaDo5HLoSnffMNPAs
someguy123
February 13, 2012, 06:17:11 AM
Don't care that much.. Withdrew my 0.5BTC when I started to realize I wasn't really making much. Plus I use KeePass... so there's a nice 32-character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it.
deepceleron
Legendary
Offline
Activity: 1512
Merit: 1036
February 13, 2012, 06:27:47 AM
"Bug reports are welcome at bugtraq@bitscalper.com. Thank you for your cooperation." Clearly the site op has come back from the future, and knows this isn't a problem: © 2012/2013 bitscalper.com
terrytibbs
February 13, 2012, 06:31:43 AM
> Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Damn!
Ente
Legendary
Offline
Activity: 2126
Merit: 1001
February 13, 2012, 07:11:28 AM
> Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
You have my deepest respect, chsx3. Many people say (or believe) they have integrity. Just until they get the chance to prove it.. Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.
> I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.
No surprises from BS's side, though.
Ente
Jonathan Ryan Owens
Donator
Sr. Member
Offline
Activity: 392
Merit: 252
February 13, 2012, 08:23:11 AM
>> Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
> You have my deepest respect, chsx3. Many people say (or believe) they have integrity. Just until they get the chance to prove it.. Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.
>> I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.
> No surprises from BS's side, though.
> Ente
Most people are honest in situations like that. It's also penny wise and pound stupid to take the Bitcoin. He gets to be the one that exposed the BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin (assuming that there are even a few thousand bitcoin at BitScalper).
caveden
Legendary
Offline
Activity: 1106
Merit: 1004
February 13, 2012, 08:27:44 AM
> It's quite amazing how this community seems to attract the worst security practices.
I'd say that unfortunately many software developers in general do not follow important security practices. The main difference with this community is that there is a considerable number of people capable of exploiting such vulnerabilities. And, well, most of the time there's money involved, not only ordinary data. Congratulations to both chsx3 and theymos for their honest behavior.
P4man
February 13, 2012, 08:37:14 AM
> He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin
Really? Why? It wouldn't be to me. In fact it wouldn't be worth 5BTC to me. The knowledge that I didn't scam people and helped them avoid getting scammed would be worth a lot more to me, but the "hero" status on this board.. nope.
finway
February 13, 2012, 08:54:08 AM
Sorry to hear that.
Cluster2k
Legendary
Offline
Activity: 1692
Merit: 1018
February 13, 2012, 09:44:13 AM
Plain text passwords? Words escape me how incompetent someone could be to even think of allowing that. It's an unforgivable error.
BombaUcigasa
Legendary
Offline
Activity: 1442
Merit: 1005
February 13, 2012, 10:24:52 AM
> It's quite amazing how this community seems to attract the worst security practices.
Your expectations of people who believe they understand mathematics, economics and computing at the same time are too high, because few such people exist.
film2240
Legendary
Offline
Activity: 1022
Merit: 1000
Freelance videographer
February 13, 2012, 11:07:54 AM
Thanks for the heads up Theymos.
[This signature is available for rent. BTC/ETH/LTC or £50 equivalent a month]