Bitscalper passwords have been leaked

[theymos]

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed. While it is not known for sure that an attacker has discovered the flaw, you should assume that the list is public.

Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.

Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

[1715237312]

1715237312

[1715237312]

1715237312

[1715237312]

1715237312

[1715237312]

1715237312

[copumpkin]

It's quite amazing how this community seems to attract the worst security practices.

[Sysrq]

Wow ! What a nice, well run site !

Theymos, thank you for the info.

[Kluge]

And now, I assume the stampede of traffic is preventing website access, meaning Bitscalper admin could probably make off with everything left, anyway - not that withdrawals usually work... Hope nobody had a substantial amount left there. :x

ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.

[splatster]

Code:

md5($password + "mysupercoolsalt")

There, I just took one simple step that could have gone a long way.

[GeniuSxBoY]

hax0rs gonna hax

[copumpkin]

Code:

md5($password + "mysupercoolsalt")

There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it?

[splatster]

Code:

md5($password + "mysupercoolsalt")

There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it?

Better yet, how could you give away everyone's money to anyone with a computer?

[Snapman]

I saw this coming from far off. Except for the part on honesty, thanks.

[someguy123]

Don't care that much..
Withdrew my 0.5BTC when I started to realize I wasn't really making much
Plus I use keepass... so a nice 32 character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it

[deepceleron]

"Bug reports are welcome at bugtraq@bitscalper.com. Thank you for your cooperation."

Clearly the site op has come back from the future, and knows this isn't a problem:
© 2012/2013 bitscalper.com

[terrytibbs]

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

Damn!

[Ente]

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente

[Jonathan Ryan Owens]

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente

Most people are honest in situations like that. It's also penny wise and pound stupid to take the Bitcoin. He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin (assuming that there are even a few thousand bitcoin at BitScalper).
 

[caveden]

It's quite amazing how this community seems to attract the worst security practices.

I'd say that unfortunately many software developers in general do not follow important security practices. The main difference with this community is that there is a considerable amount of people capable of exploiting such vulnerabilities. And, well, most of the time there's money involved, not only ordinary data.

Congratulations for both chsx3 and theymos for the honest behavior.

[P4man]

He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin

Really? Why? It wouldnt be to me. In fact it wouldnt be worth 5BTC to me.
The knowledge that I didnt scam people and helped avoid them get scammed would be worth a lot more to me, but the "hero" status on this board.. nop.

[finway]

Sorry to hear that.

[Cluster2k]

Plain text passwords?  Words escape me how incompetent someone could be to even think of allowing that.  It's an unforgivable error.

[BombaUcigasa]

It's quite amazing how this community seems to attract the worst security practices.

Your expectations of people that believe they understand mathematics, economics and computing at the same time, are too high. Because few of these people exist.

[film2240]

Thanks for the heads up Theymos.