Pages:
Author

Topic: BitFunder.com has been hacked and IT IS BitFunder's fault - page 2. (Read 30148 times)

newbie
Activity: 22
Merit: 0
(if you read the transcript, this fool didn't even enable it after the loss) 



Is he a fool? His account was cleaned out.

Quote
Very much agreed.

What are you agreeing too Ukyo? A refund to the op?
sr. member
Activity: 448
Merit: 250
So what it sounds like to me, a layperson, is that bitfunder has some shitty code that potentially allows for a fraudulent transfer to happen. 

OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication.  If they had used 2fa, they would still have their shares/coins.  Is that correct?

I'm not saying bitfunder shouldn't have to revamp that code.  In fact, they should fess up to this flaw and as a kind gesture, refund the coins.  But isn't this exactly the type of thing 2fa is designed to prevent?  Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you.  (if you read the transcript, this fool didn't even enable it after the loss) 

Very much agreed.

Now that BitFunder and WeExchange is finally getting support staff team to help offload tickets and other requests, I am now able to spend more time focusing on operations including the legalization of BitFunder, and hiring additional developers and even multi-lingual support staff.

We have already began conducting a full code review and started on a backend systems redesign with lots of new features and most importantly, security in mind.

-Ukyo
hero member
Activity: 630
Merit: 500
Bitgoblin
Yipes! As someone who has worked in web development for several years, this is SHOCKING.

I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!
+1
legendary
Activity: 1554
Merit: 1009
Websites are not safe for this application. Learn GPG. That is all.

I detect many suppressed lels in this statement.
hero member
Activity: 756
Merit: 522
Websites are not safe for this application. Learn GPG. That is all.
full member
Activity: 238
Merit: 100
So what it sounds like to me, a layperson, is that bitfunder has some shitty code that potentially allows for a fraudulent transfer to happen. 

OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication.  If they had used 2fa, they would still have their shares/coins.  Is that correct?

I'm not saying bitfunder shouldn't have to revamp that code.  In fact, they should fess up to this flaw and as a kind gesture, refund the coins.  But isn't this exactly the type of thing 2fa is designed to prevent?  Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you.  (if you read the transcript, this fool didn't even enable it after the loss) 

legendary
Activity: 1022
Merit: 1000
The problem was something like this on a random site you visited:

Code:

    
    
    




Bye bye assets.

Yes, this code will work if you
The problem was something like this on a random site you visited:

Code:

    
    
    





Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?


Quote
Yes, BitFunder's site was is still vulnerable.


If so, how can we protect ourselves?

Enable your 2fa, this code will not work if you enable your 2fa, because once you enabled your 2fa it need the 2fa field with correct value to complete the transfer.
vip
Activity: 1316
Merit: 1043
👻
The easiest way to protect yourself would be using web applications that are coded securely. Now I'm not sure if btct.co uses an anti csrf token (I don't think it does?), but their PIN / 2 FA system makes this attack less useful (an attacker can just use JS to submit ~100 most common PINs)
legendary
Activity: 1554
Merit: 1009
Yipes! As someone who has worked in web development for several years, this is SHOCKING.

I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!
hero member
Activity: 532
Merit: 500
Are you protected if you use BitFunder in a different browser?

Against the easiest ways to attack yes - but I wouldn't recommend thinking of it as 100% safe.
hero member
Activity: 574
Merit: 500
Are you protected if you use BitFunder in a different browser?
legendary
Activity: 1008
Merit: 1007
Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.

With the monumental security flaws demonstrated in this thread, I would personally:

* Get my bitcoins out
* Get out
* Never come back

The person who wrote that code has no business being in business.

Cheers, Paul.
sr. member
Activity: 384
Merit: 250
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Ok, thanks. I always close any open tabs when I log in to exchanges.
You need to log out.

Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.
vip
Activity: 1316
Merit: 1043
👻
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Ok, thanks. I always close any open tabs when I log in to exchanges.
You need to log out.
sr. member
Activity: 384
Merit: 250
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.

Ok, thanks. I always close any open tabs when I log in to exchanges.
hero member
Activity: 728
Merit: 500
The problem was something like this on a random site you visited:

Code:

    
    
    





Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?

Yes.


Quote
Quote
Yes, BitFunder's site was is still vulnerable.


If so, how can we protect ourselves?

Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.
sr. member
Activity: 384
Merit: 250
The problem was something like this on a random site you visited:

Code:

    
    
    





Bye bye assets.

Does this mean that he visited a site with the above code while he was logged in to bitfunder?


Quote
Yes, BitFunder's site was is still vulnerable.


If so, how can we protect ourselves?
vip
Activity: 1316
Merit: 1043
👻
Not through share transfers, but through another method yes. 2FA doesn't help.

Would be fixed if Bitfunder implemented a csrf token.
sr. member
Activity: 771
Merit: 258
Trident Protocol | Simple «buy-hold-earn» system!
Would the account hack described above have occurred if 2 factor auth was used?
vip
Activity: 1316
Merit: 1043
👻
These are serious flaws and need to be fixed on alllll sites
This isn't a 0day that was suddenly discovered. It doesn't need to be fixed on "allll" sites because most sites are not vulnerable in the first place:



Every single function on Inputs.io:

Quote
$("#turnonnotify").click(function(){
   $.post("ajax", {token: $.cookie("token"), action: "changenotify", email: "yes"});
   $(this).fadeOut(250).fadeIn(250).html("Turn off");
});
Pages:
Jump to: