(if you read the transcript, this fool didn't even enable it after the loss)
Is he a fool? His account was cleaned out.
Quote
Very much agreed.
What are you agreeing too Ukyo? A refund to the op?
Topic: BitFunder.com has been hacked and IT IS BitFunder's fault - page 2. (Read 30123 times)
Is he a fool? His account was cleaned out.
What are you agreeing too Ukyo? A refund to the op?
So what it sounds like to me, a layperson, is that bitfunder has some shitty code that potentially allows for a fraudulent transfer to happen.
OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication. If they had used 2fa, they would still have their shares/coins. Is that correct?
I'm not saying bitfunder shouldn't have to revamp that code. In fact, they should fess up to this flaw and as a kind gesture, refund the coins. But isn't this exactly the type of thing 2fa is designed to prevent? Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you. (if you read the transcript, this fool didn't even enable it after the loss)
OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication. If they had used 2fa, they would still have their shares/coins. Is that correct?
I'm not saying bitfunder shouldn't have to revamp that code. In fact, they should fess up to this flaw and as a kind gesture, refund the coins. But isn't this exactly the type of thing 2fa is designed to prevent? Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you. (if you read the transcript, this fool didn't even enable it after the loss)
Very much agreed.
Now that BitFunder and WeExchange is finally getting support staff team to help offload tickets and other requests, I am now able to spend more time focusing on operations including the legalization of BitFunder, and hiring additional developers and even multi-lingual support staff.
We have already began conducting a full code review and started on a backend systems redesign with lots of new features and most importantly, security in mind.
-Ukyo
Yipes! As someone who has worked in web development for several years, this is SHOCKING.
I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!
+1I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!
Websites are not safe for this application. Learn GPG. That is all.
I detect many suppressed lels in this statement.
Websites are not safe for this application. Learn GPG. That is all.
So what it sounds like to me, a layperson, is that bitfunder has some shitty code that potentially allows for a fraudulent transfer to happen.
OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication. If they had used 2fa, they would still have their shares/coins. Is that correct?
I'm not saying bitfunder shouldn't have to revamp that code. In fact, they should fess up to this flaw and as a kind gesture, refund the coins. But isn't this exactly the type of thing 2fa is designed to prevent? Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you. (if you read the transcript, this fool didn't even enable it after the loss)
OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use 2 factor authentication. If they had used 2fa, they would still have their shares/coins. Is that correct?
I'm not saying bitfunder shouldn't have to revamp that code. In fact, they should fess up to this flaw and as a kind gesture, refund the coins. But isn't this exactly the type of thing 2fa is designed to prevent? Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you. (if you read the transcript, this fool didn't even enable it after the loss)
The problem was something like this on a random site you visited:
Bye bye assets.
Code:
Bye bye assets.
Yes, this code will work if you
The problem was something like this on a random site you visited:
Bye bye assets.
Code:
Bye bye assets.
Does this mean that he visited a site with the above code while he was logged in to bitfunder?
Quote
Yes, BitFunder's site was is still vulnerable.
If so, how can we protect ourselves?
Enable your 2fa, this code will not work if you enable your 2fa, because once you enabled your 2fa it need the 2fa field with correct value to complete the transfer.
The easiest way to protect yourself would be using web applications that are coded securely. Now I'm not sure if btct.co uses an anti csrf token (I don't think it does?), but their PIN / 2 FA system makes this attack less useful (an attacker can just use JS to submit ~100 most common PINs)
Yipes! As someone who has worked in web development for several years, this is SHOCKING.
I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!
I created an account a while ago, but never deposited any BTC because I didn't want to use WeExchange. Now I'm glad that I never!
Are you protected if you use BitFunder in a different browser?
Against the easiest ways to attack yes - but I wouldn't recommend thinking of it as 100% safe.
Are you protected if you use BitFunder in a different browser?
Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.
With the monumental security flaws demonstrated in this thread, I would personally:
* Get my bitcoins out
* Get out
* Never come back
The person who wrote that code has no business being in business.
Cheers, Paul.
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.
Ok, thanks. I always close any open tabs when I log in to exchanges.
Yes, I do that. I close any tabs I have open, log in to bitfunder, log out after I'm done and then open any other sites I want to visit.
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.
Ok, thanks. I always close any open tabs when I log in to exchanges.
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.
Ok, thanks. I always close any open tabs when I log in to exchanges.
The problem was something like this on a random site you visited:
Bye bye assets.
Code:
Bye bye assets.
Does this mean that he visited a site with the above code while he was logged in to bitfunder?
Yes.
Quote
Quote
Yes, BitFunder's site was is still vulnerable.
If so, how can we protect ourselves?
Unless you use a site that has protected itself from these type of attacks (like TradeFortress described), log out of the exchange website after you're done. Or use a different browser / virtual machine for the exchange website.
The problem was something like this on a random site you visited:
Bye bye assets.
Code:
Bye bye assets.
Does this mean that he visited a site with the above code while he was logged in to bitfunder?
Quote
Yes, BitFunder's site was is still vulnerable.
If so, how can we protect ourselves?
Not through share transfers, but through another method yes. 2FA doesn't help.
Would be fixed if Bitfunder implemented a csrf token.
Would be fixed if Bitfunder implemented a csrf token.
Would the account hack described above have occurred if 2 factor auth was used?
These are serious flaws and need to be fixed on alllll sites
This isn't a 0day that was suddenly discovered. It doesn't need to be fixed on "allll" sites because most sites are not vulnerable in the first place:
Every single function on Inputs.io:
Quote
$("#turnonnotify").click(function(){
$.post("ajax", {token: $.cookie("token"), action: "changenotify", email: "yes"});
$(this).fadeOut(250).fadeIn(250).html("Turn off");
});
$.post("ajax", {token: $.cookie("token"), action: "changenotify", email: "yes"});
$(this).fadeOut(250).fadeIn(250).html("Turn off");
});
Jump to: