Bitscalper passwords have been leaked

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: caveden on February 16, 2012, 10:03:45 AM

Quote from: rjk on February 15, 2012, 04:49:37 PM

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

SSL wouldn't be of any help. Hashing in the client and authenticating the hash == storing passwords in clear text.

To be honest, it is a little less bad than storing clear passwords because at least a leak wouldn't allow an attacker to screw users who use the same password on different sites. But in what concerns your server, it is the same.

Yes that was my point.

caveden

legendary

Activity: 1106

Merit: 1004

Quote from: rjk on February 15, 2012, 04:49:37 PM

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

SSL wouldn't be of any help. Hashing in the client and authenticating the hash == storing passwords in clear text.

To be honest, it is a little less bad than storing clear passwords because at least a leak wouldn't allow an attacker to screw users who use the same password on different sites. But in what concerns your server, it is the same.

caveden

legendary

Activity: 1106

Merit: 1004

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

Quote from: caveden on February 15, 2012, 09:49:13 AM

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If you're sending the hash to the server for authentication, hashing has no point: if your database leaks, anybody in possession of the leak can authenticate himself as any of your users. Remember the client is in control of whatever he sends to your server. He doesn't need to execute the javascript you send him, he can forge any requests as he pleases.

The whole point of hashing a password instead of storing it in clear text is to prevent issues in case of a database leak. The hashing operation must be done in the server.

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

Quote from: caveden on February 15, 2012, 09:49:13 AM

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

RaggedMonk

sr. member

Activity: 308

Merit: 250

Quote from: caveden on February 15, 2012, 09:49:13 AM

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Wandering Albatross

member

Activity: 70

Merit: 10

Quote from: rjk

Can we please make javascript illegal?

Yes, agree, it's a huge exploit running in every browser. These forums suffered from javascript exploits recently...maybe you knew that already.

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: Matthew N. Wright on February 15, 2012, 09:56:56 AM

Quote from: caveden on February 15, 2012, 09:49:13 AM

Quote from: Nachtwind on February 15, 2012, 07:55:26 AM

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

+2

Can we please make javascript illegal? Thanks.

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

Quote from: caveden on February 15, 2012, 09:49:13 AM

Quote from: Nachtwind on February 15, 2012, 07:55:26 AM

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

+2

caveden

legendary

Activity: 1106

Merit: 1004

Quote from: Nachtwind on February 15, 2012, 07:55:26 AM

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: bitscalper on February 15, 2012, 07:37:49 AM

Because of personal freedom concerns, management of bitscalper was forced to leave the site alone for the last ten days. We did just notice the security breach and we do apologize about any issue that this might cause. We want to clarify that we did not store any password in plain text, rather the server was compromised to add a textual password column to the database, supposedly for the hacker to get all the user's passwords.
We did store all the passwords in MD5, while we acknowledge that it is not the state of the art, it still works for decently choosen passwords. We will be posting any update/finding on here. Thanks and apologizes for delaying intervention.

The security vulnerability I used still exists. Read the email I sent to [email protected].

Nachtwind

hero member

Activity: 700

Merit: 507

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..
Looking at the list of withdrawals: Any word to those.. i guess 70 or 80 people who try to cash out? Will they get their BTC back?

caveden

legendary

Activity: 1106

Merit: 1004

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Nachtwind

hero member

Activity: 700

Merit: 507

umm.. md5 is not just not State of the Art - md5 is just as good as plaintext for almost every password with a length of less than maybe a quadrillion characters..

bitscalper

member

Activity: 70

Merit: 10

Because of personal freedom concerns, management of bitscalper was forced to leave the site alone for the last ten days. We did just notice the security breach and we do apologize about any issue that this might cause. We want to clarify that we did not store any password in plain text, rather the server was compromised to add a textual password column to the database, supposedly for the hacker to get all the user's passwords.
We did store all the passwords in MD5, while we acknowledge that it is not the state of the art, it still works for decently choosen passwords. We will be posting any update/finding on here. Thanks and apologizes for delaying intervention.

marked

full member

Activity: 168

Merit: 100

Clearly there was no validation on input on the sql statements.

I'm currently seeing password in cleartext on an error page, across a non-encrypted link.

Error 1054 : Unknown column 'readable' in 'field list' SQL = [UPDATE spyuser SET readable ='PASSWORD' WHERE email = '[email protected]'] Array ( => Array ( [file] => /var/www/p/app/database.php [line] => 19 [function] => db_report_error [args] => Array ( => UPDATE spyuser SET readable ='PASSWORD' WHERE email = '[email protected]' ) ) [1] => Array ( [file] => /var/www/p/app/index.php [line] => 14 [function] => db_query [args] => Array ( => UPDATE spyuser SET readable ='PASSWORD' WHERE email = '[email protected]' ) ) ) [/tt]

toffoo

sr. member

Activity: 408

Merit: 261

So what's the story here, has anybody been able to pull any deposits out since this news hit or are the coins officially gone?

cablepair

hero member

Activity: 896

Merit: 1000

Buy this account on March-2019. New Owner here!!

Quote from: Raoul Duke on February 14, 2012, 09:15:08 AM

Quote from: splatster on February 14, 2012, 04:11:32 AM

The fact that they didn't have SSL says even more about their [il]legitimacy.

Yes, because only legitimate persons can get a free SSL cert at startcom. Roll Eyes

lol

not to mention anyone with a linux box can install openssl and generate their own cert, it really means nothing unless its a cert from a reputable certification agency

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: splatster on February 14, 2012, 04:11:32 AM

The fact that they didn't have SSL says even more about their [il]legitimacy.

Yes, because only legitimate persons can get a free SSL cert at startcom. Roll Eyes

splatster

full member

Activity: 176

Merit: 100

The fact that they didn't have SSL says even more about their [il]legitimacy.
I'm glad I didn't fall victim to this.

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

I guess it wouldn't surprise anyone here to know that when KalyHost went down over that one weekend a few weeks back, the reason BitScalper was freaking out is because if he never bothered to backup the wallets OR his site's code.

Topic: Bitscalper passwords have been leaked (Read 7607 times)