Topic: Bitscalper passwords have been leaked - page 3. (Read 7575 times)
Thanks for the heads up Theymos.
It's quite amazing how this community seems to attract the worst security practices.
Your expectations of people that believe they understand mathematics, economics and computing at the same time, are too high. Because few of these people exist. 
Plain text passwords? Words escape me how incompetent someone could be to even think of allowing that. It's an unforgivable error.
Sorry to hear that.
He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin
Really? Why? It wouldnt be to me. In fact it wouldnt be worth 5BTC to me.
The knowledge that I didnt scam people and helped avoid them get scammed would be worth a lot more to me, but the "hero" status on this board.. nop.
It's quite amazing how this community seems to attract the worst security practices.
I'd say that unfortunately many software developers in general do not follow important security practices. The main difference with this community is that there is a considerable amount of people capable of exploiting such vulnerabilities. And, well, most of the time there's money involved, not only ordinary data.
Congratulations for both chsx3 and theymos for the honest behavior.
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.
I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.
No surprises from BS's side, though.
Ente
Most people are honest in situations like that. It's also penny wise and pound stupid to take the Bitcoin. He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin (assuming that there are even a few thousand bitcoin at BitScalper).
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.
I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.
No surprises from BS's side, though.
Ente
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Damn! 
"Bug reports are welcome at [email protected]. Thank you for your cooperation."
Clearly the site op has come back from the future, and knows this isn't a problem:
© 2012/2013 bitscalper.com
Clearly the site op has come back from the future, and knows this isn't a problem:
© 2012/2013 bitscalper.com
Don't care that much..
Withdrew my 0.5BTC when I started to realize I wasn't really making much
Plus I use keepass... so a nice 32 character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it
Withdrew my 0.5BTC when I started to realize I wasn't really making much
Plus I use keepass... so a nice 32 character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it
I saw this coming from far off. Except for the part on honesty, thanks.
Code:
md5($password + "mysupercoolsalt")
But then how would you include the user's password in the email you send them when they forget it?
Better yet, how could you give away everyone's money to anyone with a computer?
Code:
md5($password + "mysupercoolsalt")
But then how would you include the user's password in the email you send them when they forget it?
hax0rs gonna hax
Code:
md5($password + "mysupercoolsalt")
And now, I assume the stampede of traffic is preventing website access, meaning Bitscalper admin could probably make off with everything left, anyway - not that withdrawals usually work... Hope nobody had a substantial amount left there. :x
ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.
ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.
Wow ! What a nice, well run site !
Theymos, thank you for the info.
Theymos, thank you for the info.
It's quite amazing how this community seems to attract the worst security practices.
I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed. While it is not known for sure that an attacker has discovered the flaw, you should assume that the list is public.
Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.
Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.
Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Jump to: