Pages:
Author

Topic: Bitscalper passwords have been leaked - page 3. (Read 7607 times)

legendary
Activity: 1022
Merit: 1000
Freelance videographer
February 13, 2012, 06:07:54 AM
#20
Thanks for the heads up Theymos.
legendary
Activity: 1442
Merit: 1005
February 13, 2012, 05:24:52 AM
#19
It's quite amazing how this community seems to attract the worst security practices.
Your expectations of people that believe they understand mathematics, economics and computing at the same time, are too high. Because few of these people exist.
legendary
Activity: 1692
Merit: 1018
February 13, 2012, 04:44:13 AM
#18
Plain text passwords?  Words escape me how incompetent someone could be to even think of allowing that.  It's an unforgivable error.
hero member
Activity: 714
Merit: 500
February 13, 2012, 03:54:08 AM
#17
Sorry to hear that.
hero member
Activity: 518
Merit: 500
February 13, 2012, 03:37:14 AM
#16
He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin

Really? Why? It wouldnt be to me. In fact it wouldnt be worth 5BTC to me.
The knowledge that I didnt scam people and helped avoid them get scammed would be worth a lot more to me, but the "hero" status on this board.. nop.
legendary
Activity: 1106
Merit: 1004
February 13, 2012, 03:27:44 AM
#15
It's quite amazing how this community seems to attract the worst security practices.

I'd say that unfortunately many software developers in general do not follow important security practices. The main difference with this community is that there is a considerable amount of people capable of exploiting such vulnerabilities. And, well, most of the time there's money involved, not only ordinary data.

Congratulations for both chsx3 and theymos for the honest behavior.
donator
Activity: 392
Merit: 252
February 13, 2012, 03:23:11 AM
#14
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente

Most people are honest in situations like that. It's also penny wise and pound stupid to take the Bitcoin. He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin (assuming that there are even a few thousand bitcoin at BitScalper).
 
legendary
Activity: 2126
Merit: 1001
February 13, 2012, 02:11:28 AM
#13
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente
hero member
Activity: 560
Merit: 501
February 13, 2012, 01:31:43 AM
#12
Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Damn!
legendary
Activity: 1512
Merit: 1036
February 13, 2012, 01:27:47 AM
#11
"Bug reports are welcome at [email protected]. Thank you for your cooperation."

Clearly the site op has come back from the future, and knows this isn't a problem:
© 2012/2013 bitscalper.com
sr. member
Activity: 336
Merit: 254
CEO of Privex Inc. (www.privex.io)
February 13, 2012, 01:17:11 AM
#10
Don't care that much..
Withdrew my 0.5BTC when I started to realize I wasn't really making much
Plus I use keepass... so a nice 32 character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it Smiley
sr. member
Activity: 291
Merit: 250
BTCRadio Owner
February 13, 2012, 12:59:21 AM
#9
I saw this coming from far off. Except for the part on honesty, thanks.
full member
Activity: 176
Merit: 100
February 13, 2012, 12:38:08 AM
#8
Code:
md5($password + "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? Wink

Better yet, how could you give away everyone's money to anyone with a computer?
donator
Activity: 266
Merit: 252
I'm actually a pineapple
February 13, 2012, 12:34:20 AM
#7
Code:
md5($password + "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? Wink
hero member
Activity: 616
Merit: 500
February 13, 2012, 12:33:51 AM
#6
hax0rs gonna hax
full member
Activity: 176
Merit: 100
February 13, 2012, 12:28:20 AM
#5
Code:
md5($password + "mysupercoolsalt")
There, I just took one simple step that could have gone a long way.
donator
Activity: 1218
Merit: 1015
February 13, 2012, 12:26:56 AM
#4
And now, I assume the stampede of traffic is preventing website access, meaning Bitscalper admin could probably make off with everything left, anyway - not that withdrawals usually work... Hope nobody had a substantial amount left there. :x

ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.
member
Activity: 66
Merit: 10
February 13, 2012, 12:26:43 AM
#3
Wow ! What a nice, well run site !

Theymos, thank you for the info.
donator
Activity: 266
Merit: 252
I'm actually a pineapple
February 13, 2012, 12:24:32 AM
#2
It's quite amazing how this community seems to attract the worst security practices.
administrator
Activity: 5222
Merit: 13032
February 13, 2012, 12:20:31 AM
#1
I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed. While it is not known for sure that an attacker has discovered the flaw, you should assume that the list is public.

Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.

Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.
Pages:
Jump to: