Bitscalper passwords have been leaked

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: caveden on February 16, 2012, 10:03:45 AM

Quote from: rjk on February 15, 2012, 04:49:37 PM

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

SSL wouldn't be of any help. Hashing in the client and authenticating the hash == storing passwords in clear text.

To be honest, it is a little less bad than storing clear passwords because at least a leak wouldn't allow an attacker to screw users who use the same password on different sites. But in what concerns your server, it is the same.

Yes that was my point.

caveden

legendary

Activity: 1106

Merit: 1004

Quote from: rjk on February 15, 2012, 04:49:37 PM

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

SSL wouldn't be of any help. Hashing in the client and authenticating the hash == storing passwords in clear text.

To be honest, it is a little less bad than storing clear passwords because at least a leak wouldn't allow an attacker to screw users who use the same password on different sites. But in what concerns your server, it is the same.

caveden

legendary

Activity: 1106

Merit: 1004

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

Quote from: caveden on February 15, 2012, 09:49:13 AM

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If you're sending the hash to the server for authentication, hashing has no point: if your database leaks, anybody in possession of the leak can authenticate himself as any of your users. Remember the client is in control of whatever he sends to your server. He doesn't need to execute the javascript you send him, he can forge any requests as he pleases.

The whole point of hashing a password instead of storing it in clear text is to prevent issues in case of a database leak. The hashing operation must be done in the server.

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: RaggedMonk on February 15, 2012, 04:34:46 PM

Quote from: caveden on February 15, 2012, 09:49:13 AM

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Uh, no. Maybe, just maybe, if someone was using SSL... which this site wasn't. But "most modern websites"? Utter BS.

RaggedMonk

sr. member

Activity: 308

Merit: 250

Quote from: caveden on February 15, 2012, 09:49:13 AM

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

This is how most modern websites work. You have to hash your password somewhere, so you do it locally in your browser on your machine before transmitting it. Take a deep breath, guys.

If plaintext passwords were stolen, either the attacker modified the code of the website to prevent pre-transmisssion hashing, or passwords were not salted before they were hashed, so the attackers just brute forced a rainbow table.

Wandering Albatross

member

Activity: 70

Merit: 10

Quote from: rjk

Can we please make javascript illegal?

Yes, agree, it's a huge exploit running in every browser. These forums suffered from javascript exploits recently...maybe you knew that already.

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: Matthew N. Wright on February 15, 2012, 09:56:56 AM

Quote from: caveden on February 15, 2012, 09:49:13 AM

Quote from: Nachtwind on February 15, 2012, 07:55:26 AM

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

+2

Can we please make javascript illegal? Thanks.

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

Quote from: caveden on February 15, 2012, 09:49:13 AM

Quote from: Nachtwind on February 15, 2012, 07:55:26 AM

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

+2

caveden

legendary

Activity: 1106

Merit: 1004

Quote from: Nachtwind on February 15, 2012, 07:55:26 AM

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..

I'm not disputing that. But it seems the exploit allowed the retrieval of clear text passwords. If they are not stored in clear text, how would that be possible?

But wait, you're saying that there's a javascript performing the hash on the client? That's pretty much the equivalent of storing them as clear text.

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: bitscalper on February 15, 2012, 07:37:49 AM

Because of personal freedom concerns, management of bitscalper was forced to leave the site alone for the last ten days. We did just notice the security breach and we do apologize about any issue that this might cause. We want to clarify that we did not store any password in plain text, rather the server was compromised to add a textual password column to the database, supposedly for the hacker to get all the user's passwords.
We did store all the passwords in MD5, while we acknowledge that it is not the state of the art, it still works for decently choosen passwords. We will be posting any update/finding on here. Thanks and apologizes for delaying intervention.

The security vulnerability I used still exists. Read the email I sent to [email protected].

Nachtwind

hero member

Activity: 700

Merit: 507

Quote from: caveden on February 15, 2012, 07:53:45 AM

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Well.. if you had a look at the javascript of bitscalper you would have spotted theyre actually using md5 hashed passwords.. so i guess he is not lieing about that..
Looking at the list of withdrawals: Any word to those.. i guess 70 or 80 people who try to cash out? Will they get their BTC back?

caveden

legendary

Activity: 1106

Merit: 1004

What you're saying doesn't make much sense to me.

If the passwords were hashed (even unsalted MD5), how could an attacker create a clear text column with everybody's password? At most he would get some through rainbow tables, but not all.

Unless the attacker actually manage to inject code into your server. That would be a more serious flaw, not just a password leak. And still, he would only be able to get the clear version of each password after everybody logs in.

Nachtwind

hero member

Activity: 700

Merit: 507

umm.. md5 is not just not State of the Art - md5 is just as good as plaintext for almost every password with a length of less than maybe a quadrillion characters..

bitscalper

member

Activity: 70

Merit: 10

Because of personal freedom concerns, management of bitscalper was forced to leave the site alone for the last ten days. We did just notice the security breach and we do apologize about any issue that this might cause. We want to clarify that we did not store any password in plain text, rather the server was compromised to add a textual password column to the database, supposedly for the hacker to get all the user's passwords.
We did store all the passwords in MD5, while we acknowledge that it is not the state of the art, it still works for decently choosen passwords. We will be posting any update/finding on here. Thanks and apologizes for delaying intervention.

marked

full member

Activity: 168

Merit: 100

Clearly there was no validation on input on the sql statements.

I'm currently seeing password in cleartext on an error page, across a non-encrypted link.

Error 1054 : Unknown column 'readable' in 'field list' SQL = [UPDATE spyuser SET readable ='PASSWORD' WHERE email = '[email protected]'] Array ( => Array ( [file] => /var/www/p/app/database.php [line] => 19 [function] => db_report_error [args] => Array ( => UPDATE spyuser SET readable ='PASSWORD' WHERE email = '[email protected]' ) ) [1] => Array ( [file] => /var/www/p/app/index.php [line] => 14 [function] => db_query [args] => Array ( => UPDATE spyuser SET readable ='PASSWORD' WHERE email = '[email protected]' ) ) ) [/tt]

toffoo

sr. member

Activity: 408

Merit: 261

So what's the story here, has anybody been able to pull any deposits out since this news hit or are the coins officially gone?

cablepair

hero member

Activity: 896

Merit: 1000

Buy this account on March-2019. New Owner here!!

Quote from: Raoul Duke on February 14, 2012, 09:15:08 AM

Quote from: splatster on February 14, 2012, 04:11:32 AM

The fact that they didn't have SSL says even more about their [il]legitimacy.

Yes, because only legitimate persons can get a free SSL cert at startcom. Roll Eyes

lol

not to mention anyone with a linux box can install openssl and generate their own cert, it really means nothing unless its a cert from a reputable certification agency

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: splatster on February 14, 2012, 04:11:32 AM

The fact that they didn't have SSL says even more about their [il]legitimacy.

Yes, because only legitimate persons can get a free SSL cert at startcom. Roll Eyes

splatster

full member

Activity: 176

Merit: 100

The fact that they didn't have SSL says even more about their [il]legitimacy.
I'm glad I didn't fall victim to this.

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

I guess it wouldn't surprise anyone here to know that when KalyHost went down over that one weekend a few weeks back, the reason BitScalper was freaking out is because if he never bothered to backup the wallets OR his site's code.

markio

newbie

Activity: 38

Merit: 0

Theymos is the Hero of Winterfell...

jothan

full member

Activity: 184

Merit: 100

Feel the coffee, be the coffee.

Quote from: mb300sd on February 13, 2012, 09:35:55 PM

Quote from: rjk on February 13, 2012, 09:30:05 PM

Quote from: jothan on February 13, 2012, 09:21:51 PM

No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.

Too true

It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle its still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.

End-to-end encryption and security is the way to go, but it needs user involvement and education.

For passwords, something like SRP over HTTPS would be just about bulletproof, except for the untrustable javascript crypto implementation.

See http://www.matasano.com/articles/javascript-cryptography/ for a full discussion of javascript cryptography.

mb300sd

legendary

Activity: 1260

Merit: 1000

Drunk Posts

Quote from: rjk on February 13, 2012, 09:30:05 PM

Quote from: jothan on February 13, 2012, 09:21:51 PM

No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.

Too true

It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle its still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: jothan on February 13, 2012, 09:21:51 PM

No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.

Too true

It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle its still unencrypted.

jothan

full member

Activity: 184

Merit: 100

Feel the coffee, be the coffee.

Quote from: rjk on February 13, 2012, 09:18:56 PM

Quote from: jothan on February 13, 2012, 09:14:23 PM

Here is what I posted when I checked out Bitscalper a little while ago.

Quote from: jothan on January 12, 2012, 05:51:52 PM

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !

Why, do you use the same password for everything? Tongue

No, I use a password manager for everything valuable.

No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: jothan on February 13, 2012, 09:14:23 PM

Here is what I posted when I checked out Bitscalper a little while ago.

Quote from: jothan on January 12, 2012, 05:51:52 PM

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !

Why, do you use the same password for everything? Tongue

jothan

full member

Activity: 184

Merit: 100

Feel the coffee, be the coffee.

Here is what I posted when I checked out Bitscalper a little while ago.

Quote from: jothan on January 12, 2012, 05:51:52 PM

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: theymos on February 13, 2012, 07:29:38 PM

Quote from: Raoul Duke on February 13, 2012, 07:02:57 PM

Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
http://i.imgur.com/l92H3.png

And btc-e was also compromised https://bitcointalksearch.org/topic/m.747080

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: Raoul Duke on February 13, 2012, 07:02:57 PM

Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
http://i.imgur.com/l92H3.png

Raoul Duke

legendary

Activity: 1358

Merit: 1002

I call bullshit on this one...

Theymos, have you seen the leaked logins or are you just spreading FUD?

PS: I have no bitcoin on bitscalper, but I made an account there and got some profits out a while back.

Littleshop

legendary

Activity: 1386

Merit: 1004

Quote from: M4v3R on February 13, 2012, 05:13:02 PM

Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password?

Wow. Glad it was unique. It says years so I guess it was not too bad. Thanks, good link

M4v3R

hero member

Activity: 607

Merit: 500

Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password?

Littleshop

legendary

Activity: 1386

Merit: 1004

Quote from: M4v3R on February 13, 2012, 05:04:31 PM

Quote from: alan2here on February 13, 2012, 04:26:46 PM

Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.

While I have changed my password, had a unique one for that site and withdrew (though it has not arrived), how well would a 11 char password hold up?

M4v3R

hero member

Activity: 607

Merit: 500

Quote from: alan2here on February 13, 2012, 04:26:46 PM

Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.

alan2here

hero member

Activity: 1778

Merit: 504

WorkAsPro

Didn't gox have a similar thing occur once?

splatster

full member

Activity: 176

Merit: 100

People should have seen this comming.
By now, the coins are probably already gone.

Matoking

sr. member

Activity: 352

Merit: 250

Firstbits: 1m8xa

Plaintext passwords? Seriously?

Ente

legendary

Activity: 2126

Merit: 1001

Being paranoid: Please trust (your local) keepass (keepassx in linux) instead of a website.. We just saw what you may get in trusting an external entity ;-)

Ente

vampire

hero member

Activity: 574

Merit: 500

I use separate password for everything, thanks to last pass. I am a bit paranoid, so my main banking account has its own password that I don't store anywhere and a RSA key that is locked in a safe.

Use last pass or similar website to manage your passwords.

cablepair

hero member

Activity: 896

Merit: 1000

Buy this account on March-2019. New Owner here!!

damn, I knew this was too good to be true. This is the reason I only deposited 5 btc

(grew to 5.3532907242433 within a couple weeks)

Luckily I have been using separate passwords on every single site since MTGox got hacked back in june.

film2240

legendary

Activity: 1022

Merit: 1000

Freelance videographer

Thanks for the heads up Theymos.

BombaUcigasa

legendary

Activity: 1442

Merit: 1005

Quote from: copumpkin on February 13, 2012, 12:24:32 AM

It's quite amazing how this community seems to attract the worst security practices.

Your expectations of people that believe they understand mathematics, economics and computing at the same time, are too high. Because few of these people exist.

Cluster2k

legendary

Activity: 1692

Merit: 1018

Plain text passwords? Words escape me how incompetent someone could be to even think of allowing that. It's an unforgivable error.

finway

hero member

Activity: 714

Merit: 500

Sorry to hear that.

P4man

hero member

Activity: 518

Merit: 500

Quote from: Jonathan Ryan Owens on February 13, 2012, 03:23:11 AM

He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin

Really? Why? It wouldnt be to me. In fact it wouldnt be worth 5BTC to me.
The knowledge that I didnt scam people and helped avoid them get scammed would be worth a lot more to me, but the "hero" status on this board.. nop.

caveden

legendary

Activity: 1106

Merit: 1004

Quote from: copumpkin on February 13, 2012, 12:24:32 AM

It's quite amazing how this community seems to attract the worst security practices.

I'd say that unfortunately many software developers in general do not follow important security practices. The main difference with this community is that there is a considerable amount of people capable of exploiting such vulnerabilities. And, well, most of the time there's money involved, not only ordinary data.

Congratulations for both chsx3 and theymos for the honest behavior.

Jonathan Ryan Owens

donator

Activity: 392

Merit: 252

Quote from: Ente on February 13, 2012, 02:11:28 AM

Quote from: theymos on February 13, 2012, 12:20:31 AM

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

Quote from: theymos on February 13, 2012, 12:20:31 AM

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente

Most people are honest in situations like that. It's also penny wise and pound stupid to take the Bitcoin. He gets to be the one that exposed BitScalper vulnerability, and is now a hero. That's worth more than a few thousand bitcoin (assuming that there are even a few thousand bitcoin at BitScalper).

Ente

legendary

Activity: 2126

Merit: 1001

Quote from: theymos on February 13, 2012, 12:20:31 AM

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

You have my deepest respect, chsx3. Many people say (or believe) they are ethically integer. Just until they get the chance to prove it..
Hats off to you, chsx3, thank you for being a positive example in a largely rotten world.

Quote from: theymos on February 13, 2012, 12:20:31 AM

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed.

No surprises from BS's side, though.

Ente

terrytibbs

hero member

Activity: 560

Merit: 501

Quote from: theymos on February 13, 2012, 12:20:31 AM

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

Damn!

deepceleron

legendary

Activity: 1512

Merit: 1036

"Bug reports are welcome at [email protected]. Thank you for your cooperation."

Clearly the site op has come back from the future, and knows this isn't a problem:
© 2012/2013 bitscalper.com

someguy123

sr. member

Activity: 336

Merit: 254

CEO of Privex Inc. (www.privex.io)

Don't care that much..
Withdrew my 0.5BTC when I started to realize I wasn't really making much
Plus I use keepass... so a nice 32 character password in there that can't be used for anything else. Bad luck for anyone who tried to use my password from it

Snapman

sr. member

Activity: 291

Merit: 250

BTCRadio Owner

I saw this coming from far off. Except for the part on honesty, thanks.

splatster

full member

Activity: 176

Merit: 100

Quote from: copumpkin on February 13, 2012, 12:34:20 AM

Quote from: splatster on February 13, 2012, 12:28:20 AM

Code:

md5($password + "mysupercoolsalt")

There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? Wink

Better yet, how could you give away everyone's money to anyone with a computer?

copumpkin

donator

Activity: 266

Merit: 252

I'm actually a pineapple

Quote from: splatster on February 13, 2012, 12:28:20 AM

Code:

md5($password + "mysupercoolsalt")

There, I just took one simple step that could have gone a long way.

But then how would you include the user's password in the email you send them when they forget it? Wink

GeniuSxBoY

hero member

Activity: 616

Merit: 500

hax0rs gonna hax

splatster

full member

Activity: 176

Merit: 100

Code:

md5($password + "mysupercoolsalt")

There, I just took one simple step that could have gone a long way.

Kluge

donator

Activity: 1218

Merit: 1015

And now, I assume the stampede of traffic is preventing website access, meaning Bitscalper admin could probably make off with everything left, anyway - not that withdrawals usually work... Hope nobody had a substantial amount left there. :x

ETA: was able to get through to site. Extremely sluggish, but can still get to account page. Small withdrawal request still "processing" from 2/9. ETA2: Wow, it was actually processed. Huh.

Sysrq

member

Activity: 66

Merit: 10

Wow ! What a nice, well run site !

Theymos, thank you for the info.

copumpkin

donator

Activity: 266

Merit: 252

I'm actually a pineapple

It's quite amazing how this community seems to attract the worst security practices.

theymos

administrator

Activity: 5222

Merit: 13032

I have received and confirmed a report from chsx3 that a security flaw exists in the bitscalper.com website allowing all username/password combinations to be retrieved in plaintext. Passwords are not hashed. While it is not known for sure that an attacker has discovered the flaw, you should assume that the list is public.

Anyone with a bitscalper account should immediately:
- Withdraw all funds. No one should trust bitscalper.com after a security flaw of this sort, and I wouldn't be surprised if they run away with everyone's money once this gets out.
- Change your password on any site where you've used the same password as bitscalper.com.

Because I do not consider Bitscalper to be reputable, I've decided to announce the existence of this flaw publicly before sending the technical details to bitscalper. Otherwise I fear that he may run away with everyone's money instead of alerting his users and losing trust.

Hats off to chsx3 for not abusing this. He could have easily stolen thousands of bitcoins from Bitscalper users.

Topic: Bitscalper passwords have been leaked (Read 7619 times)