Author

Topic: Bter does not force https. Your password might get stolen. (Read 323 times)

member
Activity: 61
Merit: 10
http://www.reddit.com/r/Bitcoin/comments/22tbrv/bter_does_not_force_https_your_password_might_be/

Every exchange forces you to use https. If for instance you connect to http://www.bitstamp.net/, you'll immediately get redirected to encrypted https://www.bitstamp.net/.
Every exchange except Bter. If you connect through http://bter.com and login, your username, password and cookies will go through internet unencrypted. I checked that with Wireshark.
Mail was sent to support. Since fix is about 5 lines in apache.conf, they should be able to fix it quickly.

Please share: If you have ever used Bter, consider your passwords compromised, and change them asap using https version of their website, in case someone intercepted your password or cookies. You might've sent your passwords in plaintext through internet like I did.

Even if you're using 2FA it doesn't save your cookies from being intercepted. So MITM is still able to login "beside you".
I think that this is critical, should be fixed asap, and all users should get e-mail from staff instructing them to change their password.
Jump to: