Topic: [Full Disclosure] ClearCoin CSRFs - page 2. (Read 8696 times)

sr. member
Activity: 504
Merit: 252
Elder Crypto God
June 19, 2011, 09:16:32 PM
#10
this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.

this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.

I take offense at lumping all of us libertarians together as if we are the problem. Please look over my post history and you will see that I simply don't engage in personal attacks or abusive behavior in general, even when viciously insulted. The people that are decrying anything that could devalue BTC are the people that are just into Bitcoin to make a few quick bucks. I'm in it for the long haul because I value economic freedom as a libertarian. I'd rather see the currency stabilize than make money. I have a source of income. I don't need to speculate. I also welcome disclosure of vulnerabilities because it puts pressure on administrators to fix the problem as well as notifies the community that they should think twice about trusting the keys to the kingdom without considering risk. Please rethink your opinion on libertarians because even when the speculators are long gone, we will still be here wanting to use this currency.
unk
member
Activity: 84
Merit: 10
June 19, 2011, 09:03:32 PM
#9
this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.

this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.
member
Activity: 70
Merit: 10
June 19, 2011, 08:56:32 PM
#8
Who trusts Gavin anyway?

Well... the FBI? (conference) ;)

hero member
Activity: 630
Merit: 500
June 19, 2011, 08:55:25 PM
#7
You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++ :)

Hahah, never has a truer word been spoken!
newbie
Activity: 56
Merit: 0
June 19, 2011, 08:05:34 PM
#6
Great job guys
newbie
Activity: 67
Merit: 0
June 19, 2011, 06:43:15 PM
#5
Yes, don't trust me, please.  I am human and will make mistakes.

The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack.


Thank you for your timely response and correction of the issue.
hero member
Activity: 558
Merit: 500
June 19, 2011, 06:40:52 PM
#4
You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++ :)
legendary
Activity: 1652
Merit: 2216
Chief Scientist
June 19, 2011, 06:36:13 PM
#3
Yes, don't trust me, please.  I am human and will make mistakes.

The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack.
newbie
Activity: 28
Merit: 0
June 19, 2011, 06:33:25 PM
#2
Who trusts Gavin anyway?
newbie
Activity: 67
Merit: 0
June 19, 2011, 06:26:45 PM
#1
Code:
From: Doug Huff
Content-Type: multipart/signed; protocol="application/pgp-signature";
micalg=pgp-sha1; boundary="Apple-Mail-2--499212877"
X-Smtp-Server: smtp.gmail.com:[email protected]
Subject: Bitcoin fun day!
Date: Sun, 19 Jun 2011 16:54:28 -0500
X-Universally-Unique-Identifier: 52968483-4027-4d0b-9145-dc72230ee50c
Message-Id: <[email protected]>
Cc: Bitcoin Dev
To: [email protected]
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Transfer-Encoding: 7bit
X-Pgp-Agent: GPGMail 1.3.3

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

In light of recent events in the "bitcoin community" I have decided that private disclosure of issues is doing nothing but making them more prevalent.

In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com .

This set of CSRFs is particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF.

Things tested:
  Changing refund address.
  Releasing funds.

POC code (open this in any browser even from a local file):
==========
test

<form action="https://clearcoin.appspot.com/set_refund_address" method="POST">

      <input size="60" value="PUT ANY ADDRESS HERE"
             class="text ui-widget-content ui-corner-all" autofocus required placeholder="refund bitcoin address"/> (required)

</form>
==========

Javascript auto submittal, hiding in an iframe, and other obfuscation methods are left as an exercise to the list.

This site is run and maintained by Gavin Anderson, aka, the lead bitcoin maintainer.

You should know better Gavin.

-- 
Douglas Huff

http://sourceforge.net/mailarchive/forum.php?thread_name=2B2201C1-E59F-47D4-BF67-08FDB0DDE386%40jrbobdobbs.org&forum_name=bitcoin-development

Sorry Gavin.

(Gavin has already pulled clearcoin offline to address the issue.)

Edit: Adding f-d link for posterity.
http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081574.html
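Added example, not ClearCoin's code or any poster's: a minimal server-side handler for a form like the report's set_refund_address, first in the shape the report describes (any POST carrying the login cookie is honoured), then hardened with a session-bound synchronizer token and an Origin check. Requests and sessions are plain dicts standing in for HTTP requests and the Google-auth session; the field name `address`, the handler names, `SITE_ORIGIN`, `SERVER_SECRET` and the sample addresses are assumptions (the PoC's input field name is not preserved on this page).

```python
# Added example: CSRF-vulnerable handler beside a hardened one, modelled on the
# set_refund_address form in the report above.  Hypothetical code, not
# ClearCoin's; requests and sessions are plain dicts standing in for HTTP
# requests and the Google-auth session cookie.
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://clearcoin.appspot.com"  # assumed origin of the real form
SERVER_SECRET = b"per-deployment secret, never sent to a browser"  # assumed


def new_session(user):
    """What the login cookie resolves to server-side: a user plus a session id."""
    return {"user": user, "sid": secrets.token_hex(16), "refund_address": None}


def csrf_token(session):
    """Synchronizer token: HMAC of the session id, embedded in the site's own
    form as a hidden field.  An attacker page cannot read it (same-origin
    policy) and cannot forge it (no SERVER_SECRET)."""
    return hmac.new(SERVER_SECRET, session["sid"].encode(), hashlib.sha256).hexdigest()


def make_request(origin, form):
    """Constructed stand-in for a POST: the Origin header (None if the browser
    sent none, 'null' for a page opened from a local file) plus form fields."""
    headers = {} if origin is None else {"Origin": origin}
    return {"headers": headers, "form": form}


def vulnerable_set_refund_address(session, request):
    """The bug class in the report: any POST carrying the login cookie is honoured."""
    session["refund_address"] = request["form"]["address"]
    return 200


def hardened_set_refund_address(session, request):
    """Same handler with two independent checks."""
    # Defence in depth: if the browser sent an Origin, it must be ours.  A
    # cross-site form post sends the attacker's origin; a file:// PoC sends "null".
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # Primary defence: the hidden token must match this session's own token.
    # compare_digest keeps the comparison constant-time.
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, csrf_token(session)):
        return 403
    session["refund_address"] = request["form"]["address"]
    return 200


def demo():
    """Run both handlers against constructed forged and genuine submissions."""
    victim = new_session("victim@example.com")
    attacker = new_session("attacker@example.com")

    # The report's PoC opened from a local file: Origin "null", no token.
    poc_local = make_request("null", {"address": "PUT ANY ADDRESS HERE"})
    # A replay with no Origin header and a token copied from the attacker's
    # own session: wrong session id, so the HMAC does not match.
    token_reuse = make_request(None, {"address": "PUT ANY ADDRESS HERE",
                                      "csrf_token": csrf_token(attacker)})

    out = {}
    out["vuln_local"] = vulnerable_set_refund_address(victim, poc_local)
    out["vuln_addr"] = victim["refund_address"]  # attacker-chosen address now set

    victim = new_session("victim@example.com")  # fresh session for the fixed handler
    # Legitimate submission from the site's own form, token minted for the victim.
    genuine = make_request(SITE_ORIGIN, {"address": "1VictimRefundAddr",
                                         "csrf_token": csrf_token(victim)})
    out["hard_local"] = hardened_set_refund_address(victim, poc_local)
    out["hard_reuse"] = hardened_set_refund_address(victim, token_reuse)
    out["addr_after_attacks"] = victim["refund_address"]  # still None
    out["hard_genuine"] = hardened_set_refund_address(victim, genuine)
    out["addr_after_genuine"] = victim["refund_address"]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token is the real fix; the Origin check only adds margin, since some clients and proxies strip Origin and Referer, which is why the hardened handler tolerates a missing Origin but never a missing or mismatched token. Binding the token to the session id (rather than using one site-wide value) is what stops the attacker from logging in, reading a token from their own page, and pasting it into the PoC form.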