Topic: heartbleed & bitcointalk. (Read 2924 times)

https://lastpass.com/heartbleed/?h=bitcointalk.org%2F


Thanks for all pitching in their advice and help, from theymos to other members.

Feel free to security bounty me for bringing a 5 day old exploit, which you where some what already aware of and fixed, to your attention (ever so politely and delicately, as I always am ) in slightly more detail as to protect your lovely odd 100,000+ userbase

16m38DJdtcoP4KVNjLLmL6zgdwGidQJYBT

Just kidding.. allthough you have missed my last 32 birthdays and 31 xmas gifts!
 

OH that explains why I got logged out and roger
Twice lol

I stand corrected.

You're mistaken. After OpenSSL decrypts data it recieves from the client it temporarily stores it in RAM. You can use heartbleed to get the POST data or part of it when a user logs in if you can time it right. The POST data of course contains the password in plaintext, the hashing is done server-side.

It is difficult to time it right but it does work. However it is incredibly easy to steal session id's using heartbleed as the session id is sent every time a user views a page. An attacker can then use that session id to login as the user.

Grue... i have tried it. I have seen passwords... other people have tried it, they have seen passwords.
I am not a security researcher or anyting like that...  just a person capable of running the script.

However you are partially correct.. I think my use of "in server memory" was me typing abit to quickly for my own good, without thinking.
anyways it has been documented by actual people who can explain it in exact detail (as oposed to me   ) that yes, passowrds, everything can be captured.
Unless ofcourse you hash the password on the client side first... otherwise the password is sent.. under normal circumstances your protected by HTTPS and obviously people can't pull data from your server.......... until this issue came about.

someone even managed to get the private keys off a server..

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge


anyways - the msg for users to change passwd has been put up. thank you

now you're being disingenuous. the passwords aren't stored in server memory. the passwords aren't stored anywhere, because they're hashed + salted. the most that can be stolen are the hashes.

Thank god I found this thread, got logged out thought I got/was getting hacked

Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.

basically... everyone.. please change your password..
If there was ever a necessary time, its now.....

ummm I highly advise you look into security issues abit more next time.
I'm not trying to be a dick but a 3rd party could basically see what was in your servers memory... you understand that right ? If a user logged in, a 3rd party could get lucky and see that information. A 3rd party did NOT need the private key to see the unencrypted data.......

To run the exploit you simply had the download the vulnerability checking script written in python and add an extra line to print the 64k worth of data. It was so simple even I was able to get it working and I am in no way a programmer, security expert or developer etc... ( To confirm I never ran the exploit against this site.. i assumed the software was so old there would be no point even bothering to test)

the following scenario was proven to work on many many vulnerable servers.

Alice lives in Australia and logs into her server in the USA via browser/HTTPS
Bob lives in the UK and ran the exploit and the timing was just right, Alice had just logged in
and Bob got back 64k of unencrypted data, which contained Alices password.

This attack did NOT involve MITM or anything like that... you could basically just keep getting 64k of data from the servers memory.. sometimes it might be posts, useless crap and obviously very occasionaly you might get lucky and get passwords. But you DID NOT need to be in the path of the user or server... that is why this was so critical and every other website was concerned and advised people to change passwords, after is fixed.

How do you know someone wasnt doing this exploit for months, but it only went public a few days ago ? Chances are they werent, but how do you now.


The fact you don't think its necessary to change passwords now is very very scary.

You should have a huge alert telling users to change their passwords, as you did with the bitcoin client update.


Seriously.. do you just not give a shit about the users security  ??
You only seem concerned with generating revenue from advertisements.

Good man. Thanks theymos. 

I updated the keys.

It's never a bad idea to change your password, but in this case I don't really think that it's necessary.

It was, but it was fixed hours after the vulnerability was announced. It's very unlikely IMO that the private key was compromised, and an attacker would also need to be able to read traffic between you and the forum to see anything, so a lot of concern isn't necessary IMO. I will still update the TLS keys as soon as I can. (RapidSSL/NameCheap has some technical problems with reissues -- it seems that they always sign the last certificate you sent them when doing a reissue, so you actually need to reissue twice to change the cert, and this takes time.)

I'm not entirely sure about this, but "the word on the street is" the forum was using an older version of OpenSSL which did not have the heartbeat extension so we were not vulnerable.

The SSL certificate has not been updated either, which would also point to this being the case as theymos would have certainly replaced it should the forum been vulnerable to heartbleed.

Also, just to correct your post, while LastPass was vulnerable to heartbleed the attack was useless as all LastPass data is client-side encrypted, meaning an attacker still could not read your data.

This would be great.

I changed my PW here anyhow just in case, and suggest anyone else aswell.

I could careless any longer scratched out part was bout all hacks in gen, gmail lastpass ect.no pun tend to btctalk ., but was bitcointalk effected by hearbleed bug, if gmail and lastpass was, I have no doubt bitcointalk.org was too.

If so: explain.
If not explain:

What are your words on this theymos.