Topic: If your Mt. Gox account has been compromised, PLEASE READ. - page 7. (Read 34602 times)

sr. member
Activity: 294
Merit: 250
It would be nice if we could get a response from MagicalTux on all of this.

I'm beginning to think we have heard all we are ever going to hear from him.
To be fair, he posted a thread today at http://forum.bitcoin.org/index.php?topic=18858 - however, so far it looks a lot like deny-everything marketing talk, although I may be wrong.
Plus I don't understand why he doesn't just implement two factor authentication (through email) instead of a withdrawal password, as the latter can still be circumvented when someone indeed successfully exploits the site to a point where he has database read access.
newbie
Activity: 26
Merit: 0
It would be nice if we could get a response from MagicalTux on all of this.

I'm beginning to think we have heard all we are ever going to hear from him.
newbie
Activity: 14
Merit: 0
Thankfully I'm not one of those affected as I'm still hoarding my coins and biding my time. The markets will mature and security will improve with time; still, remember the old saying: Don't put all of your eggs in one basket, or keep all of your coins in one wallet.
newbie
Activity: 13
Merit: 0
My account is safe although it has only a few BTC. Anyway, my new password is looooong.
sr. member
Activity: 294
Merit: 250
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend to the servers, but how can you tell?
Yes. If you read the reports in this thread, you will see several people were using Linux.

I have also just seen a report of someone allegedly selling the Mt. Gox database. It would be nice if we could get a response from MagicalTux on all of this.
hero member
Activity: 527
Merit: 500
Has a site been found which actually performs the CSRF attack? Maybe some well-visited bitcoin site is vulnerable to XSS and got the attack code included.
newbie
Activity: 6
Merit: 0
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend to the servers, but how can you tell?
sr. member
Activity: 294
Merit: 250
* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
Maybe a CSRF attack that changed your password and the funds were transferred later?
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
newbie
Activity: 6
Merit: 0
* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
Maybe a CSRF attack that changed your password and the funds were transferred later?
full member
Activity: 238
Merit: 100
It has been proven that MtGox has been compromised via a CSRF attack. I lost 20 BTC myself:

Quote
06/14/11 15:45 Withdraw BTC 17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC -20.19 0 0.009 0.059

I also emailed MtGox as soon as I found out, and received an automated reply and assigned support ticket #1605

From my understanding, all you have to do is have the MtGox website open in your browser at the same time as another website running the attack. I commonly open all of my bitcoin related sites in separate tabs in Firefox (not anymore!).

My question is, is MtGox going to refund our money that they failed to secure? 20 BTC may not seem like a lot to some people, but it was a lot to me, and rightfully mine. I hope they do the right thing for those that lost money due to their security flaw.
(in fact, I would even continue to use MtGox now that they have fixed the problem, and they did the right thing in returning money to those that lost out)
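The scenario the post above describes (a logged-in exchange tab plus a hostile page in another tab) and the server-side check that defeats it, as an added illustration written for this thread; it is not code from Mt. Gox or from the poster, and the origin, session and request shapes are assumed for the demo:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://exchange.example"  # assumed origin for the demo, not the real exchange's

@dataclass
class Session:
    user: str
    # Per-session secret embedded in the site's own forms; a foreign page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    session: Optional[Session]    # resolved from the cookie the browser attaches automatically
    form: Dict[str, str]          # POST body
    origin: Optional[str] = None  # Origin header set by the browser, not by page script

def withdraw_vulnerable(req: Request, balances: Dict[str, float]) -> str:
    # Trusts the cookie alone, so a form auto-submitted from another tab is honoured.
    if req.session is None:
        return "not logged in"
    amount = float(req.form["amount"])
    if balances[req.session.user] < amount:
        return "insufficient funds"
    balances[req.session.user] -= amount
    return "ok"

def withdraw_hardened(req: Request, balances: Dict[str, float]) -> str:
    # Same transfer, but only after a same-site Origin and a matching session token.
    if req.session is None:
        return "not logged in"
    if req.origin != SITE_ORIGIN:
        return "rejected: cross-site origin"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return "rejected: missing or wrong csrf token"
    return withdraw_vulnerable(req, balances)

def simulate() -> Dict[str, object]:
    # Constructed scenario: victim is logged in while a page on attacker.example posts the form.
    sess = Session(user="victim")
    forged = Request(session=sess, form={"amount": "20.19"}, origin="https://attacker.example")
    vuln, hard = {"victim": 25.0}, {"victim": 25.0}
    return {"vulnerable": withdraw_vulnerable(forged, vuln),
            "hardened": withdraw_hardened(forged, hard),
            "left_vulnerable": vuln["victim"], "left_hardened": hard["victim"]}
```

The token check alone would already stop the forged post; the Origin check is a second, independent layer for browsers that send the header.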
member
Activity: 85
Merit: 10
Have you guys considered that Mt. Gox servers themselves might be compromised with backdoors, hosted at an insecure location, or their passfiles might have been stolen? Pfiles get stolen all the time from porn sites and such; all it takes is the pfile, a good wordlist or rainbow table and John the Ripper to decrypt the password hashes.
sr. member
Activity: 294
Merit: 250
I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.
MBH
newbie
Activity: 51
Merit: 0
Was anyone using this app, by any chance? I downloaded it the other day but decided against giving them my password. Noticed today that there is a new version that is now closed source. Coincidence?

I saw the app in the market and it spooked me since it wasn't developed by MtGox itself.

My friend installed it & gave it access. I don't know if he got compromised or not (if not, he probably doesn't have worthy funds).

I highly suspect this app.
hero member
Activity: 695
Merit: 502
PGP: 6EBEBCE1E0507C38
Mine hasn't been touched, but is a low balance; changed my pw just in case an attacker was sitting on it, waiting for me to add more funds.
sr. member
Activity: 294
Merit: 250
I also get this error on login now:

Too many failure from your IP, temporarly blocked

Does anybody know what it means or have solved it?

I was getting it, then I clicked "forgot password" and reset my password, and I can log in now.
newbie
Activity: 56
Merit: 0
I also get this error on login now:

Too many failure from your IP, temporarly blocked

Does anybody know what it means or have solved it?
newbie
Activity: 23
Merit: 0
I think my account has been compromised.

I can log in to my account. After I log in, I can still see my user name and my balance in the top right corner, but it says "Not logged in".

Can someone confirm whether my account has been hacked??

* How much funds did you lose?
not that much
* To what address were your stolen funds sent?
Can't log in to check; email address was changed as well.
* What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7 x64
* How long was your old password?
12 word,
* Was your old password random?
No really random
* Was your username the same on Mt. Gox as on the forum?
No
* Did you use your Mt. Gox password somewhere else?
Yes
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
No
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
Bitcoin, CPU-miner, namecoin,
* Please also include a screenshot if possible so we know it's a real report.


Am I screwed???

Update: I tried to use the forgot password function. I entered my email, but it didn't work, so I think they changed my email.
So I submitted my username to reset my password (even though I knew I wouldn't receive the email).
But a few minutes later, I received a reset password email in my original email account!
WTF is happening with Mt Gox???

Another update:
After I reset my password to 24 characters, I am able to log in and my funds are still there.
But I am very skeptical about using Mt Gox now.

newbie
Activity: 28
Merit: 0
Wait wait wait...


are we saying that people's cash-moneys have been stolen and sent to other people's banks from mt gox?
Lawl, I love saying cash-monies.
newbie
Activity: 55
Merit: 0
Yeah, I saw this today on bitcoincharts.com.
member
Activity: 98
Merit: 10
EDIT: If you cannot access your account and your e-mail address on your account has been changed, please post here as well with as much information as you have.

EDIT2: Added a question about password reuse, please update your posts


While Mt. Gox being compromised is a possibility, there is no proof for it, and it's best NOT to assume that is the case - this may be an attempt at spreading fear and getting people to leave Mt. Gox.
It's best to wait for a response from MagicalTux on this. Personally I normally don't leave any funds in Mt. Gox (or any web wallet / exchange) any longer than necessary, exactly to avoid things like this. The only reason it happened now was because I was unable to access Mt. Gox at all for a long time, and thus didn't have the chance to withdraw my funds.

CSRF has been found. Having said that though bitcoin7 is riddled with them.

I'm still proposing that bitcoins themselves need to have unix-like perms on them. Receive, Send, Operate. Wrap them up and they can't be transferred until there is a three-way handshake.