Topic: Is Wordpress Cause for Bitcoin Exchange AllCrypt.com Goes Down? (Read 1395 times)

sr. member
Activity: 406
Merit: 250
The choice of using WordPress seems to be a strange one. A financial exchange and a blogging platform are completely different things with completely different risk profiles if something were to go wrong. If a blog is hacked and it was backed up, then no problem. You could just roll back the database and reupload any files that were affected. The same obviously does not apply for a Bitcoin exchange.

And it's not just WordPress. You wouldn't host an exchange on a copy of phpBB either.
legendary
Activity: 1100
Merit: 1032
Just out of curiosity but what difference does it make whether or not WordPress (or any other similar content management system such as Joomla or Drupal) is used as the front-end? If the back-end which does the actual processing of payments is coded securely and operates independently of WordPress (which I understand wasn't the case here), does the fact that a site uses WordPress as its CMS still pose a security risk?

The front-end sends commands to the back-end and exposes back-end info to users; unless you have an air gap and a human manually verifying everything, once the front-end is compromised the back-end will fall regardless of its security level.

If the front-end is compromised, the hacker can, for instance, just turn a "buy coins" command into a "withdraw coins" command. If the 2FA is handled by the front-end, either directly or because the front-end allows changing or resetting 2FA/email address, then the back-end has no way to know if a command originates from a user or from a hacker that compromised the front-end.

If the administration is part of the front-end (which is common), then gaining control of the front-end means you have admin control of the back-end.
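To make the point above concrete, here is an added example (not code from AllCrypt, WordPress or anyone in this thread) of a back-end that keeps each user's 2FA secret on its own side and verifies every withdrawal itself, so a front-end that can only relay requests cannot authorise one on its own. The HOTP/TOTP helpers follow RFC 4226/6238; the in-memory balances, the user "alice", the RFC test secret and the fixed clock are constructed for the demo.

```python
"""Added example (not AllCrypt's or WordPress's code): a back-end that verifies
withdrawals itself instead of trusting whatever the front-end relays.

Assumptions (constructed for this example): an in-memory balance table, TOTP
secrets held only by the back-end, and a front-end that can only forward the
user's one-time code, never read or reset the secret.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class Backend:
    """Owns balances and 2FA secrets. There is no API for the front-end to read
    or reset a secret, so a compromised front-end cannot mint valid codes."""

    def __init__(self):
        self._secrets = {}    # user -> TOTP secret, never leaves this process
        self._balances = {}   # user -> BTC balance (constructed, in-memory)

    def enroll(self, user: str, secret: bytes, balance: float) -> None:
        self._secrets[user] = secret
        self._balances[user] = balance

    def balance(self, user: str) -> float:
        return self._balances[user]

    def withdraw(self, user: str, amount: float, code: str, now=None) -> bool:
        """Approve a withdrawal only if the user's own TOTP code checks out
        against the back-end's copy of the secret and the balance covers it."""
        now = int(time.time()) if now is None else now
        secret = self._secrets.get(user)
        if secret is None or amount <= 0:
            return False
        if not (code.isascii() and code.isdigit()):
            return False
        # Accept the current 30 s step and one step either side for clock skew.
        expected = {totp(secret, now + d * 30) for d in (-1, 0, 1)}
        if not any(hmac.compare_digest(code, e) for e in expected):
            return False
        if self._balances[user] < amount:
            return False
        self._balances[user] -= amount
        return True


def demo():
    """Legitimate withdrawal passes; a compromised front-end that sends a
    withdrawal on its own, without the user's code, is refused."""
    backend = Backend()
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret (constructed)
    backend.enroll("alice", secret, 1.5)
    now = 59                           # fixed clock so the demo is deterministic
    good = backend.withdraw("alice", 0.5, totp(secret, now), now)
    forged = backend.withdraw("alice", 1.0, "000000", now)   # no valid code
    return good, forged, backend.balance("alice")


if __name__ == "__main__":
    print(demo())
```

The corollary matches the reply's point: if the front-end is also allowed to enrol or reset a user's secret, or if admin operations that bypass `withdraw()` are reachable from it, this check buys nothing, because the attacker simply resets the secret or uses the admin path.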
sr. member
Activity: 462
Merit: 250
Just out of curiosity but what difference does it make whether or not WordPress (or any other similar content management system such as Joomla or Drupal) is used as the front-end? If the back-end which does the actual processing of payments is coded securely and operates independently of WordPress (which I understand wasn't the case here), does the fact that a site uses WordPress as its CMS still pose a security risk?

As for Wordpress, I would demand an official response from them, but that would not happen since they would be exposed to a lawsuit.. 

WordPress was designed to be a blogging platform, not a Bitcoin exchange. And their terms of use explicitly state that they can't be held liable for situations like these.

That's what they always do, they either say it was an inside job and there was an ex employee who did it and since that story was getting old and boring they're now coming up with newer excuses so nobody blames them. Now it's wordpress, somewhere down the line they're gonna say it's the hosting company etc etc.

The fact is people should just stop trusting sites just because they say they're secure and they have a pretty looking site. They will keep making new ones and keep coming back unless something is done about this.

Bter already said they were hacked by someone who gained access to the hosting company. I think Bitstamp might have done the same thing. Personally, the tone of the announcement posted by the site's owner suggests to me IMO the explanation is genuine. The decision to use WordPress seems to have been the main problem.
legendary
Activity: 1100
Merit: 1032
Running any kind of CMS on the same server, or on a server from which you access the wallets server, was asking for trouble.

The wallets should be alone on their own VPS servers (so a faulty wallet won't compromise others), the servers and hosts should be used for nothing else (to minimize attack surface), and should not even be directly reachable from the internet but use proxies to connect to the wallet network, and a strict IP-filtered VPN for admin. Be wary of hosting-company-provided remote admin tools as well. And that's the bare minimum.
jr. member
Activity: 56
Merit: 1
As a developer that uses the language that WordPress is coded in (PHP); their code base is a mess. I've used it, it's a PITA to use. It's probably one of the most vulnerable blogging/CMS platforms available. There's actually a full blown security add-on from a third-party just to secure it up to the point of usable. The first issue that all wordpress installations have is the admin log-in page in the exact same spot. Find a blog that uses wordpress then change the URL to the domain and then /wp-admin ... you'll get the admin panel log-in... nearly every damn time, unless the admin of the blog knows how to change it (which isn't easy).

Sounds like the hacker used the eval PHP function (or the exec function). It essentially gives root access right to the OS of the server. Surprised they didn't deactivate it somehow (there are ways). It's one of PHP's biggest security issues; even the developers of PHP give a warning in their manual (http://php.net/eval). Facebook personally went so far as to rewrite the PHP interpreter to remove it for their uses.

Joomla is more secure, but the admin panel interface is awful. It's on them for choosing a highly insecure platform to begin with. Any web-developer will tell you to avoid it at all costs. The only reason I used it in the past is because I was too lazy to code something myself.
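Two hardening checks a defender can run on a PHP host, following the point above about deactivating dangerous functions and the thread's account of files being uploaded to the server. This is an added example, not code from WordPress, AllCrypt or the poster. One caveat it encodes: `disable_functions` in php.ini only covers internal functions, and `eval` is a language construct, so php.ini cannot switch it off; removing it takes a different runtime or a patched interpreter, which is what the post says Facebook did. The sample php.ini text, the temporary upload tree and the planted file name are constructed for the demo.

```python
"""Added example (not WordPress's or AllCrypt's code): two hardening checks.

check_disable_functions() reads the `disable_functions` directive of a php.ini
and reports shell-execution functions left enabled. `eval` is deliberately not
on the list because php.ini cannot disable it (it is not a function).

find_php_in_uploads() lists PHP files under a directory that should only ever
hold media (WordPress's wp-content/uploads); any hit deserves a look.

All input below is constructed so the example runs offline.
"""
import os
import re
import tempfile

# Functions that hand PHP a shell or a process; eval is absent on purpose.
SHELL_FUNCTIONS = ("exec", "passthru", "shell_exec", "system", "proc_open", "popen")

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")


def parse_disable_functions(ini_text: str) -> set:
    """Return the names listed in the (last) disable_functions line of a php.ini."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        match = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if match:
            disabled = {n.strip() for n in match.group(1).split(",") if n.strip()}
    return disabled


def check_disable_functions(ini_text: str) -> list:
    """Shell-execution functions that disable_functions does not cover."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in SHELL_FUNCTIONS if f not in disabled]


def find_php_in_uploads(root: str) -> list:
    """Relative paths (with '/' separators) of PHP files under an uploads dir."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PHP_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


# Constructed php.ini fragments: the weak setting beside the corrected one.
WEAK_INI = "; constructed php.ini fragment\ndisable_functions =\n"
HARDENED_INI = ("; constructed php.ini fragment\n"
                "disable_functions = exec,passthru,shell_exec,system,proc_open,popen\n")


def demo() -> dict:
    """Run both checks on constructed input and return the findings."""
    with tempfile.TemporaryDirectory() as uploads:
        os.makedirs(os.path.join(uploads, "2015", "03"))
        # logo.png is what belongs here; adminer.php stands in for a planted file.
        for rel in ("2015/03/logo.png", "2015/03/adminer.php"):
            with open(os.path.join(uploads, *rel.split("/")), "w") as fh:
                fh.write("constructed placeholder\n")
        planted = find_php_in_uploads(uploads)
    return {
        "weak_ini_missing": check_disable_functions(WEAK_INI),
        "hardened_ini_missing": check_disable_functions(HARDENED_INI),
        "php_in_uploads": planted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `find_php_in_uploads()` at the real uploads directory on a cron job and alert on any hit; pairing it with a web-server rule that refuses to execute PHP under that directory turns the same finding from a detection into a block.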
legendary
Activity: 2898
Merit: 1017
Putting your money in small anonymous exchanges is like publishing your private key on facebook, just waiting for someone to take it..

As for Wordpress, I would demand an official response from them, but that would not happen since they would be exposed to a lawsuit..  

I wonder how that would expose Wordpress to a lawsuit. Aside from the fact that the software is distributed free of charge with source code and no warranty whatsoever, this was clearly a customized and modified version of Wordpress (I know of no official cryptocurrency exchange plugin) and the software was clearly not being used for its intended purpose (blogging).

If I'm out street racing in a Corvette I modified myself to be faster than stock, I cause an accident and General Motors releases a statement to the effect that their vehicle was never intended to be driven at those speeds.. I fail to see how General Motors would expose itself to a lawsuit in that situation. In that situation, I created the problem myself and it is entirely my responsibility, not theirs. Similarly, in the AllCrypt situation, the site admin clearly created the situation that made his site unsafe and the responsibility is his. If he did not know that Wordpress was never intended as a financial exchange platform and was never secure enough to be used as such, that's his own fault for not knowing how to use Google.

I'm not a web developer, but if there was some kind of optimization that could risk security, then obviously wordpress would not admit to their fault.
full member
Activity: 137
Merit: 100
Putting your money in small anonymous exchanges is like publishing your private key on facebook, just waiting for someone to take it..

As for Wordpress, I would demand an official response from them, but that would not happen since they would be exposed to a lawsuit..  

I wonder how that would expose Wordpress to a lawsuit. Aside from the fact that the software is distributed free of charge with source code and no warranty whatsoever, this was clearly a customized and modified version of Wordpress (I know of no official cryptocurrency exchange plugin) and the software was clearly not being used for its intended purpose (blogging).

If I'm out street racing in a Corvette I modified myself to be faster than stock, I cause an accident and General Motors releases a statement to the effect that their vehicle was never intended to be driven at those speeds.. I fail to see how General Motors would expose itself to a lawsuit in that situation. In that situation, I created the problem myself and it is entirely my responsibility, not theirs. Similarly, in the AllCrypt situation, the site admin clearly created the situation that made his site unsafe and the responsibility is his. If he did not know that Wordpress was never intended as a financial exchange platform and was never secure enough to be used as such, that's his own fault for not knowing how to use Google.
vip
Activity: 1428
Merit: 1145
Emotional message from AllCrypt.com:

Quote
Update: A blog post is up explaining the current status of things. https://www.allcrypt.com/blog/2015/03/what-happened-and-whats-going-on/

Update: Spent the last 16 hours scouring logs. I believe I know what happened and how. I'll post full details as soon as I know more. The site is down, for now, completely, until I can assess the damage done. I'm not even sure there is anything to bring back up.

Older notice:
Well, due to some apparent exploit in wordpress, someone, somehow, got into the server tonight, installed some files, and managed to empty the goddamned BTC wallet. Best I can tell it was something with that worthless pile of shit software wordpress.

I'm fucking done. I run a site, spend thousands of hours of time, thousands of dollars of my OWN money to run it, decide to shut down, and somehow, through ways I cannot even figure the hell out, someone gets in, uploads files to the server, somehow finds the goddamned BTC wallet on the network, and it appears that they slammed it with withdraw requests. Of course, the wallet is locked - but it unlocks when a withdraw is legitimately made through the site. I THINK they made a real wd on the site, and then slammed the backdoor to get the other funds out.

We had 42 BTC in the wallet. 12 was the site's. 30 was users' BTC. I'm fucking done with crypto. I'll post details when I sort this fucking mess out. Not that it will matter, because no one ever actually gives a shit when something like this happens.

Shame, I did use allcrypt in the past (might even have had some small balance there, not even sure).


L.I.B.! A crybaby and a thief. Glad this fucker's done with crypto, ergo his ass won't be around these parts any longer.
hero member
Activity: 672
Merit: 502
The bitcoin exchange AllCrypt.com has gone down, and 42 bitcoins are reported missing. The Allcrypt.com site has a note posted saying “Allcrypt.com is down for a bit.” Attempts are being made to resurrect the site, and details will be posted as they become available.

Quote
WordPress is a blogging platform. Using it for something as serious as handling the transfer of thousands of dollars, or potentially hundreds of thousands or more, is absolutely a failure in logic. Even if you had to begin with a WordPress platform to get off the ground, you should not have continued using it once money started flowing. Either a proprietary solution developed in-house or a solution licensed from a veritable vendor would have been more appropriate.

The culprit seems to be WordPress in every way, since the hacker was able to use it to upload adminer.php, a well-known database management tool which allowed him to modify the site’s database at will. He then sent MySQL calls for non-existent accounts to have their balances changed. At some point, the site’s “secondary accounting system” was able to stop him, but he was able to recover from this roadblock and continue by converting the fake balances to other coins, an obvious oversight in the architecture of the exchange.

The site's owners blame WordPress for their failure, diverting responsibility away from the site’s owners.

That's what they always do, they either say it was an inside job and there was an ex employee who did it and since that story was getting old and boring they're now coming up with newer excuses so nobody blames them. Now it's wordpress, somewhere down the line they're gonna say it's the hosting company etc etc.

The fact is people should just stop trusting sites just because they say they're secure and they have a pretty looking site. They will keep making new ones and keep coming back unless something is done about this.
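The quoted write-up says a "secondary accounting system" caught the edited balances but missed them once they had been traded into other coins. As an added example (not AllCrypt's code; the thread does not describe their system beyond that sentence), here is a reconciliation pass that derives every balance from a double-entry ledger and checks it, across all coins at once, against both the stored balance table and the wallets' actual holdings. The account names, amounts and wallet totals are constructed; the "ghost" account stands in for the non-existent account whose balance was set directly in the database and then traded away.

```python
"""Added example (not AllCrypt's code): ledger reconciliation across all coins.

Constructed data models the incident as the quoted write-up describes it: a
balance row edited directly in the database for an account with no deposits,
then traded into another coin. Every name and number below is an assumption.
"""
from collections import defaultdict

# Ledger entries: (account, coin, delta). Every event that moves value writes
# entries here; deposits are the only entries with no internal counterpart.
LEDGER = [
    ("alice", "BTC", 2.0),              # confirmed deposit
    ("bob", "BTC", 1.0),                # confirmed deposit
    ("bob", "LTC", 400.0),              # confirmed deposit
    # Trade: alice sells 0.5 BTC to bob for 50 LTC (four legs, sums to zero).
    ("alice", "BTC", -0.5), ("alice", "LTC", 50.0),
    ("bob", "LTC", -50.0), ("bob", "BTC", 0.5),
    # "ghost" never deposited anything; its BTC row was set to 3.0 directly in
    # the database, then it sold that 3 BTC to bob for 300 LTC:
    ("ghost", "BTC", -3.0), ("ghost", "LTC", 300.0),
    ("bob", "LTC", -300.0), ("bob", "BTC", 3.0),
]

# Balance table as the database now shows it (ghost's fake 3.0 BTC was spent).
BALANCES = {
    ("alice", "BTC"): 1.5, ("alice", "LTC"): 50.0,
    ("bob", "BTC"): 4.5, ("bob", "LTC"): 50.0,
    ("ghost", "BTC"): 0.0, ("ghost", "LTC"): 300.0,
}

# What the exchange's wallets actually hold (hot + cold), per coin.
WALLETS = {"BTC": 3.0, "LTC": 400.0}


def ledger_balances(ledger):
    """Sum ledger deltas per (account, coin)."""
    totals = defaultdict(float)
    for account, coin, delta in ledger:
        totals[(account, coin)] += delta
    return dict(totals)


def reconcile(ledger, balances, wallets, tolerance=1e-9):
    """Return a list of findings. Three invariants are checked:
    1. every stored balance equals the ledger-derived balance;
    2. no ledger-derived balance is negative (value appeared from nowhere);
    3. per coin, customer balances in total never exceed wallet holdings.
    Running all three over every coin, not only the one that was edited, is
    what still catches fake value after it has been traded into another coin:
    here the inflated liability shows up in BTC, on bob's side of the trade."""
    findings = []
    derived = ledger_balances(ledger)
    for key in set(derived) | set(balances):
        stored, computed = balances.get(key, 0.0), derived.get(key, 0.0)
        if abs(stored - computed) > tolerance:
            findings.append(("balance_mismatch", key, stored, computed))
        if computed < -tolerance:
            findings.append(("negative_ledger_balance", key, computed))
    liabilities = defaultdict(float)
    for (_, coin), amount in balances.items():
        liabilities[coin] += amount
    for coin, owed in liabilities.items():
        held = wallets.get(coin, 0.0)
        if owed - held > tolerance:
            findings.append(("liabilities_exceed_holdings", coin, owed, held))
    return findings


def honest_books():
    """The same books without the ghost trade, for comparison: no findings."""
    ledger = LEDGER[:7]
    balances = {("alice", "BTC"): 1.5, ("alice", "LTC"): 50.0,
                ("bob", "BTC"): 1.5, ("bob", "LTC"): 350.0}
    return ledger, balances, WALLETS


if __name__ == "__main__":
    for finding in reconcile(LEDGER, BALANCES, WALLETS):
        print(finding)
```

The check that matters most for the incident as described is the third one: the ghost's LTC balance is internally consistent after the trade, so only the per-coin liability total, compared with what the wallets really hold, reveals that 3 BTC of customer balances have no backing.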
legendary
Activity: 2772
Merit: 2846
I don't have much Wordpress experience but years ago someone said new vulnerabilities keep getting found and used for hacks. Apparently they are fixed quickly after a hack, but Wordpress is not really safe to be integrated into sensitive systems like exchanges.
legendary
Activity: 2436
Merit: 1561
Emotional message from AllCrypt.com:

Quote
Update: A blog post is up explaining the current status of things. https://www.allcrypt.com/blog/2015/03/what-happened-and-whats-going-on/

Update: Spent the last 16 hours scouring logs. I believe I know what happened and how. I'll post full details as soon as I know more. The site is down, for now, completely, until I can assess the damage done. I'm not even sure there is anything to bring back up.

Older notice:
Well, due to some apparent exploit in wordpress, someone, somehow, got into the server tonight, installed some files, and managed to empty the goddamned BTC wallet. Best I can tell it was something with that worthless pile of shit software wordpress.

I'm fucking done. I run a site, spend thousands of hours of time, thousands of dollars of my OWN money to run it, decide to shut down, and somehow, through ways I cannot even figure the hell out, someone gets in, uploads files to the server, somehow finds the goddamned BTC wallet on the network, and it appears that they slammed it with withdraw requests. Of course, the wallet is locked - but it unlocks when a withdraw is legitimately made through the site. I THINK they made a real wd on the site, and then slammed the backdoor to get the other funds out.

We had 42 BTC in the wallet. 12 was the site's. 30 was users' BTC. I'm fucking done with crypto. I'll post details when I sort this fucking mess out. Not that it will matter, because no one ever actually gives a shit when something like this happens.

Shame, I did use allcrypt in the past (might even have had some small balance there, not even sure).


legendary
Activity: 2898
Merit: 1017
Putting your money in small anonymous exchanges is like publishing your private key on facebook, just waiting for someone to take it..

As for Wordpress, I would demand an official response from them, but that would not happen since they would be exposed to a lawsuit..  
hero member
Activity: 616
Merit: 500
The bitcoin exchange AllCrypt.com has gone down, and 42 bitcoins are reported missing. The Allcrypt.com site has a note posted saying “Allcrypt.com is down for a bit.” Attempts are being made to resurrect the site, and details will be posted as they become available.

Quote
WordPress is a blogging platform. Using it for something as serious as handling the transfer of thousands of dollars, or potentially hundreds of thousands or more, is absolutely a failure in logic. Even if you had to begin with a WordPress platform to get off the ground, you should not have continued using it once money started flowing. Either a proprietary solution developed in-house or a solution licensed from a veritable vendor would have been more appropriate.

The culprit seems to be WordPress in every way, since the hacker was able to use it to upload adminer.php, a well-known database management tool which allowed him to modify the site’s database at will. He then sent MySQL calls for non-existent accounts to have their balances changed. At some point, the site’s “secondary accounting system” was able to stop him, but he was able to recover from this roadblock and continue by converting the fake balances to other coins, an obvious oversight in the architecture of the exchange.

The site's owners blame WordPress for their failure, diverting responsibility away from the site’s owners.