Topic: Mt. Gox: If your coins were stolen, please write here - page 3. (Read 22296 times)

It must be in the thread ocnfirming the existence of the CSRF vulnerability.

I had 20 BTC stolen from my account, I didn't find out until 2 days later.

Here, I added 20 BTC to do some trading:

Within a single day, it had been transferred out (unknown to me)

I sent an email from your website reporting the problem, here is the automated reply:

I feel that it is MtGox's responsibility to own up to losses from multiple users.  You can confirm yourself that my original report to you was received before there was any mention of a confirmed vulnerability.

Where was MD5 mentioned?

The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

MagicalTux, a few cases can already be found here: http://forum.bitcoin.org/index.php?topic=18050.0
It also has some information regarding passwords strengths and operating systems that people used etc.

Also, have you received my PM about the CSS history sniffing vulnerability?


If the easiest way of "laundering" stolen money would be the exact site you compromised (Mt. Gox) I can imagine that someone does not want to go through the trouble of laundering everything, and would rather sell off the entire database in one hit and have others deal with that. Not to mention selling the database to multiple people.

Hashes (even salted) can be bruteforced. Especially if someone has for example already set up Bitcoin mining rigs, he would have considerable power to use on bruteforcing passwords, not to mention things like Amazon AWS (or other cloud computing services) that can be used to very quickly crack hashes.

Uhm, I think you need to read up on it. Salting helps defend against table lookups but does not strongly protect against brute force.

That's what salt is for!

Just read it up on Wikipedia...

Well, to be fair, if you have the hashed values, it takes very little effort to bruteforce a large number of passwords. Especially if you use tables.

Your statement makes me nervous about the state of overall security at mtgox....relying on hashed passwords was a failing paradigm over a decade ago.

As I already replied you, your funds were stolen by someone logging in onto your account with your password. Your funds are right now on a bitcoin address and have not moved since then.

As a reminder we assume no responsibility should your funds be stolen by someone using your own password.

Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

Seeing the database doesn't mean having write access.

Ok, due to that, i tried to change my password in MTGox and it doesnt let me... wtf?

I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".

Copy in case that disappears:

What do you have to say about this here:

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

You know about my case very well MARK - I`m still waiting for my stolen 13.4 BTC...

There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither were ever exploited, except by the people who discovered it.

Both are now fixed.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

Ok, we've been seeing a "lot" of cases recently.

So far I have 10 known cases of people whose coins were stolen (someone logged in on the account using their password, traded USD for BTC, withdrew all the BTC). Considering we have now over 60000 accounts (2 months ago we had 10 times less), this seems to be a problem coming mainly from users.

Problem is many have been posting in various places (forums, reddit, twitter, irc, etc) causing a lot of fear among users when the problem is still fairly limited.

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

By the way we are working on adding an extra feature: a withdraw password. If you define one (on the settings screen) you will have to enter this password too. Should be available by monday.



Now, we cannot recover the funds, however we can try to track those and locate to which account they were sent. I guess that if your account was compromised you first sent an email to [email protected] asking for your account to be blocked until investigation, providing as much information as you can as for the problem.

Please post here your ticket number that was assigned to you when you created this if you want priority handling. Please read the following FAQ before.


FAQ

My history disappears along all my coins and monies

You have not logged in with your usual login. Please make sure you are using the right account.

My coins were traded for USD, or my USD were traded for coins, I never entered any order

You had an open order that couldn't be filled because you didn't have enough funds. When you added funds (or coins) your order could be filled, and was filled.