Topic: MtGox account compromised - page 2. (Read 110455 times)

Is this thread still alive?
I've seen this just now.
I would like to ask what is a dictionary attack. If that is what I know, it is really unlikely that it could have happened.

Firstly a dictionary attack means that somebody has used a dictionary word for his password. Or maybe 2 dictionary words sticked together. Already with 3 sticked together it's really unlikely that it could be completed in any reasonable time. Consider an english dictionary of 3000 words (that's low, let's assume just common/simple words and english language), you use 3 of them sticked together, suppose you even use all noncapitals characters, no digits and no spaces, it still means the attacker has to bruteforce 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average, to crack the password.

Over the network, with SSL authentication (that's overhead) I don't think the attacker could really try more than 1000 passwords per second; after that it becomes a bandwidth and CPU attack against mtgox resulting in DoS. even at this speed it would take an average of 10 years of continuous attempts to crack one single password, and nobody noticing anything in the meantime. I don't see this likely *at all*.

A different thing is if the attacker was able to download the file of hashed passwords by first hacking the mtgox website database with mysql injection. After that he could perform the dictionary attack locally on his PC (as opposed to over the network). At this point 3 words sticked together becomes feasible and 4 words is so-so. Also, I read people speaking about rainbow attacks: again, these are feasible only if the attacker could download the hashed passwords file.

But at this point one wonders, if the hacker is able to hack the DB and download the hashed passwords file from the website, why isn't he able to just login to the victim's account or change the victim's password to something known to him?

So I don't really see this clear. How did this attack really happen?

The people who got their account hacked (who hopefully changed their password by now) would they be willing to disclose their old password so we have an idea of how weak that was, and how could this hack actually happen?

hey, I wish I can afford one like this too: (everybody with bitcoin seems to have one)



just kidding.

Is there any reason for this dispute? Shake hands with each other, okay?

You are putting things on my keyboard that i din't write.
I never said that i don't care HERE. Perhaps i didn't care in some other thread.

PS.
SERIOUSLY dude. What is your problem ? Just to remind you - it was you who started insulting me.
We could have a polite conversation but no - you like shitfight better.

point 1, explanation
point 2, fuck you thats why! 

so, why are you coming back, and edit your posts if you don't care ?

Because you seem to have said so of course...

FYI, i would NEVER EVER put something like this in URL, because just from the looks of it it's scary as hell.
FYI-2 i know "something" about security, but i have no need to explain myself to you.

Thanks. Every once in a while, I need to be reminded there's a browser called "IE" that people still use, sorry.

Worth noting is that the variables on the query string are "username" and "password", which differ from the variable names passed in the call to $.post ("name" and "pass").  The $.post call is then apparently unrelated to the problem.  (I confirmed that I see "username" and "password" in my address bar as well).

This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.

As a workaround, would adding method="POST" to the form help?  (currently it is not specified, it relies on onsubmit returning false, but if this is misunderstood by some browsers, at least an accidental POST would be far cleaner than an accidental GET which I understand is the default?)

I saw it using Firefox, but did not see it within Chrome. Seems that WebKit does not show it.

I did notice this several days ago - mentioned the same thing in an e-mail to Jed - because I observed this in my address bar.  Jed replied that indeed the site indeed uses POST, but I indeed still see this in my address bar.

Is it secure?  Well... depends.  Sure, it goes over HTTPS.  But what about any toolbar that looks at your URL's and silently sends them somewhere (common).  Even IE in its most basic configuration sends URL's you visit to Microsoft for the purpose of "smart screen" filtering.  Also it sits in your browser history, and can be seen by later users of the machine if they type the beginning of the URL.  So that is why indeed it's a concern.  I have only observed this within IE, if I use for example Safari, I don't see this.

If you're seeing this, and I'm seeing it too, then it's a problem, and not FUD.

Also a concern is the password retrieval feature.  Anyone who can read your e-mail can access your account and there is no apparent way to control this.

Yeah, you are right. Sorry for that. It just looks quite scary.

Heh nice. However... it does at least LOOK bad, and that will always be enough to make someone sound the alarms once in a while. I would highly encourage cleaning that up, if only to look a little more... "professional", but also to avoid freaking people out.

Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

And you seem not to have a clue about them

I hope so. I got it in my address bar while I pressed the Login button.

but this GET does not work....
the javascript behind the login page is clearly using POST:
        var name=$("#username").val();
   var pass=$('#password').val();
   $.post("/code/login.php", { "name": name , "pass": pass  }, onServer , "json" );
where/how did you get your URL?

OMG, this is serious.
These are security basics...

Yes it is.

However, this kind of URL is easily used in CSRF exploits.

Is it really a problem, having the password in the url when https is used? I thought that the browser checks the certificate and starts encrypting before the url is transmitted.

MTGOX! WAKEUP!!!