Topic: MtGox account compromised - page 2. (Read 110460 times)

newbie
Activity: 3
Merit: 0
March 05, 2011, 09:52:57 PM
Is this thread still alive?
I've seen this just now.
I would like to ask what a dictionary attack is. If it is what I think it is, it is really unlikely that it could have happened.

Firstly, a dictionary attack means that somebody has used a dictionary word for his password. Or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low; let's assume just common/simple words and the English language), you use 3 of them stuck together, suppose you even use all non-capital characters, no digits and no spaces; it still means the attacker has to brute-force 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average to crack the password.

Over the network, with SSL authentication (that's overhead) I don't think the attacker could really try more than 1000 passwords per second; after that it becomes a bandwidth and CPU attack against mtgox resulting in DoS. Even at this speed it would take an average of 10 years of continuous attempts to crack one single password, with nobody noticing anything in the meantime. I don't see this as likely *at all*.

A different thing is if the attacker was able to download the file of hashed passwords by first hacking the mtgox website database with MySQL injection. After that he could perform the dictionary attack locally on his PC (as opposed to over the network). At this point 3 words stuck together becomes feasible and 4 words is so-so. Also, I read people speaking about rainbow attacks: again, these are feasible only if the attacker could download the hashed passwords file.

But at this point one wonders, if the hacker is able to hack the DB and download the hashed passwords file from the website, why isn't he able to just login to the victim's account or change the victim's password to something known to him?

So I don't really see this clearly. How did this attack really happen?

The people who got their account hacked (who hopefully changed their password by now) would they be willing to disclose their old password so we have an idea of how weak that was, and how could this hack actually happen?
legendary
Activity: 1441
Merit: 1000
Live and enjoy experiments
February 11, 2011, 05:20:55 PM
hey, I wish I can afford one like this too: (everybody with bitcoin seems to have one)
just kidding.
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 11, 2011, 04:38:42 PM
Is there any reason for this dispute? Shake hands with each other, okay?
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
February 11, 2011, 04:15:31 PM
FYI, i would NEVER EVER put something like this in URL, because just from the looks of it it's scary as hell.
FYI-2 i know "something" about security, but i have no need to explain myself to you.
so, why are you coming back, and edit your posts if you don't care ? Smiley

You are putting things on my keyboard that I didn't write.
I never said that i don't care HERE. Perhaps i didn't care in some other thread.

PS.
SERIOUSLY dude. What is your problem ? Just to remind you - it was you who started insulting me.
We could have a polite conversation but no - you like shitfight better.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
February 11, 2011, 02:06:10 PM
FYI, i would NEVER EVER put something like this in URL, because just from the looks of it it's scary as hell.
FYI-2 i know "something" about security, but i have no need to explain myself to you.
so, why are you coming back, and edit your posts if you don't care ? Smiley

point 1, explanation
point 2, fuck you thats why!  Cheesy
legendary
Activity: 1372
Merit: 1008
1davout
February 11, 2011, 01:56:42 PM
FYI, i would NEVER EVER put something like this in URL, because just from the looks of it it's scary as hell.
FYI-2 i know "something" about security, but i have no need to explain myself to you.
so, why are you coming back, and edit your posts if you don't care ? Smiley
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
February 11, 2011, 01:44:50 PM
Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

These are security basics...
And you seem not to have a clue about them Smiley

Because you seem to have said so of course...

FYI, i would NEVER EVER put something like this in URL, because just from the looks of it it's scary as hell.
FYI-2 i know "something" about security, but i have no need to explain myself to you.
legendary
Activity: 1441
Merit: 1000
Live and enjoy experiments
February 09, 2011, 05:09:55 PM
This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.
Thanks. Every once in a while, I need to be reminded there's a browser called "IE" that people still use, sorry.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
February 09, 2011, 01:34:26 PM
Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!
but this GET does not work....
the javascript behind the login page is clearly using POST:
// Login script: read the two fields and send them to the server with an AJAX POST
var name = $("#username").val();
var pass = $('#password').val();
$.post("/code/login.php", { "name": name, "pass": pass }, onServer, "json");
where/how did you get your URL?

Worth noting is that the variables on the query string are "username" and "password", which differ from the variable names passed in the call to $.post ("name" and "pass").  The $.post call is then apparently unrelated to the problem.  (I confirmed that I see "username" and "password" in my address bar as well).

This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.

As a workaround, would adding method="POST" to the form help?  (currently it is not specified, it relies on onsubmit returning false, but if this is misunderstood by some browsers, at least an accidental POST would be far cleaner than an accidental GET which I understand is the default?)
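The GET fallback described in this post, as an added example that is not part of the thread or mtgox's own code: a small JavaScript model of the browser's form-submission rules, assuming a form object with optional method and onsubmit properties; only the login URL and the field names are the ones quoted in the thread.

```javascript
// Added example: models why a login form with no method= attribute ends up
// with the password in the address bar once the onsubmit handler fails to
// cancel native submission. Form objects and the failing handler are constructed.

// Simplified HTML form-submission algorithm:
//   missing or invalid method -> GET; missing action -> the page's own URL;
//   GET puts the form data set in the query string, POST puts it in the body.
function submitForm(form, fields, pageUrl) {
  const method = String(form.method || "").toLowerCase() === "post" ? "post" : "get";
  const url = new URL(form.action || pageUrl, pageUrl);
  const encoded = new URLSearchParams(fields).toString();
  if (method === "get") {
    url.search = encoded;            // query string replaced by the form data
    return { method, url: url.href, body: null };
  }
  return { method, url: url.href, body: encoded };
}

// The onsubmit step: a handler returning false cancels native submission
// (the page's handler then does its own $.post); a handler that is missing
// or throws leaves the browser to submit the form natively.
function dispatchSubmit(form, fields, pageUrl) {
  try {
    if (typeof form.onsubmit === "function" && form.onsubmit(fields) === false) {
      return null;                   // cancelled: no native request at all
    }
  } catch (err) {
    // script error in the handler: the browser proceeds with native submission
  }
  return submitForm(form, fields, pageUrl);
}

function credentialsInUrl(req) {
  return req !== null && /(^|[?&])password=/.test(req.url);
}

// Constructed inputs: the login page URL and field names quoted in the thread.
const PAGE_URL = "https://mtgox.com/users/login";
const CREDS = { username: "my_login", password: "my_password" };
const failingHandler = () => { throw new Error("handler failed"); };

// 1. Form as discussed: no method attribute, handler fails -> native GET,
//    and the URL becomes exactly the one quoted in the thread.
const leaky = dispatchSubmit({ onsubmit: failingHandler }, CREDS, PAGE_URL);
// 2. Same failure with method="post": credentials move to the request body.
const safer = dispatchSubmit({ method: "post", onsubmit: failingHandler }, CREDS, PAGE_URL);
// 3. Handler working as intended returns false: nothing is submitted natively.
const cancelled = dispatchSubmit({ onsubmit: () => false }, CREDS, PAGE_URL);
```

Declaring method="post" does not stop the fallback submission itself, it only keeps the credentials out of the URL, history and any toolbar that reads the address bar; the real fix is a handler that reliably cancels the native submit.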
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 09, 2011, 01:18:44 PM
I saw it using Firefox, but did not see it within Chrome. Seems that WebKit does not show it.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
February 08, 2011, 08:13:43 PM
Maybe you should contact mtgox before spreading FUD like this.
Yeah, you are right. Sorry for that. It just looks quite scary.

I did notice this several days ago - mentioned the same thing in an e-mail to Jed - because I observed this in my address bar.  Jed replied that indeed the site indeed uses POST, but I indeed still see this in my address bar.

Is it secure?  Well... depends.  Sure, it goes over HTTPS.  But what about any toolbar that looks at your URLs and silently sends them somewhere (common)?  Even IE in its most basic configuration sends URLs you visit to Microsoft for the purpose of "smart screen" filtering.  Also it sits in your browser history, and can be seen by later users of the machine if they type the beginning of the URL.  So that is why indeed it's a concern.  I have only observed this within IE; if I use for example Safari, I don't see this.

If you're seeing this, and I'm seeing it too, then it's a problem, and not FUD.

Also a concern is the password retrieval feature.  Anyone who can read your e-mail can access your account and there is no apparent way to control this.
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 08, 2011, 03:28:12 PM
Maybe you should contact mtgox before spreading FUD like this.
Yeah, you are right. Sorry for that. It just looks quite scary.
member
Activity: 82
Merit: 10
February 08, 2011, 07:56:49 AM
Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

These are security basics...
And you seem not to have a clue about them Smiley

Heh nice. However... it does at least LOOK bad, and that will always be enough to make someone sound the alarms once in a while. I would highly encourage cleaning that up, if only to look a little more... "professional", but also to avoid freaking people out.

legendary
Activity: 1372
Merit: 1008
1davout
February 08, 2011, 05:52:22 AM
Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

These are security basics...
And you seem not to have a clue about them Smiley
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 08, 2011, 03:28:05 AM
I hope so. I got it in my address bar while I pressed the Login button.
legendary
Activity: 1441
Merit: 1000
Live and enjoy experiments
February 08, 2011, 12:21:55 AM
Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!
but this GET does not work....
the javascript behind the login page is clearly using POST:
// Login script: read the two fields and send them to the server with an AJAX POST
var name = $("#username").val();
var pass = $('#password').val();
$.post("/code/login.php", { "name": name, "pass": pass }, onServer, "json");
where/how did you get your URL?
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
February 07, 2011, 07:08:19 PM
Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

OMG, this is serious.
These are security basics...
legendary
Activity: 1372
Merit: 1008
1davout
February 07, 2011, 04:34:01 PM
Yes it is.

However, this kind of URL is easily used in CSRF exploits.
hero member
Activity: 681
Merit: 500
February 07, 2011, 04:32:34 PM
Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

Is it really a problem, having the password in the URL when HTTPS is used? I thought that the browser checks the certificate and starts encrypting before the URL is transmitted.
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 07, 2011, 04:20:11 PM
Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!