Topic: MyMonero.com - Security Issues (Read 8226 times)

Hi,

i have the same Problem.

I created the Wallet and transferred Monero on December 13th to MyMonero Wallet and in the same night, just 5 hours later at approximetely 2:30 in the morning all my Monero got transferred out of it.

Is there anything I can do? I already notified the Support (they probably dont even comment on it). Could you do anything about it?

I dont think that someone got my Private Keys. If so, another Wallet would be empty too.

Atleast i learned alot from it...

I Lost My Coin in this wallet mymonero.com there is a transaction log that i never done ,
 i already cek my komputer but there is no security issue ,
i read my transaction , i found something wierd that the transaction is pass without payment ID.... ( its like a bank check without ID Payment who come ?? )
, i try to email the support team , now i'm waiting for their answer.... , Hope there are not a SCAM , cause i found this on google :

https://www.cryptocompare.com/wallets/mymonero-wallet/

Anybody has the same problem

beware  there are exactly the same sites as mymonero.com  .even the name :  that was the first google search option for me twice . 
https://www.4shared.com/img/MFUgJfe9ca/s25/15f5465da10/fake

is this wallet safe anymore?

'Funds in mymonero.com may be stuck after 10/1/2017: "you may struggle to retrieve funds after this date '
https://www.cryptocompare.com/wallets/mymonero-wallet/

Its a shame there is only one light wallet for XMR . credited coins have thousands of safe wallets. Many are not capable of running a full wallet node.

Still inactive.Very interesting...I guess something is wrong.

https://www.reddit.com/r/Monero/comments/5n3b9b/psa_mymonero_is_offline_for_updates_during_the/

The site is closed.Any info?

Ah, ok. Thanks.

The new BitLicences ask for a pen test

"Penetration testing. Each Licensee shall conduct penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly. "

p33

http://www.dfs.ny.gov/legal/regulations/adoptions/dfsp200t.pdf


Apart from the bleeding obvious that this is not a licensed service and or is not based in NY, a pen test might be deemed a reasonable obligation if this is securing customer funds?

i did not expect that the discussion in this thread would be valuable and constructive, but i was wrong.
if you troll like this your are welcome. Critism is wanted by most if not all of us, but it must have hand and feet. sometimes i feel BlockaFett just trolls to keep people busy, but this thread gives some good insight. still its a waste of time

maybe its time for all of us to evolve a little? (maybe we allready did). i never really took place in all this coinwars but i guess it took everyone a lot of energy.

edit: so much energy wasted..

+1 Davey.

Apologies if I sounded frustrated Celestio.

actually i have to say this first time im on Blocka´s side.

1. This thread is not about Dash so use on of the many threads or create one yourself
2. I actually think we have a nice discussion and the way fluffy responds also helps everyone concerning about Monero
3. Every piece of information is good for new people getting into Monero who actually want to research a coin.

You seem to have missed the previous page celestio...MyMonero is sending your spend key and seed to the server in a cookie for a lot of users and all the evidence is there....let's not start this ridiculous sherade and start to p*** me off with blatant lies like above ("no factual information") when I just went to the trouble of doing your security testing for you backed by full evidence, and even Fluffy admits the problem and provided a plausible explanation and we dealt with it like adults and no need to start dragging this up.  If I really wanted to cause a stink about this obviously with a fact like this I could, but the fact i'm not should show you I am not just trying to 'troll Monero'...please take a deep breath maybe this BS style of FUD'ing BCT should stop.

BlockaFett admitted himself that this thread is a "troll" thread/entirely worthless. It has no factual information and is only biased speculation as BlockaFett is a DASH supporter. Of course we could do the opposite and talk about DASH's 2million coin fraudulent instamine...which is factual.

WebWallet like blockchain.info

Just pulling up a seat before catching up with events tomorrow.

Hold on, this is a third party service we're talking about?

Ok so my points would be:

API - I understand it's on a different sub domain so it doesn't get the cookie with the send key, same with google analytics.. It is going to mymonero.com though so not sure how much difference that makes (from pure exploit point of view). I think it's plausible that a dev might not have spotted this though like you say.

Cache - again, plausible that this is the cause as you say

Shredding - no I meant on the client side - for the MyMonero users who's cookie with send-key / seed being sent to the server, locally that cookie was on their HD during the session, so if someone else accesses the HD they could potentially recover everything to hijack that wallet from clear-text....so they should probably be alerted and move their funds to a new address (and because the cookies could have been intercepted in transit etc anyway)

Private key propagation - yes they weren't going to the API but they were going to mymonero.com in every request (for the ?2 users) so it would be trivial (from an exploit point of view) to insert code server side to read this and retain it and use it later and serve that ostensibly through a flat html file (using an http module or extension mask or whatever you want).  Not saying you *are* doing that, but it is *possible* with this setup, which is the reason I raised it.

Confidentiality on your stats / demographics - sure, not for me to say, just asking.  

Replacing Monero Core as the first option - Yes as an observer that would seem to be the obvious way to go but again not for me to say.

Not storing large quantities on MyMonero - Sure, after Mintpal IMO I would say this about any centralized store of coin info...if you got hacked and the private keys are moving from the client to the server then through various scenarios it could be a similar outcome, just me but as a user I would want to be told that from the outset on the choose page but again not for me to say

Monero design goals - I am not an expert, the above situation seems like a contradiction to what I heard from some of your 'evangelists' but as I never bought Monero I don't think I qualify to try to say what is should be for.. I hold Dash as you know and if we were talking about a Dash web wallet plus these issues here i would be saying exactly the same thing, anyway..

Yes looks like some cache issue probably triggered by the different URL rewrite patterns e.g. when i type in mymonero.com it redirects to this (using ?2 *with* the cookie code)

https://mymonero.com/#/

But if I type mymonero.com/index.html it rewrites to this: (using ?2 *without* the cookie code)

https://mymonero.com/index.html#/

so probably based on location, you get the different versions, based on the cache you are hitting, I would guess...

Fireforx 38.0.5 , URL = mymonero.com as you ask. And im from Germany and as fluffy brought up of maybe Cloudflare being the reason... usually i get routed to the Cloudfare Frankfurt servers afaik when some sites using Cloudfare were down.

Ok so just to clarify: with AngularJS you basically just get index.html + a bunch of JS files, and then it gets "partials" (kinda like views in an MVC pattern) as it needs. BUT that's just static files. The stuff that is polled regularly / any actual interaction with MyMonero is done through the API. Now the MyMonero API is on a different domain (api.mymonero.com), so cookies are never sent to it (the cookie was explicitly for "mymonero.com", not ".mymonero.com" which would have included subdomains). So the risk we identified with it (ie. why we dropped that functionality) was because it would be included in static object requests, which is something that the developer who added that functionality in the very initial version never considered.


I understand that - what I meant is that ?2 should never be served by index.html:)


That code hasn't existed on the server (except as a git blob) for ages, so there's nothing to delete on that side. When you add ?2 to the file you're being served a cached file somewhere along the line, which is why I went and cleared a bunch of things server-side that could be caching it. I suspect the reason that actual file can still be accessed is because CloudFlare has longer lived caching on some of their endpoints. But beyond that nobody should ever be served ?2, so the caching of the actual JS should be/have been largely irrelevant.

Re: shredding, we don't log static object requests, as that just clutters the log, and we've never logged cookies (even when we do receive them). Since all the heavy lifting is done client-side, and then on the server side by the API, the static objects are just cached aggressively and served as quickly as possible. Logging would interfere with that. We also don't log much of anything else, because I don't want to have an environment where I've got metadata that can be requested by LEA.


Nowhere near a year:) It's been up since the end of last year (so about 5 months), and as mentioned above private keys weren't going to the API, and static requests weren't logged.


Yes absolutely to the MITM risk that existed with that code snippet, or to the risk that I'm outright lying and we've logged everything. But, at the same time, the risk profile doesn't change: if I really wanted to I could serve up some obfuscated JS buried deep in the code (not obvious and outright like you've seen) that surreptitiously sends me private keys. That's the risk you take with any webwallet, Bitcoin or otherwise, and that is why it doesn't matter how much is done client-side, you still have to trust the operator 100%. I don't think (or hope) that anyone that uses MyMonero is under any illusions there. They have to trust me, it's the nature of using a web wallet.


It's a commercial project that cost a lot of money to develop and build out by a small team of accomplished developers. This isn't something I hacked up on a weekend, and I'm also not the only owner (Risto Pietilä owns half of it). There's no secrecy with the backend, it's just a commercial project that isn't going to be made open-source just yet. We do have long-term plans to provide a user-hostable version, but right now it's just too complex and "delicate" to release.

No you can't have an indication as to the userbase for two reasons. Firstly, it's a commercial project, and the Google Analytics stats are not public. Secondly, even if I provided stats on the number of viewkeys it's all rather meaningless, as it's really easy to create multiple accounts.


No, it'll be replaced by Monero Core as the first option when that is completed. MyMonero fills a usability gap that couldn't be filled with Monero Core fast enough, and there was (and is) a need for those that are interested in tinkering around with Monero to have something that they could use.

I would never, ever recommend anyone store large quantities of value in Monero itself (which is somewhat trivially attacked by a motivated attacker with enough mining power) and definitely not in MyMonero. But overall I think you misunderstand what Monero is trying to achieve. It's not designed to be some super-secret currency that is so private that nobody even knows it exists. It's not designed to fill some specific use-case like "buying dildos on the dark web". It is designed to be truly fungible, sure, but that is only one aspect of its design.

Things like our eternal emission (to retain mining incentives), or the move to a 6-month rolling hard fork window, are there to make Monero useful. Things like OpenAlias, and the slowly-increasing easy-to-understand content on GetMonero.org, are there to make Monero usable. Transactional privacy is a core feature, but even that is not yet complete (eg. we still have to implement the changes posited in MRL-0004). We ultimately want Monero to be easy to use by everyone, whether they're very familiar with cryptocurrencies or not.

what's your browser and exact URL?

Here's some cache results (so independent of client / location)

Google:



Bing:



Yahoo:



So ^ these are what the search engines index on their side, and they all use the account.js?2 the code that sends the private key / seed up to the server in the cookie...

The only one with account.js?1 is wayback....



.....Which doesn't send the private key

Maybe a URL rewriting issue?  But how come the cookie code is anywhere on the server should delete it really?