'Password reset via email' option used to hack the account?

Vadi2323

legendary

Activity: 2044

Merit: 1231

I rarely download and run executable files. Basically, only updates. I decided to see what I downloaded in the last 3 months. Of the downloads were only Core and VirtualBox. I decided to check with Virustotal.

A curious result for VirtualBox showed Baidu for the last 2 downloads: Win32.Trojan.WisdomEyes.16070401.950 ...

https://www.virustotal.com/#/file/bbd74e2d9717285863578ff728c16b411c88d1d0b63e3fd456cd09d2131635b3/detection

https://www.virustotal.com/#/file/da7bbcc9806a3f574f1faed5381c6e116b10a7bbb4779913d5446e49fe08fd7d/detection

Quote

Win32.Trojan.WisdomEyes
This Trojan is aimed at the Windows platform. This malicious code collects all the files in the user's Desktop folder, compresses them and sends them to the remote server. In addition, it takes screenshots, steals data from the clipboard and performs Keylogging. Malicious programs also try to contact via email to register an infection. To survive a system reboot, the malware creates a Run entry key and creates its own copy on the disk.

Is there anybody who uses these versions of VirtualBox?

I downloaded from the official website on March 3 and January 17. VirtualBox carefully displays windows with links to updates.

P. S. I trust Oracle more then Baidu.

seven2smoke1

full member

Activity: 532

Merit: 132

Quote from: F8N00 on March 10, 2018, 11:39:12 AM

Quote from: theymos on March 09, 2018, 07:11:46 AM

The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have confirmation email before the password can be changed?

I don't know why this step of confirming is just bypassed, which it's too important because once a hacker login into your account, you will be 100% hacked without any verification with the email. I hope that, theymos will consider this step as soon as possible.

Vadi2323

legendary

Activity: 2044

Merit: 1231

Quote from: swogerino on March 12, 2018, 03:23:15 PM

Quote from: Vadi2323 on March 12, 2018, 03:17:28 PM

Quote from: swogerino on March 12, 2018, 03:11:25 PM

Quote from: Vadi2323 on March 12, 2018, 02:53:53 PM

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stole as the password. Sad

I doubt that the hacker hacked your email and computer a long time ago,I believe he did so only lately when he was able to change your password. The 2FA should be setup when you setup the email and not after the hacker has power over your computer. Anyway now you remind me that this thing should be set up in a Linux environment where hacking is more difficult than Windows.

Please read with a translator the article https://xakep.ru/2015/04/07/195-routers/ It is difficult for me to explain in English. I am not a native American.

swogerino

legendary

Activity: 3318

Merit: 1247

Bitcoin Casino Est. 2013

Quote from: Vadi2323 on March 12, 2018, 03:17:28 PM

Quote from: swogerino on March 12, 2018, 03:11:25 PM

Quote from: Vadi2323 on March 12, 2018, 02:53:53 PM

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stole as the password. Sad

I doubt that the hacker hacked your email and computer a long time ago,I believe he did so only lately when he was able to change your password. The 2FA should be setup when you setup the email and not after the hacker has power over your computer. Anyway now you remind me that this thing should be set up in a Linux environment where hacking is more difficult than Windows.

Vadi2323

legendary

Activity: 2044

Merit: 1231

Quote from: swogerino on March 12, 2018, 03:11:25 PM

Quote from: Vadi2323 on March 12, 2018, 02:53:53 PM

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stolen as the password. Sad

Ms Emi

jr. member

Activity: 109

Merit: 1

Complete transparency on your charitable donations

That's why Gmail recommend a high and some combo password for your email, and try to set your settings on the highest privacy and secured settings as possible like, if your email had been opened to a computer they need a code send to your mobile phone to ensure it's you, I do that especially I'm traveling and need to check my email on shops to open big file that can't be open on my phone.

swogerino

legendary

Activity: 3318

Merit: 1247

Bitcoin Casino Est. 2013

Quote from: Vadi2323 on March 12, 2018, 02:53:53 PM

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

Vadi2323

legendary

Activity: 2044

Merit: 1231

Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Quote from: Vadi2323 on March 10, 2018, 01:12:20 PM

~

The problem is in that security of my PC has been compramized.

I wouldn't have expected there to be someone with particular interest in Bitcoint talk accounts to produce a virus to steal them - means we all have to be even more cautious when browsing/downloading cyrpto related information now.
I'm guessing this is soemthing that wouldn't show up on any antimalware services (you could certainly try to uninstall the software and try to change it in your firewall settings or just reinstall your OS - which is probably recommended although I assume you already know and are running through these already).

Vadi2323

legendary

Activity: 2044

Merit: 1231

Quote from: jackg on March 10, 2018, 12:42:13 PM

Quote from: Vadi2323 on March 10, 2018, 12:23:45 PM

Quote from: theymos on March 09, 2018, 07:11:46 AM

...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

Who is your email provider, maybe one of their staff intercepted it?

Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can happen by the mail servers.

You're quite lucky your account was recoverable so quickly.

The problem is in that security of my PC has been compramized.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Quote from: Vadi2323 on March 10, 2018, 12:23:45 PM

Quote from: theymos on March 09, 2018, 07:11:46 AM

...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

Who is your email provider, maybe one of their staff intercepted it?

Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can happen by the mail servers.

You're quite lucky your account was recoverable so quickly.

Vadi2323

legendary

Activity: 2044

Merit: 1231

Quote from: theymos on March 09, 2018, 07:11:46 AM

...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

F8N00

full member

Activity: 230

Merit: 100

19/11/2018 - Capitulation !!!!

Quote from: theymos on March 09, 2018, 07:11:46 AM

The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have confirmation email before the password can be changed?

theymos

administrator

Activity: 5222

Merit: 13032

The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

esmanthra

hero member

Activity: 504

Merit: 732

Quote from: killyou73 on March 09, 2018, 05:35:04 AM

Maybe he had an easy password

According to logs (the screenshot link is above) password was reseted via email. Also it would be odd to request the password reset (thus notifying the user), then spend 30 minutes twiddling one's thumbs and finally change password, obtained somewhere at the beginning. I'd doubt mental faculties of such a hacker.:)

killyou73

full member

Activity: 504

Merit: 185

Maybe he had an easy password

JanEmil

hero member

Activity: 2422

Merit: 668

Community management 24/7 for hire

Older forums are very easy victims of sql injection or URL hacking.
Maybe how. See if you can find a bug. They pay big rewards I have seen.

esmanthra

hero member

Activity: 504

Merit: 732

I wonder if someone from staff can clarify this.

The situation

Recently one of our Legendarys was hacked. He created a thread describing what happened (I adduce the translation from Russian below):

Quote from: Vadi2323 on March 06, 2018, 02:33:26 PM

Got 2 messages:

the link to reset my allegedly 'forgotten' password:
Quote
Dear Vadi2323,

This mail was sent because the 'forgot password' function has been applied to your account. To set a new password click the following link:

IP: 173.224.120.147

Username: Vadi2323

Regards,
The Bitcoin Forum Team.
after that - the letter about password change turned up:
Quote
Dear Vadi2323,

Your Bitcoin Forum (bitcointalk.org) password was just changed by IP address 173.224.120.147 via email recovery. If you did not do this, then you should use the forgotten password feature to change your password.

Regards,
The Bitcoin Forum Team.

I tried to log in - and password indeed didn't match. Then I changed it myself via forgot password option.

Also I checked the e-mail visit log, but it revealed my IPs only, no 173.224.120.147.

E-mail didn't seem to send messages to any other addresses too.

WTF?

In other words, someone somehow changed his password bypassing the e-mail (since it doesn't look like the e-mail was compromised).
The chronology:

https://ip.bitcointalk.org/?u=https%3A%2F%2Fs8.hostingkartinok.com%2Fuploads%2Fimages%2F2018%2F03%2F622f841b86de505e1fc0c20e7a84eee6.png&t=586&c=3gzXpgExQJ7frA

Quote from: Vadi2323 on March 07, 2018, 08:45:00 AM

Moscow time:

20:21 - hacker requested the password reset via e-mail
20:50 - hacker changed the password (as if he was using the e-mail link)
20:55 - I requested the password reset via e-mail
20:56 - I changed the password (definitely using the e-mail link)

Our suppositions

Reset links sent by e-mails are typal. Usually we receive a message including link like that:

https://bitcointalk.org/index.php?action=reminder;sa=setpassword;u=userIDhere;code=someCodeHere

Presumably anyone can set the userIDhere to the ID of target account and get to the targetaccount's 'change password here' page.
The snag is in the last part of the link - the code. I assume that it's supposed to be unique and should be formed by engine for every request. And you can't change the password if the code is wrong.

So for now the only reasonable explanation we have is that someone just brute forced that code. Using some kind of automated tool, for example.

Accordingly the question is: can this be true? Or perhaps some other possibility to change password on the reset-email-stage without e-mail access exists?

Topic: 'Password reset via email' option used to hack the account? (Read 472 times)