Author

Topic: 'Password reset via email' option used to hack the account? (Read 478 times)

legendary
Activity: 2044
Merit: 1231
I rarely download and run executable files. Basically, only updates. I decided to see what I downloaded in the last 3 months. Of the downloads were only Core and VirtualBox. I decided to check with Virustotal.

A curious result for VirtualBox showed Baidu for the last 2 downloads: Win32.Trojan.WisdomEyes.16070401.950 ...

https://www.virustotal.com/#/file/bbd74e2d9717285863578ff728c16b411c88d1d0b63e3fd456cd09d2131635b3/detection

https://www.virustotal.com/#/file/da7bbcc9806a3f574f1faed5381c6e116b10a7bbb4779913d5446e49fe08fd7d/detection

Quote
Win32.Trojan.WisdomEyes
This Trojan is aimed at the Windows platform. This malicious code collects all the files in the user's Desktop folder, compresses them and sends them to the remote server. In addition, it takes screenshots, steals data from the clipboard and performs Keylogging. Malicious programs also try to contact via email to register an infection. To survive a system reboot, the malware creates a Run entry key and creates its own copy on the disk.

Is there anybody who uses these versions of VirtualBox? Smiley

I downloaded from the official website on March 3 and January 17. VirtualBox carefully displays windows with links to updates.

P. S. I trust Oracle more then Baidu.
full member
Activity: 532
Merit: 132
The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have confirmation email before the password can be changed?
I don't know why this step of confirming is just bypassed, which it's too important because once a hacker login into your account, you will be 100% hacked without any verification with the email. I hope that, theymos will consider this step as soon as possible.
legendary
Activity: 2044
Merit: 1231
Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stole as the password.  Sad

I doubt that the hacker hacked your email and computer a long time ago,I believe he did so only lately when he was able to change your password. The 2FA should be setup when you setup the email and not after the hacker has power over your computer. Anyway now you remind me that this thing should be set up in a Linux environment where hacking is more difficult than Windows.

Please read with a translator the article https://xakep.ru/2015/04/07/195-routers/ It is difficult for me to explain in English. I am not a native American.

legendary
Activity: 3318
Merit: 1247
Bitcoin Casino Est. 2013
Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stole as the password.  Sad

I doubt that the hacker hacked your email and computer a long time ago,I believe he did so only lately when he was able to change your password. The 2FA should be setup when you setup the email and not after the hacker has power over your computer. Anyway now you remind me that this thing should be set up in a Linux environment where hacking is more difficult than Windows.

legendary
Activity: 2044
Merit: 1231
Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.

If you set 2FA through a vulnerable router your secret also will be stolen as the password. Sad
jr. member
Activity: 109
Merit: 1
Complete transparency on your charitable donations
That's why Gmail recommend a high and some combo password for your email, and try to set your settings on the highest privacy and secured settings as possible like, if your email had been opened to a computer they need a code send to your mobile phone to ensure it's you, I do that especially I'm traveling and need to check my email on shops to open big file that can't be open on my phone.
legendary
Activity: 3318
Merit: 1247
Bitcoin Casino Est. 2013
Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.

The lesson to be learned here is to always enable 2FA if possible and if your email provider doesn't support 2FA to move on to Gmail. I am using Gmail with 2FA enabled from 2 years now and no hacker can hack anything, unless it is an inside job from the Google team which I don't think they do these things. Even if the hacker enters your computer through vulnerable router , he can have your password but cannot have your 2FA code if you do it by your mobile phone.
legendary
Activity: 2044
Merit: 1231
Here is the person who hacks passwords on the forum - Smartwm.
He does that through vulnerable routers by "man-in-the-middle attack". He does not hack computers ussually.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
~

The problem is in that security of my PC has been compramized.

I wouldn't have expected there to be someone with particular interest in Bitcoint talk accounts to produce a virus to steal them - means we all have to be even more cautious when browsing/downloading cyrpto related information now.
I'm guessing this is soemthing that wouldn't show up on any antimalware services (you could certainly try to uninstall the software and try to change it in your firewall settings or just reinstall your OS - which is probably recommended although I assume you already know and are running through these already).
legendary
Activity: 2044
Merit: 1231
...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

Who is your email provider, maybe one of their staff intercepted it?

Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can happen by the mail servers.

You're quite lucky your account was recoverable so quickly.

The problem is in that security of my PC has been compramized.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.

Who is your email provider, maybe one of their staff intercepted it?

Also, just because an IP isn't in an email security log doesn't always mean it wasn't accessed by it. Mistakes can happen by the mail servers.

You're quite lucky your account was recoverable so quickly.
legendary
Activity: 2044
Merit: 1231
...Most likely the email was intercepted at his end somehow.

Yes, it was. I am solving the problem.
full member
Activity: 230
Merit: 100
19/11/2018 - Capitulation !!!!
The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.

Why don't we have confirmation email before the password can be changed?
administrator
Activity: 5222
Merit: 13032
The code is 10 random characters from an alphabet of 62 characters; you're never brute-forcing that over a network. You'd bring down the forum before you got to even 10000 attempts per second. Most likely the email was intercepted at his end somehow.
hero member
Activity: 504
Merit: 732
Maybe he had an easy password

According to logs (the screenshot link is above) password was reseted via email. Also it would be odd to request the password reset (thus notifying the user), then spend 30 minutes twiddling one's thumbs and finally change password, obtained somewhere at the beginning. I'd doubt mental faculties of such a hacker.:)
full member
Activity: 504
Merit: 185
Maybe he had an easy password
hero member
Activity: 2422
Merit: 668
Community management 24/7 for hire
Older forums are very easy victims of sql injection or URL hacking.
Maybe how. See if you can find a bug. They pay big rewards I have seen.
hero member
Activity: 504
Merit: 732
I wonder if someone from staff can clarify this.

The situation

Recently one of our Legendarys was hacked. He created a thread describing what happened (I adduce the translation from Russian below):

Got 2 messages:

  • the link to reset my allegedly 'forgotten' password:
    Quote
    Dear Vadi2323,

    This mail was sent because the 'forgot password' function has been applied to your account. To set a new password click the following link:



    IP: 173.224.120.147

    Username: Vadi2323

    Regards,
    The Bitcoin Forum Team.
  • after that - the letter about password change turned up:
    Quote
    Dear Vadi2323,

    Your Bitcoin Forum (bitcointalk.org) password was just changed by IP address 173.224.120.147 via email recovery. If you did not do this, then you should use the forgotten password feature to change your password.

    Regards,
    The Bitcoin Forum Team.

I tried to log in - and password indeed didn't match. Then I changed it myself via forgot password option.

Also I checked the e-mail visit log, but it revealed my IPs only, no 173.224.120.147.

E-mail didn't seem to send messages to any other addresses too.

WTF? Huh Angry


In other words, someone somehow changed his password bypassing the e-mail (since it doesn't look like the e-mail was compromised).
The chronology:

https://ip.bitcointalk.org/?u=https%3A%2F%2Fs8.hostingkartinok.com%2Fuploads%2Fimages%2F2018%2F03%2F622f841b86de505e1fc0c20e7a84eee6.png&t=586&c=3gzXpgExQJ7frA

Moscow time:

20:21 - hacker requested the password reset via e-mail
20:50 - hacker changed the password (as if he was using the e-mail link)
20:55 - I requested the password reset via e-mail
20:56 - I changed the password (definitely using the e-mail link)

Our suppositions

Reset links sent by e-mails are typal. Usually we receive a message including link like that:

https://bitcointalk.org/index.php?action=reminder;sa=setpassword;u=userIDhere;code=someCodeHere

Presumably anyone can set the userIDhere to the ID of target account and get to the targetaccount's 'change password here' page.
The snag is in the last part of the link - the code. I assume that it's supposed to be unique and should be formed by engine for every request. And you can't change the password if the code is wrong.

So for now the only reasonable explanation we have is that someone just brute forced that code. Using some kind of automated tool, for example.

Accordingly the question is: can this be true? Or perhaps some other possibility to change password on the reset-email-stage without e-mail access exists?
Jump to: