Pages:
Author

Topic: Reports of MtGox being hacked ARE REAL (Fixed) (Read 41607 times)

newbie
Activity: 28
Merit: 0
I have been following a few threads on the MtGox incident and I must say I am appaled by what I read!

The facts are:
1. someone patched together an exchange reusing insecure code that was developed for a completely diferent purpose.
2. someone else bought it later and made some improvements (nothing really significant though).
3. being one of the first, and for the lack of a better exchange, MtGox became big
4. MtGox started to generate profits of about $50,000/day or $70,000 on a really good day.
5. MtGox got hacked, the market has crashed, some people lost money and bitcoins, most people lost value (BTC going down etc.)
6. It is obvious that this could have been prevented given the significant profits made by MtGox. it was not.

What people say:
1. it's OK, this is the wild west and we're still building a country here.
2. he's one man, what would you expect?
3. well, as bad as it is, MtGox is trying really hard to fix it
4. etc.

Guys, why don't you try to pull something like this in the real world, on your own customers?
What do you think would happen?

IMHO, this kind of money should not be left in the hands of some kid who thinks he knows about computers.
Simply because there's always another computer-savvy  kid around the corner...
member
Activity: 70
Merit: 10
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)
From IRC several hours ago
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.

They could had just used MySQL injection instead (the 2nd bug as people say in forums) - the database of all users+passwords(weak hash) is leaked.
hero member
Activity: 770
Merit: 500
I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, i'm done using MtGox...

On logical grounds, this cannot be true because a XSRF vulnerability can only be found and confirmed by exploiting it, and several people already confirmed they have tried the exploit before and after it was fixed. The statement that the vuln was never exploited is therefore false.

In addition, I seriously doubt that a developer that was careless enough to trust a session token without checking the referal url could think of logging it. And if MtGox did not log the referal url of the http requests of each transaction, they cannot possibly claim that they know the flaw was not exploited.

If you have been stolen money from your MtGox account prior to the fix of this exploit, the least you are in right of demanding is the full log showing your transactions as well as the one where your funds were stollen. If the log does not contain any referal urls, or they are not from mtgox domain, or the ips used were only yours, then there really is something fishy.

Surely, the logs can be rewritten to make it  seem like the transaction was requested from another IP. Just to make sure it is not the case, some people who have NOT been hacked but have done multiple transactions from the same IP should claim that their account got hacked and ask the   logs just to ascertain that there is only their IP there and there is no log rewritting going on.

Another VERY important thing if you got stollen from your MtGox account but they refuse to be liable for it: MAKE A COPY OF YOUR BROWSER CACHE now and have it checked by a web developer you trust. If you were victim of XSRF the code of the forged request is likely still in your browser's cache where it can be found with a simple grep for the mtgox domain name.

sr. member
Activity: 294
Merit: 250
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with possibility to disable JS in browser, which users might want to do.

Even as makomk JS was not necessity for THIS attack (just making it a bit easier by autosubmiting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages - require it).





Javascript is a legitimate technology that is pretty much a basic cornerstone of the web as it is now. You can't just take that away. A way better option would probably be if browsers by default protect against CSRF attacks, like they do with XSS now.
hero member
Activity: 767
Merit: 500
might be worth adding a captcha to any form of transaction via the web on mtgox?

Will
member
Activity: 70
Merit: 10
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with possibility to disable JS in browser, which users might want to do.

Even as makomk JS was not necessity for THIS attack (just making it a bit easier by autosubmiting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages - require it).




legendary
Activity: 1937
Merit: 1001
I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, i'm done using MtGox...
member
Activity: 116
Merit: 10
I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  Thats what you do as an honest business

+1

A good friend of mine lost about 20 btc.
full member
Activity: 196
Merit: 101
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?

My favorite part is that they blame the websites.
sr. member
Activity: 280
Merit: 252
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?
legendary
Activity: 1937
Merit: 1001
Damn it...! I knew it wasn't any of my systems that got compromised..!
sr. member
Activity: 364
Merit: 250

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vurnabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.



myopenid works with RSA tokens
full member
Activity: 210
Merit: 100

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vurnabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a onetime fee for it.
sr. member
Activity: 373
Merit: 250
I'll admit, as soon as multiple people started claiming they were being hacked, I bought up as many bitcoins as I could with my remaining MtGoxUSD and got the coins out of there ASAP.  It will be a long time before I trust the website enough to use it regularly again.

This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.
Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.
full member
Activity: 238
Merit: 100
I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  Thats what you do as an honest business
legendary
Activity: 1036
Merit: 1002
So, just to get this right:

We found a massive security hole. Multiple people claim to have money stolen. MtGox writes a line on IRC stating the hole was not exploited, and we remain with multiple users who claim to not have been paid the money owed by MtGox?

I'd like this examined in detail. If my money ever disappears in such a fashion, I will be on the next plane to Japan to figure out in person what the fuck happened.

Just saying, this isn't a SONY-class incident leaking personal data, we have money vanishing according to some people, and just found a potential cause of it.
hero member
Activity: 686
Merit: 564
so as I understand it you're only vulnerable if you're compromised by another site already?  Why dont you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people woul infer from this)

Nope, you were vulnerable just by visiting a malicious site whilst logged into Mt Gox - or even just an otherwise-trustworthy site with a malicious ad on it, in theory. The problem was with Mt Gox. They failed to verify that form data sumitted from your browser telling the site to do stuff was actually submitted by you rather than from some random evil webpage you've visited. This is a well known type of security issue and the methods of preventing it are also well-known.

So an JS based exploit?

Javascript makes CSRF slightly easier to exploit but not much. If you had Javascript disabled the malicious website would have to trick you into clicking a button on the page in order to hack you, but the button could be named and styled and presented however they wanted. (Also, as joepie91 says, it doesn't matter whether Mt Gox itself used Javascript or not.)
sr. member
Activity: 294
Merit: 250
THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password

So an JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be adviced to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.



JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.
sr. member
Activity: 337
Merit: 285
So an JS based exploit?

Nope, the bug was not related to JavaScript.
member
Activity: 70
Merit: 10
THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users account.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

phantomcircuit: you should add that users check their email adresses in their mtgox profile. if they are incorrect they have to change their address + password

So an JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be adviced to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.

Pages:
Jump to: