
Topic: Reports of MtGox being hacked ARE REAL (Fixed) (Read 41513 times)

newbie
Activity: 28
Merit: 0
I have been following a few threads on the MtGox incident and I must say I am appalled by what I read!

The facts are:
1. someone patched together an exchange reusing insecure code that was developed for a completely different purpose.
2. someone else bought it later and made some improvements (nothing really significant though).
3. being one of the first, and for the lack of a better exchange, MtGox became big
4. MtGox started to generate profits of about $50,000/day or $70,000 on a really good day.
5. MtGox got hacked, the market has crashed, some people lost money and bitcoins, most people lost value (BTC going down etc.)
6. It is obvious that this could have been prevented given the significant profits made by MtGox. It was not.

What people say:
1. it's OK, this is the wild west and we're still building a country here.
2. he's one man, what would you expect?
3. well, as bad as it is, MtGox is trying really hard to fix it
4. etc.

Guys, why don't you try to pull something like this in the real world, on your own customers?
What do you think would happen?

IMHO, this kind of money should not be left in the hands of some kid who thinks he knows about computers.
Simply because there's always another computer-savvy kid around the corner...
member
Activity: 70
Merit: 10
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but I haven't gotten any reply)
From IRC several hours ago
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.

They could have just used MySQL injection instead (the 2nd bug as people say in forums) - the database of all users+passwords(weak hash) is leaked.
hero member
Activity: 770
Merit: 500
I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, I'm done using MtGox...

On logical grounds, this cannot be true because an XSRF vulnerability can only be found and confirmed by exploiting it, and several people already confirmed they have tried the exploit before and after it was fixed. The statement that the vuln was never exploited is therefore false.

In addition, I seriously doubt that a developer that was careless enough to trust a session token without checking the referral URL could think of logging it. And if MtGox did not log the referral URL of the HTTP requests of each transaction, they cannot possibly claim that they know the flaw was not exploited.

If you have had money stolen from your MtGox account prior to the fix of this exploit, the least you have the right to demand is the full log showing your transactions as well as the one where your funds were stolen. If the log does not contain any referral URLs, or they are not from the mtgox domain, or the IPs used were only yours, then there really is something fishy.

Surely, the logs can be rewritten to make it seem like the transaction was requested from another IP. Just to make sure it is not the case, some people who have NOT been hacked but have done multiple transactions from the same IP should claim that their account got hacked and ask for the logs just to ascertain that there is only their IP there and there is no log rewriting going on.

Another VERY important thing if money was stolen from your MtGox account but they refuse to be liable for it: MAKE A COPY OF YOUR BROWSER CACHE now and have it checked by a web developer you trust. If you were a victim of XSRF the code of the forged request is likely still in your browser's cache where it can be found with a simple grep for the mtgox domain name.
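
The log review the post above asks for, as an added example that is not part of the thread and not MtGox's code: it scans a web access log in the "combined" format for state-changing POSTs whose Referer is missing or belongs to another site. The host name, paths and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "exchange.example"            # assumed site host (hypothetical)
SENSITIVE = ("/withdraw", "/settings")    # assumed state-changing paths

# Apache/nginx "combined" format, which records the Referer header.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines, not real logs. A forged request is sent by the
# victim's own browser, so it shows the same client IP as the genuine ones.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:08:12:01 +0000] "POST /withdraw HTTP/1.1" 200 512 "https://exchange.example/account" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:08:14:40 +0000] "POST /settings HTTP/1.1" 200 230 "http://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:08:15:02 +0000] "POST /withdraw HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:08:16:10 +0000] "GET /ticker HTTP/1.1" 200 90 "http://forum.example.net/" "Mozilla/5.0"
"""


def classify(line: str):
    """Return (ip, time, path, verdict) for a state-changing POST, else None."""
    m = LINE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith(SENSITIVE):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"   # inconclusive: browsers and proxies may strip it
    elif urlsplit(referer).hostname == SITE_HOST:
        verdict = "same-site"
    else:
        verdict = "cross-site"   # the form was submitted from another site's page
    return m["ip"], m["ts"], m["path"], verdict


def audit(log_text: str):
    """Keep only the requests that did not come from the site's own pages."""
    rows = (classify(line) for line in log_text.splitlines())
    return [row for row in rows if row and row[3] != "same-site"]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row)
```

Such a review is only possible if the server recorded the Referer at the time; a log format without that field cannot separate the three cases.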

sr. member
Activity: 294
Merit: 250
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with possibility to disable JS in browser, which users might want to do.

Even as makomk JS was not a necessity for THIS attack (just making it a bit easier by autosubmitting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages - require it).





Javascript is a legitimate technology that is pretty much a basic cornerstone of the web as it is now. You can't just take that away. A way better option would probably be if browsers by default protect against CSRF attacks, like they do with XSS now.
hero member
Activity: 767
Merit: 500
might be worth adding a captcha to any form of transaction via the web on mtgox?

Will
member
Activity: 70
Merit: 10
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with possibility to disable JS in browser, which users might want to do.

Even as makomk JS was not a necessity for THIS attack (just making it a bit easier by autosubmitting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages - require it).




legendary
Activity: 1937
Merit: 1001
I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:

Quote
Hi,

We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team

Judge for yourself, I'm done using MtGox...
member
Activity: 116
Merit: 10
I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  That's what you do as an honest business

+1

A good friend of mine lost about 20 btc.
full member
Activity: 196
Merit: 101
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?

My favorite part is that they blame the websites.
sr. member
Activity: 280
Merit: 252
That would make sense, my account was hacked and the only places I used my password was mtgox, tradehill, and deepbit.

You entrust a BRAND NEW SITE (tradehill) with your regular password you use for "everything" related to bitcoins??

What's wrong with you?
legendary
Activity: 1937
Merit: 1001
Damn it...! I knew it wasn't any of my systems that got compromised..!
sr. member
Activity: 364
Merit: 250

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vulnerabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a one-time fee for it.



myopenid works with RSA tokens
full member
Activity: 210
Merit: 100

Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.

I'd prefer hardware two-factor auth. tbh. (anything on the internet has vulnerabilities) Something like Vasco Go3 http://www.vasco.com/products/digipass/digipass_go_range/digipass_go3.aspx And would be more than willing to fund a one-time fee for it.
sr. member
Activity: 373
Merit: 250
I'll admit, as soon as multiple people started claiming they were being hacked, I bought up as many bitcoins as I could with my remaining MtGoxUSD and got the coins out of there ASAP.  It will be a long time before I trust the website enough to use it regularly again.

This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.
Right now I'm using Bitcoin2Cash, which offers two-factor authentication if you use Google's OpenID somehow.  Here's the relevant post about it.
full member
Activity: 238
Merit: 100
I'm also disgusted by the fact that many of us are missing money, the exploit was found, yet a single person announces on IRC that according to his logs, the exploit never happened.  I for one will never use MtGox again, and would suggest the same for others. There are other markets out there now..

I remember when Deepbit was hacked some time ago and some people lost bitcoins.  They fixed the problem by requiring email validation of receiving address change, owned up to the mistake and paid money back.  That's what you do as an honest business
legendary
Activity: 1036
Merit: 1002
So, just to get this right:

We found a massive security hole. Multiple people claim to have money stolen. MtGox writes a line on IRC stating the hole was not exploited, and we remain with multiple users who claim to not have been paid the money owed by MtGox?

I'd like this examined in detail. If my money ever disappears in such a fashion, I will be on the next plane to Japan to figure out in person what the fuck happened.

Just saying, this isn't a SONY-class incident leaking personal data, we have money vanishing according to some people, and just found a potential cause of it.
hero member
Activity: 686
Merit: 564
so as I understand it you're only vulnerable if you're compromised by another site already?  Why don't you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people would infer from this)

Nope, you were vulnerable just by visiting a malicious site whilst logged into Mt Gox - or even just an otherwise-trustworthy site with a malicious ad on it, in theory. The problem was with Mt Gox. They failed to verify that form data submitted from your browser telling the site to do stuff was actually submitted by you rather than from some random evil webpage you've visited. This is a well known type of security issue and the methods of preventing it are also well-known.

So a JS based exploit?

Javascript makes CSRF slightly easier to exploit but not much. If you had Javascript disabled the malicious website would have to trick you into clicking a button on the page in order to hack you, but the button could be named and styled and presented however they wanted. (Also, as joepie91 says, it doesn't matter whether Mt Gox itself used Javascript or not.)
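
An added example, not part of the thread and not Mt Gox's code, of the verification the post above describes as missing: the server accepts a state-changing form only if it carries a token bound to the session and comes from the site's own origin. The origin, the `csrf_token` field name and the session id are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)         # per-deployment secret, generated here
TRUSTED_ORIGIN = "https://exchange.example"  # assumed site origin (hypothetical)


def issue_csrf_token(session_id: str) -> str:
    """Token the site embeds in every form it renders for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names our own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict policy assumed here: no source header, no state change
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def is_authentic_post(session_id: str, headers: dict, form: dict) -> bool:
    """The session cookie alone is not proof of intent; the form token is."""
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    return same_origin(headers) and hmac.compare_digest(supplied, expected)


# Constructed requests. The browser attaches the session cookie to both,
# so both arrive with the same valid session id.
SESSION = "constructed-session-id"
GENUINE = ({"Origin": TRUSTED_ORIGIN},
           {"amount": "1", "csrf_token": issue_csrf_token(SESSION)})
FORGED = ({"Origin": "https://ads.example.net"},  # submitted by a third-party page
          {"amount": "20"})                        # cannot read or guess the token

if __name__ == "__main__":
    print("genuine accepted:", is_authentic_post(SESSION, *GENUINE))
    print("forged accepted: ", is_authentic_post(SESSION, *FORGED))
```

The check runs entirely on the server and treats a button click and a script-submitted form identically, so it does not depend on whether JavaScript is enabled in the browser.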
sr. member
Activity: 294
Merit: 250
THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users' accounts.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

phantomcircuit: you should add that users check their email addresses in their mtgox profile. if they are incorrect they have to change their address + password

So a JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be advised to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.



JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.
sr. member
Activity: 337
Merit: 265
So a JS based exploit?

Nope, the bug was not related to JavaScript.
member
Activity: 70
Merit: 10
THIS HAS BEEN FIXED.

I have identified an exploit in MtGox allowing an attacker to completely take over some users' accounts.

I have been trying to contact MagicalTux for hours, but I feel that a general warning should go out to users.

All of the threads about MtGox accounts being hacked are REAL.

A strong password will not help you.  Anti Virus software WILL NOT HELP YOU.

This is not a trojan or a virus.

You can protect yourself by only visiting MtGox and then immediately logging out.


workaround: logout from mtgox, use it in a separate browser or chrome's incognito mode

phantomcircuit: you should add that users check their email addresses in their mtgox profile. if they are incorrect they have to change their address + password

So a JS based exploit?

Personally I always disliked the JS usage in there.
There is a reason most banks do not do JS or at least allow to not use it.

Such site should be imo a pure simple and spartan XHTML site, no fancy JS.  And users should be advised to turn off JS in the browser profile used for this site.
Would be glad to see such change in future in mtgox.
