
Topic: Reports of MtGox being hacked ARE REAL (Fixed) - page 2. (Read 41582 times)

member
Activity: 70
Merit: 10
So they are taking my cookies? NOZ!

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects JavaScript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

This is exactly why I tell everyone to set up a separate account for such jobs: e.g. a separate Firefox/browser profile used ONLY to access, say, mtgox.com.

btw.: Trololololo

legendary
Activity: 1232
Merit: 1076
1. Britcoin was never hacked.
2. We have all the funds there.
3. A team of 4 is working fulltime on the code: https://gitorious.org/intersango/
ius
newbie
Activity: 56
Merit: 0
Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Don't risk what you can't afford to lose, I suppose.

Even if you protect your private keys and passwords carefully it appears you could be compromised on MtGox. People expect an exchange to be secure, and that's completely reasonable (quote from MtGox frontpage: "Safe and Easy"). Security should be the number one priority for such operations - you'd rather be unable to trade due to a non-security-related bug than lose all of your coins, right?

Quote
Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

It should have been prevented (not caught) during development. But the few bits of MtGox history I picked up taught me that MtGox was sold and is based on a code base once used for a completely different trading purpose. I hope the current maintainer(s?) aren't the same ones who wrote the insecure code. Neglecting security to "keep things running" doesn't sound like proper practice to me, regardless.

Quote
What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)

By whom? Especially your second point shouldn't have been the responsibility of the users. In case of a security incident I expect full (and pre-emptive) transparency about the issue, its impact and mitigation. Look at LastPass; I think they did a pretty good job recently.. I haven't seen MtGox do anything like that at all.

Quote
As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they dont really seem to do much better...case in point....CitiBank

So you're basically saying regulations and audits are pointless, backed up by a single example. Go tell your bank how they can save some cash..

Quote
I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

We're not.
- The reference bitcoin client currently stores keys in plaintext, which is a huge vulnerability considering 'the average user' needs lots of handholding to remain secure (0.4 should at least protect you from clueless adversaries).
- Exchanges aren't as secure as they should be - CSRF vulnerabilities were reported in multiple exchanges.

Bottom line: I believe MtGox is operating understaffed on an outdated, re-used and potentially inherently insecure code base. The very least they could do is get some auditing done and hire some competent developers to fix found issues.
legendary
Activity: 1022
Merit: 1033
(I don't blame MagicalTux, since he didn't write the code.)

But he has "PHP can do ANYTHING!" in his motto which suggests that he knows some stuff about web dev. (I haven't seen non web-dev fans of PHP so far.)

And I think any decent web developer should be well aware of CSRF.

It takes approximately a minute to check whether your site has CSRF vulnerability. Then it takes approximately a minute to fix this (via referer check, which is less than perfect, but will work).

So, no, being 'alone' is not an excuse. It takes just two fucking minutes to secure your site. If you cannot find two minutes then you shouldn't be in business.

If you don't know web stuff very well then, well, pay somebody who can secure it.

There are NO excuses for for-profit enterprises.
hero member
Activity: 927
Merit: 1000
฿itcoin ฿itcoin ฿itcoin
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but I haven't gotten any reply)
From IRC several hours ago
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.
full member
Activity: 238
Merit: 100
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but I haven't gotten any reply)
sr. member
Activity: 294
Merit: 250
I have sent MagicalTux a PM about a CSS history sniffing vulnerability and haven't had a response yet.
newbie
Activity: 56
Merit: 0
Bitoption was hit with CSRF attacks today as well; no successes, though.

Re: Curl and Mt. Gox, I believe they changed their SSL Cert recently. My linux boxes didn't have a good CA chain to their authority, and resisted all attempts to add the chain in. Eventually I just imported the direct Gox one and marked it trusted. Curl finally shut up at that point.
legendary
Activity: 2198
Merit: 1311
This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.
newbie
Activity: 51
Merit: 0
This is why I don't keep bitcoin/money in MtGox.
I always do my business quickly, get in and out.

Hell the wallet I sent all my coins to, I only boot when I want to trade.  Well after waiting for the block download.
full member
Activity: 121
Merit: 100
my php curl attempts stopped working a few hours ago, any explanation for this?

Seconded. I actually think the server is just being hammered or something; apparently I just got through a few seconds ago and it printed me some data. I wrote a script to ping it every 15 minutes, thought it was up but I guess not.
full member
Activity: 210
Merit: 100
Both bugs are fixed now. I have just verified it.

I still feel kinda paranoid about logging in without a verification from mtgox.

I panic withdrew 50% of my funds yesterday after seeing this thread. (something I had originally planned to use for trading)
member
Activity: 98
Merit: 10
my php curl attempts stopped working a few hours ago, any explanation for this?
full member
Activity: 140
Merit: 100
The login issue is fixed for me and it looks like several others. It sounds like it was unrelated to the security stuff.

Kudos to MagicalTux for fixing the login issue almost as soon as he heard of it.
member
Activity: 91
Merit: 10
Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which banks have IT departments, security officers, response teams etc.

We desperately need a solution here. I think one of the reasons for the recent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...

Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Don't risk what you can't afford to lose, I suppose.

Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)
- the hole was apparently closed pretty damn fast once Mt.Gox became aware/verified it

As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they don't really seem to do much better...case in point....CitiBank

Quote
"Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique...cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

from http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access

..and those details came to light many many months after the event.

I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

Stay with the state regulated banks and fiat currencies if you want perceived safety of regulators and so called experts looking out for you. Be prepared to take more than a modicum of self-responsibility out here, however.

Bravo, bitcoin community!

newbie
Activity: 28
Merit: 0
mouse, you are pretty much correct.
newbie
Activity: 28
Merit: 0
Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which banks have IT departments, security officers, response teams etc.

We desperately need a solution here. I think one of the reasons for the recent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...
newbie
Activity: 56
Merit: 0
I believe that this type of attack is when the session token is stored as a cookie AND the server doesn't check the referrer. The normal method is to store a new session token on each post to the client, which gets submitted back each time (so it's stored in the user's webpage, not in a cookie).

This is just from memory, but if it's true, then, honestly, I have no faith at all in any website that fell for this. This issue would fall under 'basic' security and has probably been around for years. Sure it might be plugged now, but what else isn't?
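The referer check mentioned a few posts up, the per-request session token described in the post just above, and the cookie attributes that blunt the document.cookie theft described at the top of the page, combined into one server-side gate. This is an added example in Python, not MtGox's code or anything from this thread; SITE_HOST, the session/form dicts and the function names are hypothetical, and the cookie attributes are the ones current browsers honour.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed placeholder for the exchange's own hostname (not a real site).
SITE_HOST = "exchange.example"


def issue_csrf_token(session: dict) -> str:
    """Mint a fresh unguessable token, keep it server-side, and embed the copy
    in the HTML form (the page), never in the session cookie itself."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def referer_allowed(headers: dict) -> bool:
    """The quick fix from the thread: the request must come from our own origin.
    Origin is preferred, Referer is the fallback; a missing header fails closed.
    Hostname comparison is exact, so 'exchange.example.evil' does not match."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def csrf_token_valid(session: dict, form: dict) -> bool:
    """Synchronizer-token check: the submitted form must echo the token stored
    for this session. A cross-site page cannot read that page, so it cannot
    forge the field. Constant-time compare avoids leaking the token by timing."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def accept_state_change(session: dict, headers: dict, form: dict) -> bool:
    """Gate every state-changing POST (withdrawal, settings change) on both checks;
    a GET that changes state should not exist at all."""
    return referer_allowed(headers) and csrf_token_valid(session, form)


def session_cookie_header(session_id: str) -> str:
    """Cookie attributes that limit what XSS or a cross-site page can do with the
    session: HttpOnly hides it from document.cookie, SameSite=Strict keeps the
    browser from attaching it to cross-site requests, Secure keeps it off plain HTTP."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The referer check alone is the weaker of the two (it is absent from some proxied requests and historically could be suppressed), which is why the token check stays in place even when the header passes.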
newbie
Activity: 23
Merit: 0
Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Same problem here.
I am extremely nervous right now. I hope it is just a glitch at Mt Gox.

Can anyone confirm it?
newbie
Activity: 42
Merit: 0
So as I understand it you're only vulnerable if you're compromised by another site already? Why don't you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people would infer from this)