Pages:
Author

Topic: Reports of MtGox being hacked ARE REAL (Fixed) - page 2. (Read 41607 times)

member
Activity: 70
Merit: 10
So they are taking my cookies? NOZ! Angry

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

This is exactly why I tell everyone to setup separate account for such jobs: e.g. separate firefox/browser profile used ONLY to access say mtgox.com

btw.: Trololololo

legendary
Activity: 1232
Merit: 1076
1. Britcoin was never hacked.
2. We have all the funds there.
3. A team of 4 is working fulltime on the code: https://gitorious.org/intersango/
ius
newbie
Activity: 56
Merit: 0
Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Dont risk what you cant afford to lose, I suppose.

Even if you protect your private keys and passwords carefully it appears you could be compromised on MtGox. People expect an exchange to be secure, and that's completely reasonable (quote from MtGox frontpage: "Safe and Easy"). Security should be the number one priority for such operations - you'd rather be unable to trade due to a non-security-related bug rather than lose all of yours coins, right?

Quote
Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

It should have been prevented (not caught) during development. But the few bits of MtGox history I picked up learnt me that MtGox was sold and is based on a code base once used for a completely different trading purpose. I hope the current maintainer(s?) aren't the same ones who wrote the insecure code. Neglecting security to "keep things running" doesn't sound like proper practise to me, regardless.

Quote
What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)

By who? Especially your second point shouldn't have been the responsibility of the users. In case of a security incident I expect full (and pre-emptive) transparency about the issue, it's impact and mitigation. Look at LastPass, think they did a pretty good job recently.. I haven't seen MtGox do anything like that at all.

Quote
As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they dont really seem to do much better...case in point....CitiBank

So you're basically saying regulations and audits are pointless, backed up by a single example. Go tell your bank how they can save some cash..

Quote
I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

We're not.
-The reference bitcoin client currently stores keys in plaintext, which is a huge vulnerability considering 'the average user' needs lots of handholding to remain secure (0.4 should at least protect you from clueless adversaries).
- Exchanges aren't as secure as they should be - CSRF vulnerabilties were reported in multiple exchanges.

Bottom line: I believe MtGox is operating understaffed on a outdated, re-used and potentially inherently insecure code base. The very least they could do is get some auditing done and hire some competent developers to fix found issues.
legendary
Activity: 1022
Merit: 1033
(I don't blame MagicalTux, since he didn't write the code.)

But he has "PHP can do ANYTHING!" in his motto which suggests that he knows some stuff about web dev. (I haven't seen non web-dev fans of PHP so far.)

And I think any decent web developer should be well aware of CSRF.

It takes approximately a minute to check whether your site has CSRF vulnerability. Then it takes approximately a minute to fix this (via referer check, which is less than perfect, but will work).

So, no, being 'alone' is not an excuse. It takes just two fucking minutes to secure your site. If you cannot find two minutes then you shouldn't be in business.

If you don't know web stuff very well then, well, pay somebody who can secure it.

There are NO excuses for for-profit enterprises.
hero member
Activity: 927
Merit: 1000
฿itcoin ฿itcoin ฿itcoin
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)
From IRC several hours ago
Quote
09:01   MagicalTux      • thermal: we checked the logs, the CSRF found by phantomcircuit was never exploited

Doesn't look like it.
full member
Activity: 238
Merit: 100
What I want to know is, does MT Gox plan on refunding our money? (20BTC of mine was taken just a couple of days ago - and I emailed him from the mtgox website well before this post ever appeared, but i haven't gotten any reply)
sr. member
Activity: 294
Merit: 250
I have sent MagicalTux a PM about a CSS history sniffing vulnerability and haven't had a response yet.
newbie
Activity: 56
Merit: 0
Bitoption was hit with CSRF attacks today as well; no successes, though.

Re: Curl and Mt. Gox, I believe they changed their SSL Cert recently. My linux boxes didn't have a good CA chain to their authority, and resisted all attempts to add the chain in. Eventually I just imported the direct Gox one and marked it trusted. Curl finally shut up at that point.
legendary
Activity: 2198
Merit: 1311
This is why we need two-factor authentication ASAP.  I think MagicalTux said it was being worked on right now.  I hope so.
newbie
Activity: 51
Merit: 0
this is why I don't keep bitcoin/money in MtGox.
I alway do my business quick, get in and out.

Hell the wallet I sent all my coins to, I only boot when I want to trade.  Well after waiting for the block download.
full member
Activity: 121
Merit: 100
my php curl attempts stopped working a few hours ago, any explanation for this?

seconded, I actually think the server is just being hammered or something, apparently I just got through a few second ago and printed me some data, I wrote a script to ping it every 15 minutes, thought it was up but I guess not.
full member
Activity: 210
Merit: 100
Both bugs are fixed now. I have just verified it.

I still feel kinda paranoid about logging in without a verification from mtgox.

I panic withdrew 50% of my funds yesterday after seeing this thread. (something i had originally planned to use for trading)
member
Activity: 98
Merit: 10
my php curl attempts stopped working a few hours ago, any explanation for this?
full member
Activity: 140
Merit: 100
The login issue is fixed for me and it looks like several others. It sounds like it was unrelated to the security stuff.

Kudos to MagicalTux for fixing the login issue almost as soon as he heard of it.
member
Activity: 91
Merit: 10
Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which bank have IT departments, security officers, response teams etc.

We desperately need a solution here, I think one of the reasons for the resent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...

Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Dont risk what you cant afford to lose, I suppose.

Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.

What I find encouraging about this situation, as some others have mentioned:

- it was identified pretty quickly by concerned citizens. measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)
- the hole was apparently closed pretty damn fast once Mt.Gox became aware/verified it

As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them....they dont really seem to do much better...case in point....CitiBank

Quote
"Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique...cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

from http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access

..and those details came to light many many months after the event.

I think we're doing okay out here in the wild lands and early days of this "experiment"....all things considered.

Stay with the state regulated banks and fiat currencies if you want perceived safety of regulators and so called experts looking out for you. Be prepared to take more than a modicum of self-responsibility out here, however.

Bravo, bitcoin community!

newbie
Activity: 28
Merit: 0
mouse, you are pretty much correct.
newbie
Activity: 28
Merit: 0
Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)

People, there's a reason for which bank have IT departments, security officers, response teams etc.

We desperately need a solution here, I think one of the reasons for the resent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...
newbie
Activity: 56
Merit: 0
I believe that this type of attack is when the session token is stored as a cookie AND the server doesn't check the referrer. The normal method is to store a new session token on each post to the client, which gets sebmitted back each time (so its stored in the users webpage, not in a cookie).

This is just from memory, but if its true, then, honestly, I have no faith at all in any website that fell for this. This issue would fall under 'basic' security and has probably been around for years. Sure it might be plugged now, but what else isn't?
newbie
Activity: 23
Merit: 0
Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.

Same problem here.
I am extremely nervous right now. I hope it is just a glitch at Mt Gox.

Can anyone confirm it?
newbie
Activity: 42
Merit: 0
so as I understand it you're only vulnerable if you're compromised by another site already?  Why dont you clearly state what actions can make you vulnerable instead of making people think that mtgox has a virus on it or something (which is what most 'regular' people woul infer from this)
Pages:
Jump to: