Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.
No worries all protected her, Still lovin Them BTC.
I think it's a guy, just with a girly name.
Topic: Reports of MtGox being hacked ARE REAL (Fixed) - page 3. (Read 41582 times)
I think it's a guy, just with a girly name.
Man, I saw this shit coming after the crash earlier this week. Then poor Allinvains Hacks...:[
No worries all protected her, Still lovin Them BTC.
No worries all protected her, Still lovin Them BTC.
Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.
Yep, same here.
I demand that strong feelings be expressed, and highly recommend a general panic. Mass hysteria is our only option!
Is anyone having a problem logging in now? What I mean is, I can log in, then see the trade screen and my balance is shown in the upper right, but when I go to another page, such as account settings, it says I'm not logged in, and asks for me to log in again.
EDIT: It's fixed by MagicalTux. Sounds like it was just a website bug, not a security thing.
EDIT: It's fixed by MagicalTux. Sounds like it was just a website bug, not a security thing.
in my understanding any web site is vulnerable to such attack? is this correct?
Not correctly-designed ones.
(I don't blame MagicalTux, since he didn't write the code.)
Could you or anyone please point me where one can read how it can be dealt with on a server side?
That info is on the wiki page for CSRF. Basically the server side needs to put a unique token on each page and check for the presence of it on postback. Also doing an HTTP Referrer check helps a lot. There are other things as well but those are the main two.
The noscript add-on says it has "limited" CSRF protection. I'm not sure what that means.
Is there a firefox plugin that will
Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.
I don't know this specific exploit but that is how it generally works.
Nope.avi.
CSRF != XSS.
XSS = put my javascript on your site
CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript
how can this be dealt on a client side besides what's been mentioned above, is there a method to detect/disable both vulnerabilities without turning off cookies and js?
Is there a firefox plugin that will make each tab have it's own session? That would take care of the problem.
So they are taking my cookies? NOZ! 
Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.
I don't know this specific exploit but that is how it generally works.
Nope.avi.
CSRF != XSS.
XSS = put my javascript on your site
CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript
how can this be dealt on a client side besides what's been mentioned above, is there a method to detect/disable both vulnerabilities without turning off cookies and js?
Mtgox is not the only CSRF'able site.
http://forum.bitcoin.org/index.php?topic=18020.0
http://forum.bitcoin.org/index.php?topic=18020.0
Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity. I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.
The fact that tradehill doesn't log you out has no impact on your security, IF tradehill properly implemented security measures to prevent CSRF
Is it just me or does all this seem just a little bit sensational.
Watch how Bitcoin brings computer security to the masses. Just another undiscovered benefit.
It has certainly impacted me personally. I have learned a lot about security in the past two weeks on this site, and I have already begun migrating from Windows to Ubuntu.
in my understanding any web site is vulnerable to such attack? is this correct?
Not correctly-designed ones.
(I don't blame MagicalTux, since he didn't write the code.)
Could you or anyone please point me where one can read how it can be dealt with on a server side?
were there any other sites that been exploited with these things in the past?
in my understanding any web site is vulnerable to such attack? is this correct?
in my understanding any web site is vulnerable to such attack? is this correct?
Sorry for the OT post, but I couldn't help myself.
Watch how Bitcoin bring computer security to the masses. Just another undiscovered benefit.
+1, thought exactly the same thing.
in my understanding any web site is vulnerable to such attack? is this correct?
Not correctly-designed ones.
(I don't blame MagicalTux, since he didn't write the code.)
were there any other sites that been exploited with these things in the past?
in my understanding any web site is vulnerable to such attack? is this correct?
in my understanding any web site is vulnerable to such attack? is this correct?
So they are taking my cookies? NOZ!
Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.
I don't know this specific exploit but that is how it generally works.
Nope.avi.
CSRF != XSS.
XSS = put my javascript on your site
CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript
how can this be dealt on a client side besides what's been mentioned above, is there a method to detect/disable both vulnerabilities without turning off cookies and js?
sounds like everything is safer then ever. excellent job guys.
Both bugs are fixed now. I have just verified it.
until 5 minutes ago, the following banner appeared on bitcoincharts.com:
Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?
Yess, you can start with the buttcoins website, it just advertised for a wallet stealing site.
walletinspector.info has once again been replaced by a static png image. They tried to re-implement it as a "funny" javascript-only form. Linode's abuse department didn't find my pointing this out humorous. The original site before ~00:00 CST did really steal wallets and the owner tried to play it off as a harmless prank to avoid service termination.
I'm still slightly disappointed that service was not outright canceled once it was discovered the authorized user of that VPS was in fact responsible for said site and that it wasn't due to a compromise.
At least it's not harmful, for now.
and today was my first time using mtgox.... good thing i didnt want i needed to and took everything out once i finished. I even hit log out which i almost never do. Seems like some admin has removed this from the news. Good no need to cause panic over something which has been fixed.
Jump to: