Topic: Reports of MtGox being hacked ARE REAL (Fixed) - page 4. (Read 41582 times)

hero member
Activity: 868
Merit: 1000
Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?

Yess, you can start with the buttcoins website, it just advertised for a wallet stealing site.
jr. member
Activity: 56
Merit: 1
Now that we know the attack vector, can we search for bitcoin related websites that were taking advantage of it?
newbie
Activity: 67
Merit: 0
But I agree this is not an acceptable situation, but deal with it as adults, and remember anyone who creates a tool that can be used for mischief can also be held responsible for this.

He's been trying to get ahold of him for a week.
newbie
Activity: 67
Merit: 0
Both bugs are fixed now. I have just verified it.

Seconded.
hero member
Activity: 868
Merit: 1000
I see some of you devs talking about releasing a script for the script kiddies that can be used to empty users' mtGox accounts, only because you haven't been able to get hold of MagicalTux.

If you do a whois listing of mtgox.com you will find contact information, also a phone number.

Before you all go apeshit over this issue, be aware that mtGox is probably flooded with requests, so it can be difficult to get hold of them quickly.

But I agree this is not an acceptable situation, but deal with it as adults, and remember anyone who creates a tool that can be used for mischief can also be held responsible for this. It is better to try to get hold of MagicalTux or someone else at mtGox instead of trying to make the matter worse.

I feel sorry for anyone who has lost their funds, and hope everyone takes proper security precautions.

Edit: I see now it is claimed that the issues in question have been fixed. Good.
sr. member
Activity: 337
Merit: 265
Both bugs are fixed now. I have just verified it.
full member
Activity: 145
Merit: 100
So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a separate copy of firefox portable if you're on windows.

for chrome, you can open mtgox in incognito-mode and that will work too, right?
sr. member
Activity: 462
Merit: 250
nvm..
legendary
Activity: 1050
Merit: 1003
Seems to me they should take the market offline until this is fixed.

Pretty sure Mt. Gox would have legal responsibility for coins/funds lost due to the exploit.

Allowing users who haven't read this thread to lose funds is negligent.

full member
Activity: 210
Merit: 100
firstbits: 121vnq
So the exploit has been fixed?
newbie
Activity: 67
Merit: 0
I have independently confirmed that MtGox has a GIGANTIC CSRF vuln that lets me empty your account.

MagicalTux, you should know better than that. Honestly.

Also confirmed. This isn't acceptable.
sr. member
Activity: 364
Merit: 250
So they are taking my cookies? NOZ! Angry

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.

Nope.avi.
CSRF != XSS.

XSS = put my javascript on your site

CSRF = put a form on my site that POSTs to your site, for added fun auto-submit it with JavaScript
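An added example, not MtGox's code and not posted by anyone in this thread, of the server-side check that tells a POST from the site's own form apart from one auto-submitted by a form on another site: the browser sends the session cookie in both cases, so the server needs a session-bound token (and an Origin check where the browser supplies one). The origin, secret and sample requests are placeholders.

```python
import hashlib
import hmac

# Placeholders for this example; not the real exchange origin or any real secret.
SITE_ORIGIN = "https://exchange.example"
SERVER_SECRET = b"constructed-server-secret-rotate-me"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The site embeds it as a hidden field in its own forms; a third-party
    page cannot read it because it has no access to the session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_csrf_safe(request: dict) -> bool:
    """Accept a state-changing POST only if it carries a valid session-bound
    token and, when the browser sent an Origin header, that origin is ours.
    The session cookie alone proves nothing: the browser attaches it to an
    auto-submitted form on another site just as it does to ours."""
    if request["method"] != "POST":
        return True  # reads must be side-effect free; only writes need the token
    session_id = request["cookies"].get("session")
    if not session_id:
        return False
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(supplied, issue_csrf_token(session_id))


# Constructed sample requests to a withdrawal endpoint; all carry the session cookie.
SESSION = "sess-4f2a"
OWN_FORM_POST = {  # submitted from the site's own page
    "method": "POST", "cookies": {"session": SESSION},
    "headers": {"Origin": SITE_ORIGIN},
    "form": {"amount": "10", "to": "1Example", "csrf_token": issue_csrf_token(SESSION)},
}
CROSS_SITE_POST = {  # auto-submitted form on another site; browser still sent the cookie
    "method": "POST", "cookies": {"session": SESSION},
    "headers": {"Origin": "https://other-site.example"},
    "form": {"amount": "10", "to": "1Elsewhere"},
}
CROSS_SITE_POST_OLD_BROWSER = {  # no Origin header at all, token guessed
    "method": "POST", "cookies": {"session": SESSION},
    "headers": {},
    "form": {"amount": "10", "to": "1Elsewhere", "csrf_token": "0" * 64},
}
```

Only the first request is accepted; the other two are rejected even though the session cookie is present and valid.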
member
Activity: 64
Merit: 10
Not sure if this is relevant, but I've noticed that TradeHill does not automatically log you out after a period of inactivity.  I noticed that one morning when I hopped on my computer, I did not have to log in - I was still logged in from the night before.
full member
Activity: 196
Merit: 101
So they are taking my cookies? NOZ! Angry

Basically, when you visit their site they secretly load an iframe that contains mtgox.com. The URL of the iframe points to an XSS hole, which injects Javascript to send document.cookie (which stores your session info) to a site they own. They can then put the cookie data into their browser, and assume your session and log into mtgox.

I don't know this specific exploit but that is how it generally works.
sr. member
Activity: 364
Merit: 250
I have independently confirmed that MtGox has a GIGANTIC CSRF vuln that lets me empty your account.

MagicalTux, you should know better than that. Honestly.
newbie
Activity: 28
Merit: 0
So they are taking my cookies? NOZ! Angry
kgo
hero member
Activity: 548
Merit: 500
So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a separate copy of firefox portable if you're on windows.

There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this:
firefox.exe -P "NewProfileNameHere" -no-remote

Then you can do the same for your other profile and run both at the same time, with no interaction.

Yeah, that'll work.  I was trying to provide a simple solution for people who aren't techies.
full member
Activity: 140
Merit: 100
So what this means...

If you go to another site with exploit code while you're logged into mtgox, this site can perform operations on your mtgox account.

To protect yourself, use a separate browser for mtgox ONLY.

If you normally use firefox, install chrome and use that for mtgox.  If you use chrome, install firefox.

If you use both, install a separate copy of firefox portable if you're on windows.

There's no need to install an entirely separate browser. Make a new profile, just for Mt. Gox, and run it from a shortcut like this:
firefox.exe -P "NewProfileNameHere" -no-remote

Then you can do the same for your other profile and run both at the same time, with no interaction.
full member
Activity: 140
Merit: 100
I want to add that phantomcircuit is an op for #bitcoin on IRC, where other folks have confirmed it as well. So don't let his mere 15 posts on the forum here dissuade you as he does speak with authority.
full member
Activity: 196
Merit: 101
By the way on mtgox.com you can register names like " apple" with a space in front, separate from an account "apple". Maybe this can lead to an exploit.