Author

Topic: What if the hacker had write access to the database? (Read 1485 times)

newbie
Activity: 38
Merit: 0
missed that thread, sorry. it's very interesting indeed...
http://forum.bitcoin.org/index.php?topic=20437.0

let's move...

ADMIN: pls close this thread.
newbie
Activity: 35
Merit: 0
@fujiwara

I've read this thread: http://forum.bitcoin.org/index.php?topic=20437.0 some 12 hours ago. Still impressed. Oh, and I'm the wrong person to ask "how can we be sure that it wasn't something like this?"

MagicalTux is.
ius
newbie
Activity: 56
Merit: 0

I *really* hope that's not true, for the sake of everyone that just reset their passwords...


That was reported (and fixed) on the 16th. Users were however not informed about the vulnerability. Two days later the database leaked..
newbie
Activity: 38
Merit: 0
thank you vrotaru, that's the kind of stuff I was looking for, .. how can we be sure it wasn't something like this?
hero member
Activity: 994
Merit: 501
PredX - AI-Powered Prediction Market
jrmithdobbs has been attacking mtgox since a long time ago, before any information was available.

I am not sure anything to do with him can be trusted on mtgox matter.
newbie
Activity: 59
Merit: 0

I *really* hope that's not true, for the sake of everyone that just reset their passwords...
member
Activity: 126
Merit: 10
Well, what if the hacker had ice cream?
newbie
Activity: 35
Merit: 0
[20:51:52] https://mtgox.com/claim?token=foo'%20OR%201='[email protected]
[20:52:07] LO FUCKIN L
[20:52:17] ya, i buy it considering how the other sqli and csrfs worked Sad
[20:53:25] so he says you can use that sqli (or another) to set how much money your account has, then withdraw it
[20:54:17] you know time frame on when it would have been done? I know one sqli was disclosed/patched on the 16th
[20:54:37] I have no idea if this was ever exploited
[20:55:37] this guy who told me about the vulns was scared of even publishing them, let alone exploit them...
[20:56:22] speaking about mybitcoin exploits:
[20:56:23] well, you know what to do... if they don't react [to your private report] in a reasonable amount of time... >Smiley
[20:56:25] i don't even know what the acceptable disclosure path is, when you're talking about what is, in effect, a bank.
[20:56:46] he patched the csrf in mybitcoin over the weekend quietly
[20:57:10] i publically disclosed csrfs in clearcoin (was going to disclose mybitcoin too but he patched while i was putting together email)
[20:57:36] at this point? the correct disclosure method is the normal full disclosure lists, the bitcoin-development list, and the forums. silmutaneously.
[21:00:13] http://stuff.povaddict.com.ar/mtgox-xss.txt here's another fun one
[21:01:03] that doesn't load for me
[21:01:19] does now, nm
[21:02:53] that's csrf not xss ;P
[21:03:13] it's both
[21:03:30] you're taken to a page that executes your injected Javascript
[21:04:15] you've just explained what happened.
[21:05:02] thats the same sqli ius disclosed and got patched on the 16th. whoever crashed the market notice it got patched. used the account he had deposited funds into. crashed the market in an attempt to get it out of the exchange by having btc lowered in value
[21:05:51] jesus christ. fuck magicaltux. lieing and/or incompetennt asshat.

http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20110620/dc3e0783/attachment-0003.obj
member
Activity: 103
Merit: 10
He would draw you a very nice picture.
legendary
Activity: 2408
Merit: 1121
Nothing against you personally, I just think all Mt. Gox threads should die in a fire, unless they are official reopening statements.

As for the database, restore from backup prior to the incident, solved.
newbie
Activity: 38
Merit: 0
I know there's already lots of threads about the incident, but I haven't read anything there about the following scenario:

Just imagine the hacker was (somehow, don't ask me how) able to actually EDIT the content of the Mt. Gox database? I just CAN'T believe someone really has 500k btc there. What if they've been just added seconds before the attack - just out of nothing. Afaik, technically spoken, these aren't bitcoins, they're just some numbers in a database. The Deposit/withdrawal process of bitcoins is another story (and usually the correct source of the db's content).

I'm thinking about this scenario because if it was true, there would be no other option than rollback the trades - unless Mt. Gox would be willing to turn btc into FIAT money. They would be short of btc actually and couldn't stand a bank run.

What do you guys think about this? Is it completely impossible a hacker gained write access to the Mt. Gox database? I'm not trying to spread a conspiracy theory, I'm just wondering no one is talking about the possibility of this happening.

Jump to: