From: Doug Huff <dhuff@jrbobdobbs•org>
To: full-disclosure@lists•grok.org.uk,
Bitcoin Dev Development
<bitcoin-development@lists•sourceforge.net>,
Bitcoin <bitcoin-list@lists•sourceforge.net>,
"Mt.Gox" <info@mtgox•com>
Subject: Re: [Bitcoin-development] More plausible mtgox.com post-mortem (Bitcoin fun week!)
Date: Mon, 20 Jun 2011 23:49:26 -0500 [thread overview]
Message-ID: <D091767C-EF92-4B63-9C29-924F32AE34D7@jrbobdobbs.org> (raw)
In-Reply-To: <76D936F8-2746-4CEE-861A-A99D1BAD11D7@jrbobdobbs.org>
[-- Attachment #1.1: Type: text/plain, Size: 3261 bytes --]
Oh ya, forgot this tidbit. Thanks gmaxwell!:
Not mentioned here is that fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am
(http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")
Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.
This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.
On Jun 20, 2011, at 11:17 PM, Doug Huff wrote:
> I have two independent sources claiming known SQLi vulnerabilities in MtGox.
>
> One of said SQLi vulnerabilties was confirmed to be patched on the 16th.
> The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.
>
> The details follow in these chat logs. POC for the referenced xss+csrf is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.
>
> It has also been found that MtGox exposes it's admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted to be used will throw permission errors. Once again. This cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin
>
> MagicalTux, now that your claim "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked." Please respond. The truth this time.
>
> MagicalTux's official response at the time of this writing is also attached. It is available at:
> https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
>
> These logs are not modified except for user's hostmasks at their request due to MagicalTux's new found policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.
>
> Mirrors:
> http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
> http://privatepaste.com/47a50cab5b (sig)
> http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
> http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
> http://privatepaste.com/e4bacfae37 (PovAddict log)
> http://privatepaste.com/9dc5daf8a0 (sig)
> http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
> http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
> http://privatepaste.com/6dad3927d6 (XSS + CSRF)
> http://privatepaste.com/45e5aa0d30 (sig)
> http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
> http://www.mediafire.com/?uv7be34198pseoo (sig)
--
Doug Huff
[-- Attachment #1.2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 3737 bytes --]
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 881 bytes --]
parent reply other threads:[~2011-06-21 4:49 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <76D936F8-2746-4CEE-861A-A99D1BAD11D7@jrbobdobbs.org>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D091767C-EF92-4B63-9C29-924F32AE34D7@jrbobdobbs.org \
--to=dhuff@jrbobdobbs$(echo .)org \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
--cc=bitcoin-list@lists$(echo .)sourceforge.net \
--cc=full-disclosure@lists$(echo .)grok.org.uk \
--cc=info@mtgox$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox