Full Disclosure
mailing list archives
More plausible mtgox.com post-mortem (Bitcoin fun week!)
From: Doug Huff <dhuff () jrbobdobbs org>
Date: Mon, 20 Jun 2011 23:17:49 -0500
I have two independent sources claiming known SQLi vulnerabilities in MtGox.
One of said SQLi vulnerabilities was confirmed to be patched on the 16th.
The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.
The details follow in these chat logs. POC for the referenced XSS+CSRF is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.
It has also been found that MtGox exposes its admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted to be used will throw permission errors. Once again, this cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin
MagicalTux, now that you have claimed "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked," please respond. The truth this time.
MagicalTux's official response at the time of this writing is also attached. It is available at:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
These logs are not modified except for users' hostmasks at their request due to MagicalTux's newfound policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.
Mirrors:
http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
http://privatepaste.com/47a50cab5b (sig)
http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
http://privatepaste.com/e4bacfae37 (PovAddict log)
http://privatepaste.com/9dc5daf8a0 (sig)
http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
http://privatepaste.com/6dad3927d6 (XSS + CSRF)
http://privatepaste.com/45e5aa0d30 (sig)
http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
http://www.mediafire.com/?uv7be34198pseoo (sig)
Attachments:
#bitcoin-hax_20110620.log
#bitcoin-hax_20110620.log.asc
magicaltux-response.txt
mtgox-ss.txt
mtgox-ss.txt.asc
PovAddict_20110620.log
PovAddict_20110620.log.asc
--
Douglas Huff
Attachments: smime.p7s, PGP.sig (digitally signed message part)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/