From: Doug Huff
Date: Mon, 20 Jun 2011 23:49:26 -0500
To: full-disclosure@lists.grok.org.uk, Bitcoin Dev Development, Bitcoin, "Mt.Gox"
In-Reply-To: <76D936F8-2746-4CEE-861A-A99D1BAD11D7@jrbobdobbs.org>
Subject: Re: [Bitcoin-development] More plausible mtgox.com post-mortem (Bitcoin fun week!)
Oh ya, forgot this tidbit. Thanks gmaxwell!:

Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am (http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney").

Since the overwhelming majority, but not all, of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere, I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.

On Jun 20, 2011, at 11:17 PM, Doug Huff wrote:

> I have two independent sources claiming known SQLi vulnerabilities in MtGox.
>
> One of said SQLi vulnerabilities was confirmed to be patched on the 16th.
> The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.
>
> The details follow in these chat logs. POC for the referenced XSS + CSRF is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.
>
> It has also been found that MtGox exposes its admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted to be used will throw permission errors. Once again, this cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin
>
> MagicalTux, now that your claim "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked." Please respond. The truth this time.
>
> MagicalTux's official response at the time of this writing is also attached. It is available at:
> https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
>
> These logs are not modified except for users' hostmasks at their request, due to MagicalTux's newfound policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.
>
> Mirrors:
> http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
> http://privatepaste.com/47a50cab5b (sig)
> http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
> http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
> http://privatepaste.com/e4bacfae37 (PovAddict log)
> http://privatepaste.com/9dc5daf8a0 (sig)
> http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
> http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
> http://privatepaste.com/6dad3927d6 (XSS + CSRF)
> http://privatepaste.com/45e5aa0d30 (sig)
> http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
> http://www.mediafire.com/?uv7be34198pseoo (sig)

-- 
Doug Huff