From: Doug Huff <dhuff@jrbobdobbs.org>
Date: Mon, 20 Jun 2011 23:49:26 -0500
To: full-disclosure@lists.grok.org.uk, Bitcoin Dev Development <bitcoin-development@lists.sourceforge.net>, Bitcoin <bitcoin-list@lists.sourceforge.net>, "Mt.Gox" <info@mtgox.com>
Subject: Re: [Bitcoin-development] More plausible mtgox.com post-mortem (Bitcoin fun week!)
In-Reply-To: <76D936F8-2746-4CEE-861A-A99D1BAD11D7@jrbobdobbs.org>
Message-Id: <D091767C-EF92-4B63-9C29-924F32AE34D7@jrbobdobbs.org>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>

Oh ya, forgot this tidbit. Thanks gmaxwell!:

Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am (http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")

Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere, I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.

On Jun 20, 2011, at 11:17 PM, Doug Huff wrote:

> I have two independent sources claiming known SQLi vulnerabilities in MtGox.
>
> One of said SQLi vulnerabilities was confirmed to be patched on the 16th.
> The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.
>
> The details follow in these chat logs. POC for the referenced xss+csrf is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.
>
> It has also been found that MtGox exposes its admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted to be used will throw permission errors. Once again, this cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin
>
> MagicalTux, now that your claim "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked." Please respond. The truth this time.
>
> MagicalTux's official response at the time of this writing is also attached. It is available at:
> https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
>
> These logs are not modified except for users' hostmasks at their request due to MagicalTux's newfound policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.
>
> Mirrors:
> http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
> http://privatepaste.com/47a50cab5b (sig)
> http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
> http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
> http://privatepaste.com/e4bacfae37 (PovAddict log)
> http://privatepaste.com/9dc5daf8a0 (sig)
> http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
> http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
> http://privatepaste.com/6dad3927d6 (XSS + CSRF)
> http://privatepaste.com/45e5aa0d30 (sig)
> http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
> http://www.mediafire.com/?uv7be34198pseoo (sig)

-- 
Doug Huff
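The timeline argument in the message above rests on one check: most, but not all, of the hashes in the earlier forum post appear in the later database dump, which points to a different (earlier) snapshot rather than a copy of the same leak. The script below is an added example of that comparison for an incident responder; it is not code from the mailing list or from Mt.Gox. The input lines are constructed here (the usernames and digests are placeholders, not leaked data), the `user:hash` line shape and the two hash formats it accepts (32-hex MD5 and `$1$` md5crypt) are assumptions chosen for illustration, and the 0.8 verdict threshold is likewise an assumed value, not a published one.

```python
"""Overlap analysis between two disclosed credential-hash sets.

Added example for the thread above; it is not code from the list or from
Mt.Gox.  The sample lines below are constructed, not real leaked data, and
the line format, hash formats and verdict threshold are assumptions.
"""
import re

# Assumed paste format: user:hash, where hash is a 32-hex MD5 digest or a
# $1$ md5crypt string.  Anything else (forum chatter, headers) is skipped.
LINE_RE = re.compile(
    r"^\s*(?P<user>[^:\s]+):(?P<hash>[0-9a-fA-F]{32}|\$1\$[^\s:]+)\s*$"
)


def parse_hash_lines(lines):
    """Return {normalized_hash: user} for every line that matches LINE_RE.

    Hex digests are lower-cased so case differences between sources do not
    hide a match; md5crypt strings are kept verbatim because the salt is
    part of the value.  Non-matching lines are ignored rather than raising,
    since pastes from forums are rarely clean.
    """
    entries = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        h = m.group("hash")
        if not h.startswith("$1$"):
            h = h.lower()
        entries[h] = m.group("user")
    return entries


def compare_disclosures(earlier_lines, dump_lines, high=0.8):
    """Compare a smaller, earlier disclosure against a larger dump.

    Returns the numbers the thread reasons from: how many of the earlier
    set's hashes are present in the dump, how many are not, which users
    those belong to, and a heuristic verdict.  `high` is an assumed
    threshold for "mostly matches", not a figure from the page.
    """
    earlier = parse_hash_lines(earlier_lines)
    dump = parse_hash_lines(dump_lines)
    matched = sorted(h for h in earlier if h in dump)
    unmatched = sorted(h for h in earlier if h not in dump)
    total = len(earlier)
    ratio = len(matched) / total if total else 0.0
    if total == 0:
        verdict = "no parseable hashes"
    elif not unmatched:
        verdict = "subset of dump: consistent with extraction from the same data"
    elif ratio >= high:
        verdict = ("mostly matches but some hashes are absent from the dump: "
                   "consistent with a different, possibly earlier, snapshot")
    else:
        verdict = "little overlap: probably unrelated data"
    return {
        "total": total,
        "matched": len(matched),
        "unmatched": len(unmatched),
        "unmatched_users": [earlier[h] for h in unmatched],
        "overlap_ratio": ratio,
        "verdict": verdict,
    }


# Constructed sample data (placeholder users and digests, not real accounts).
FORUM_POST = [
    "here are a few more, enjoy",                # chatter, skipped by the parser
    "user01:5F4DCC3B5AA765D61D8327DEB882CF99",   # upper-case hex, matches after normalising
    "user02:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA",
    "user03:098f6bcd4621d373cade4e832627b4f6",
    "user04:$1$othersal$BBBBBBBBBBBBBBBBBBBBBB",
    "user05:d41d8cd98f00b204e9800998ecf8427e",
    "user06:9e107d9d372bb6826bd81d3542a419d6",   # absent from the main dump
]
MAIN_DUMP = [
    "user01:5f4dcc3b5aa765d61d8327deb882cf99",
    "user02:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA",
    "user03:098f6bcd4621d373cade4e832627b4f6",
    "user04:$1$othersal$BBBBBBBBBBBBBBBBBBBBBB",
    "user05:d41d8cd98f00b204e9800998ecf8427e",
    "user07:e99a18c428cb38d5f260853678922e03",
]

if __name__ == "__main__":
    report = compare_disclosures(FORUM_POST, MAIN_DUMP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The unmatched users are returned by name rather than just counted because they are the leads for the timeline question: an account that appears in the earlier post but not in the later dump is the one to cross-check against account-change and withdrawal records for the days before the main event.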