

Bitcoin thefts at MTGOX (Bitcoin exchange) confirmed to be CSRF vulnerability - ezl
http://forum.bitcoin.org/index.php?topic=18709.0

======
rauljara
From the comments:

"Pretty sure Mt. Gox would have legal responsibility for coins/funds lost due
to the exploit.

Allowing users who haven't read this thread to lose funds is negligent."

IANAL, but pretty sure this is completely wrong. That is what a completely
unregulated market is like: freedom, but no recourse if something goes wrong.
I have to wonder what happens when people who are used to the benefits of
regulated markets (not saying there aren't downsides, just that there ARE
benefits) enter into a market they assume is regulated, but isn't. With
bitcoin, this is more than just a hypothetical musing.

~~~
smokeyj
People getting into bitcoin now are buying it because of its decentralized,
unregulated nature. This whole p2p economy thing is very new, so you can't
compare it to an established market like the US economy. It could easily be
argued that market regulation doesn't add much value considering the constant
and systematic recurrence of financial crises in the US.

~~~
rauljara
That is not so easy an argument to make as you seem to think it is. Several of
the major sources of the recent financial crisis (the derivatives market, the
rating of junk financial products as AAA, and the over leveraging of major
financial firms) all suffered from lack of regulation (derivatives, rating
agencies), or relatively recent deregulation (the over-leveraging).

~~~
byrneseyeview
Actually, the whole point of rating that stuff AAA was a regulatory arbitrage.
Buying AAA-rated CDOs and buying credit default swaps against them was a
capital-efficient way to lever up. And that level of leverage was only
possible due to central banking backstops.

If deregulation caused the crisis, why weren't hedge funds (the least
regulated entities out there) a big part of it? I seem to remember a bunch of
the major investment banks (much more regulated) losing money because of their
positions in mortgages (a very strongly-regulated investment).

It's really hard to describe the financial crisis without talking about
decisions that only make sense in the context of gaming regulations.

~~~
TheCowboy
Hedge funds may not have been a big part of this crisis. But the next to last
major financial crisis is a case study in this:
<http://en.wikipedia.org/wiki/Long-Term_Capital_Management>

Hedge funds were also more a result of a lack of regulation, or side-stepping
current regulations by being defined differently, not so much a matter of
deregulation. See it as regulators not stepping up or not allowed to step up
and adapt.

It's not like regulation serves to make any financial crisis avoidable. But
smarter, more adaptable regulation can limit the depth of the rot, help shore
up the integrity and health of the financial system, and possibly allow for a
softer landing.

------
teyc
I've been thinking about bitcoins.

If there is some way clearing houses can prove they own a certain quantity of
bitcoins, then the bitcoins don't need to be physically transferred. This has
some advantages. Firstly, the bitcoins can be secured off the grid. Secondly,
the transfers between clearing houses are simply bookkeeping entries, meaning
fewer bitcoins need to be actually exchanged. In the event of
fraud, there is some traceability and reversibility, since clearing houses can
implement rules similar to what banks already do. For instance, monies
deposited cannot be withdrawn straight away, until it is clear that there are
no other claims on the money.

~~~
kseudo
I think on a very low scale this is what Youtipit
does (<http://www.youtipit.org>). People deposit their coins, tip them
internally and this is handled by our bookkeeping system. If someone wants
their coins out they simply withdraw them and the transaction goes out to the
block chain. This has many of the advantages that you have stated (also tips
are instantaneous, no need for confirmations).

If you give it a look I would like to hear your opinions on it.

~~~
omouse
So you basically have an internal currency that just happens to be bitcoin?
Kinda like when you store $$ in a PayPal account?

~~~
kseudo
You make it sound like a bad thing... But yes, that's exactly what we have :-).
Except with us there are no fees: no deposit fees, no withdraw fees, no fees
to tip. If you can get over the fact that it is bitcoin based, it's probably
the cheapest way to reward someone online. This would not be possible without
bitcoin. In fact we built the system to use USD and EUR initially but
eventually realized that financial/legal costs were making the project totally
unviable. Changing to bitcoin allowed us to continue and play with this idea
of the 'Online street performer' and develop it somewhat.

I think what we do shows that there are some positive applications for bitcoin
and it does open opportunities for online business. Unfortunately most of the
press dwells on 'bitcoin for drugs' stories, why can't they do a story about
Youtipit!

... probably because there are far more people interested in buying drugs than
tipping online :-0

------
chopsueyar
Nice tip:

_There's no need to install an entirely separate browser. Make a new
profile, just for Mt. Gox, and run it from a shortcut like this: firefox.exe
-P "NewProfileNameHere" -no-remote_

_Then you can do the same for your other profile and run both at the same
time, with no interaction._

~~~
pavel_lishin
Does Chrome support multiple profiles? I know you can launch an Incognito
window, but Incognito windows share cookies, etc.

~~~
palish
Incognito windows share cookies? That doesn't sound right... I would have
thought incognito would prevent CSRF.

~~~
bdhe
Yes, incognito windows and tabs share cookies. The cookies are deleted once
you close the incognito window of course and are not shared between the
incognito window and the regular browser window. But as long as one incognito
window is open your cookies are still there.

 _Edit:_ You can easily test this by logging into GMail in Incognito mode and
then going to youtube/google maps etc. and notice that you're still logged in.
Even if you open a new incognito window.

~~~
palish
Right. So open an incognito window; go to MtGox; do your business; then close.

------
derrickpetzold
It is incredibly poor form that websites are still vulnerable to these
attacks. Django made CSRF protection mandatory back in 2009.

<http://code.djangoproject.com/wiki/CsrfProtection>

and if you are operating a website that is still in use today, it must also guard
against these attacks. See

<http://www.squarefree.com/securitytips/web-developers.html#CSRF>

There is absolutely no excuse for this other than incompetence or ignorance.
Take your pick.
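
As an added illustration of the protection being argued for here (example code written for this thread, not Django's or MtGox's implementation): a withdrawal handler that trusts only the session cookie, beside the same handler guarded by a per-session synchronizer token that a cross-site page cannot read. The session store, endpoint name and form fields are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store; a real application would use its
# framework's session machinery. session_id -> {"user": ..., "csrf": token}
SESSIONS = {}

def new_session(user):
    """Log a user in and mint a random CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Embed the session's token in the withdrawal form as a hidden field.
    Only a page served from the site's own origin can read this value."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/withdraw">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"></form>')

def handle_withdraw_vulnerable(cookies, form):
    # Before: the session cookie alone authorizes the action. The browser
    # attaches that cookie to a POST from any site the victim visits, so a
    # foreign page can submit this form on the victim's behalf.
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    return 200, f"withdrew {form['amount']} for {sess['user']}"

def handle_withdraw_protected(cookies, form):
    # After: the request must also carry the token that was rendered into the
    # form. A cross-site page cannot read it, so its forged POST is refused.
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token by timing.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"withdrew {form['amount']} for {sess['user']}"
```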

------
woodall
OWASP write up on CSRF.
<https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29>

------
unreal37
Misleading headline, as no actual bitcoins were stolen from this exploit
according to the owner of MtGox.

~~~
hugh3
How would they know? (Serious question)

~~~
ScottBurson
My guess is they're looking at the HTTP referrer field in their server logs.
Normally, a CSRF exploit shows up as an HTTP request originating from a
different site (i.e., other than mtgox.com). I think the referrer can be
spoofed, though, which would disguise the exploit in the logs.

~~~
tlrobinson
The referrer isn't spoofable in any normal browsers (and CSRF attacks occur
within the user's browser).
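
As an added example of the Referer-based log review this exchange describes (code written for this thread, not MtGox's actual tooling): it parses constructed Combined Log Format lines and flags state-changing requests whose Referer host is not the site's own, treating a missing Referer as inconclusive rather than as proof either way. The site host list and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx Combined Log Format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SITE_HOSTS = {"mtgox.com", "www.mtgox.com"}   # assumed: hosts that legitimately serve the forms
STATE_CHANGING = {"POST", "PUT", "DELETE"}

def classify(line, site_hosts=SITE_HOSTS):
    """Return (verdict, reason) for one log line: 'ok', 'suspect' or 'unknown'."""
    m = LOG_RE.match(line)
    if not m:
        return "unknown", "unparseable line"
    if m["method"] not in STATE_CHANGING:
        return "ok", "read-only request"
    ref = m["referer"]
    if ref in ("", "-"):
        # Browsers omit Referer on some transitions (HTTPS->HTTP, privacy
        # settings), so absence is ambiguous and needs other evidence.
        return "unknown", "no Referer on state-changing request"
    host = urlsplit(ref).hostname or ""
    if host in site_hosts:
        return "ok", f"Referer host {host} is our own"
    # A browser will not let a page forge this header, but a non-browser
    # client can set anything, so treat this as a triage signal, not proof.
    return "suspect", f"state-changing request with foreign Referer host {host}"

def suspects(lines, site_hosts=SITE_HOSTS):
    """Collect (client ip, path, reason) for every line classified as suspect."""
    out = []
    for line in lines:
        verdict, reason = classify(line, site_hosts)
        if verdict == "suspect":
            m = LOG_RE.match(line)
            out.append((m["ip"], m["path"], reason))
    return out

# Constructed sample lines (not real MtGox logs; addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2011:10:00:01 +0000] "GET /account HTTP/1.1" 200 512 "https://mtgox.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Jun/2011:10:00:09 +0000] "POST /withdraw HTTP/1.1" 302 0 "https://mtgox.com/account" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jun/2011:10:01:44 +0000] "POST /withdraw HTTP/1.1" 302 0 "http://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jun/2011:10:02:03 +0000] "POST /withdraw HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Running `suspects(SAMPLE_LOG)` flags only the third line; the fourth (no Referer) is returned as unknown and would need correlating with the withdrawal record itself.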

------
DevX101
Any security researchers have link to a study detailing the prevalence of
security lapses among a large sample of websites?

I hear about these attacks, and I'd be curious to know how vulnerable the
sites I visit are.

~~~
lukeschlather
As Lulzsec so clumsily illustrated, you can't know because most
vulnerabilities are silently patched, or undiscovered (but still in use
without the site's knowledge.) Any such index would more likely penalize the
most honest than the most vulnerable.

~~~
derrickpetzold
Are you saying it's better not to know? It wouldn't be hard to determine if a site
is CSRF vulnerable.

