
MyBitcoin Incident Report - August 4th 2011 - jayzee
https://www.mybitcoin.com/
======
daeken
While sad, this doesn't surprise me in the least. I reported probably half a
dozen vulnerabilities, none of which I believe were ever fixed. I tried to
stress the impact of the vulnerabilities (which ranged from CSRF to XSS to, I
believe, SQLi, although I can't recall whether that was MyBitcoin or
elsewhere) and it just didn't sink in.

If you're going to deal with money in any way, please for the love of god,
think about security. Even if you're not going to have an external security
test, at least internalize the OWASP Top 10, how to recognize and discover
them, and their mitigations.

~~~
cookiecaper
I also found mybtc unresponsive to mail -- I made a Python interface, whose
source I had planned on releasing, to their SCI and needed help with one
portion of it, sent a mail asking about it, and received no reply.
Disappointing. :(

~~~
kiba
Mybitcoin doesn't understand the value of communicating early when a crisis is
ongoing.

------
doublextremevil
When will people learn that trusting a (possibly unreliable) third party with
your money was exactly the sort of thing that bitcoin was supposed to obviate?

~~~
rick888
Well, naturally, we are seeing why banks exist. Because people need a safe
place to put their money.

~~~
drivebyacct2
But banks offer better protection for my money than can be afforded in a home
setting. Quite the opposite with BitCoins. My TrueCrypt volume with keyfiles
that I keep on my person and in a safebox with my BitCoins inside is far
superior to... well... ANY internet-connected service.

~~~
SkyMarshal
Out of curiosity, what size do you set your TC volume to, and what size is
your wallet.dat? Is the possibility of wallet.dat exceeding the size of
backup.tc a problem?

~~~
drivebyacct2
I can't imagine anyone's wallet.dat being that large... Plus you can always
create new TC volumes. My wallet is under 200K right now. Alternatively,
especially for such a small file, plenty of other per-file encryption schemes
would be just as applicable.

------
jhuckestein
How would one prove that they didn't just make the bitcoins disappear
themselves, only to sell them anonymously a while later?

~~~
dfc
It would be hard. Even if they disclose the wallet address that was compromised
it would be hard to prove that the transfers were not done by the alleged
hackers.

I wonder if this is the reason for the drop in btc price lately.

~~~
kaerast
I believe this incident probably is the reason for the drop in price, along
with the incident at Bitomat just before. It's just people reacting to
vulnerabilities in the market though, so far there has been no evidence to
suggest any of these bitcoins have been sold. If they were to be sold off in
bulk then it would cause a much larger crash.

~~~
dagw
_If they were to be sold off in bulk then it would cause a much larger crash._

Is there any reason why they couldn't just sit on them for a couple of months,
and then start to sell them off slowly over the space of a few more months?

------
alanfalcon
The best line from the release:

"We are sure that, unknowingly to us, that our processing system has been used
for nefarious purposes."

How can you be sure of something that is unknown to you? They're trying to
disclaim responsibility while acknowledging the reality of what BTC is used
for in some situations, I suppose, but it's a very strange way to phrase it.
Then again, they're in "receivership" but declining to appoint an actual
receiver.

~~~
there
_[T]here are known knowns; there are things we know we know. We also know
there are known unknowns; that is to say we know there are some things we do
not know. But there are also unknown unknowns – the ones we don't know we
don't know._

------
dreamdu5t
Looks like the online wallet niche just got a little more breathing room...

------
wglb
Who thought you would have to backup money?

~~~
wccrawford
Even if it was backed up, the attacker would simply have transferred the BTC
to a different wallet so they couldn't be recovered.

I mean, if you could, then you could duplicate BTC. lol That would be some
flaw.

