Bitcoin Box

Ads

The MtGox Attack

author: Theodore Minick
published: 2011-07-05 22:08:50 UTC

It was an exciting week.

• On the 19th, someone executed a huge sell order, which pushed the price down to one cent.
• Shortly thereafter, it was revealed that the sell order was done by a hacker, as the account database had been leaked.
• It didn't take long for people to take advantage of it.
• Thankfully, Gmail also got the list, and implemented security measures.
• The next day, Kevin Day published his side of the story, Prompting MagicalTux of MtGox to do the same.
• Thankfully, this whole mess alerted other trading sites to potential vulnerabilities.
• On the 21st, Kevin moved the disputed coins to an escrow account.
• MtGox claimed the attack was "force majeure", and that that would be their defense on any suits.
• They soon had the account claims page up, and were accepting requests.
• On the 23rd, MtGox offered proof that they still had possession of all the Bitcoins.
• On the 25th, MtGox finally started letting people check their accounts.
• They're slowly bringing things back online, now.

But the real tragedy of all this is that the day before the hack, there was a general warning about MtGox's security holes, which, apparently, was still late to the party. Also, because of poor password security (on both ends) there have been repercussions. (and that's the nice thread)

But how did this happen? The official story, from MtGox, is that an untrustworthy 3rd party auditor leaked the data, and a hacker used it to crash the market. But, as Kevin points out in his post,

This means they expect us to believe:

• A Mt Gox user had more than 500,000 bitcoins stored in their Mt Gox account (more than $8 million by Sunday's prices).
• This user chose a password that was able to be guessed by a password cracker from the encrypted hash of their pass. (This means their password was likely quite simple)
• This user managed to amass this many bitcoins without being involved in the community enough to hear everyone screaming about the password file being leaked to the world.

This is certainly a possibility, but several other users on the forums have reported SQL injections, which would definitely explain the attack, and even the source of the coins. In the SQLi attack scenario, the Bitcoins were 'created out of thin air' by adding the balance to the hacked user's account.

Unfortunately, even the cause of the attack is a mystery. Either MtGox made a bad hiring decision, or they did a bad job of building their website.

To throw gas on the fire, The counter-claim from MtGox's MagicalTux was that:

Kevin had only one chance that day to place his 0.01 buy order. So either he had a lot of luck, and somehow knew it was the right time to place a 0.01 buy order, or something smells fishy in there. It's not up to me to decide, but I will report this as it has become a public matter.

Why, exactly, they felt the need to cast blame on Kevin, I'm not certain. Especially when they had IP logs that showed the Hacker logging in from China, and Kevin from the US. Granted, it is a relatively trivial matter to mask your IP, but in that case, why not mask both of them, and claim your account was hacked as well? No, I believe Kevin to be as much a victim of this hack as we are, albeit one who thought he was rich, for a second.

To fix the Hack, MtGox Rolled back the trades. This caused a lot of consternation, which Kevin summed up nicely:

On top of how misleading I felt they were being about what I knew occurred, I felt it was far worse that they were using this argument for why they wanted to undo the trades. From reading their public statements, they're making it sound like they're reverting the trades because they want to prevent a hacker from profiting from it. This is simply not true, the vast majority, if not all of the buy orders that picked up coins at a low price were regular users like myself. Any profit this hacker was going to make, he's already done so. The majority of the buy orders that got executed were standing orders from legit users that had been in the system for quite some time, and those are the orders he's threatening to revert.

I see his point. However, whichever method the attacker took, it was still a hack, which means that someone lost Bitcoins. Worse, the Bitcoins that were sold may have been fraudulently created, which would mean that if Kevin cashed out all of his new-found millions, it would bankrupt MtGox, and possibly make them unable to repay the other customers. So whether they came from some rich customer with a weak password, or were minted from thin air, they need to go back to where they came from. A rollback was the right thing to do in my opinion.

It's not clear as to whether or not they actually went through with their stated intention of going to the authorities with the attack, but I hope they did not. Just as I hope that no one takes a case against MtGox. The 'authorities' won't care about helping anyone in the Bitcoin community, as plenty of people have pointed out. Worse, they could actually take it seriously, and start to view Bitcoin as a threat. Now, as I outlined in my last article, actually taking down Bitcoin may well prove impossible, but they can certainly start a propaganda campaign against it.

My vote is for a 3rd-party auditor (hopefully, a more trustworthy one, this time) to examine the logs and come out with the truth, if anything is done. At this point, with everything returned to the way it was before the attack, and people trading again, I'd say the damage is repaired, and it may just be best to move on. MtGox has reworked their security, and considerably locked down their password database, and may well be the most secure trading site on the net now.

Random Articles

blog comments powered by Disqus