kaerf
Hero Member
Re: PicoStocks, bitcoin stock exchange, May 27, 2013, 09:07:58 AM, #41

I see that you recognize the trading fee is a bit high...as well as poor liquidity. Any reason for keeping the trading fee @ 1%?

tytus
Sr. Member
Re: PicoStocks, bitcoin stock exchange, June 10, 2013, 05:13:53 PM, #43

PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb

We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

kaerf
Hero Member
Re: PicoStocks, bitcoin stock exchange, June 10, 2013, 05:27:01 PM, #44

wow. was there actually that much liquidity or did the victim have a lot of coin in his account?

it's somewhat disconcerting seeing coin from my deposit address being transferred out to the hacker's account. can you confirm that this was solely a user's password that was compromised and the server(s) itself were not compromised (there may be indications of attack in the logs).

tytus
Sr. Member
Re: PicoStocks, bitcoin stock exchange, June 10, 2013, 08:35:45 PM, #47

Quote from: ZoladkowaGorzka on June 10, 2013, 08:25:46 PM
Strange?
Shareholder's password got compromised and you graciously refund the loss. Why is that?
Was the password compromised on your fault? That's a great deal of money

We will refund the loss because we are operating the account for some of our bigger customers that don't know much about bitcoins and we had the same password on a few accounts which was just extremely stupid. This is clearly our fault. The system seems fine. This is clearly a human error.

We will now try to find out how the intruder discovered the passwords.

tytus
Sr. Member
Re: PicoStocks, bitcoin stock exchange, June 10, 2013, 08:40:56 PM, #48

Quote from: kaerf on June 10, 2013, 05:27:01 PM
wow. was there actually that much liquidity or did the victim have a lot of coin in his account?
it's somewhat disconcerting seeing coin from my deposit address being transferred out to the hacker's account. can you confirm that this was solely a user's password that was compromised and the server(s) itself were not compromised (there may be indications of attack in the logs).

Your deposit address is there because these are the funds that went to the hot wallet.

mrb
Legendary
Re: PicoStocks, bitcoin stock exchange, June 10, 2013, 08:42:19 PM, #49

Quote from: tytus on June 10, 2013, 05:13:53 PM
PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

tytus
Sr. Member
Re: PicoStocks, bitcoin stock exchange, June 10, 2013, 08:45:51 PM, #50

Quote from: mrb on June 10, 2013, 08:42:19 PM
Quote from: tytus on June 10, 2013, 05:13:53 PM
PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.
A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

He/She obtained access to 2 accounts that had the same password. One had shares of proph and the other had funds. He bought shares of "proph" for nothing [sold from the first stolen account] and sold it to the account that had BTC. The transfer was from his account.

tytus
Sr. Member
Re: PicoStocks, bitcoin stock exchange, June 11, 2013, 12:16:19 AM, #53

We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data ( http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html ):

... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...

this does not work properly as Recipe->id is overwritten by data;

The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).

The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.

kaerf
Hero Member
Re: PicoStocks, bitcoin stock exchange, June 11, 2013, 01:53:25 AM, #54

Quote from: tytus on June 11, 2013, 12:16:19 AM
We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data ( http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html ):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
this does not work properly as Recipe->id is overwritten by data;
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.
Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.

ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?

this bit of code:

$this->Recipe->save($this->request->data);

looks awfully scary...if it happens in one place, it's likely to happen in other parts of the code. i'm not an expert with cake, but i do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
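The following PHP 7.4+ script is an added illustration of the pattern tytus (#53) and kaerf (#54) are discussing; it is not code from PicoStocks, from CakePHP, or from either poster. ToyModel is a hypothetical stand-in for an ORM model whose save() merges submitted data into a row and, like the quoted snippet, lets a primary key found in that data replace the id the controller set beforehand. The table rows, the request body, the session user id and the two controller functions are all constructed for the demonstration. The vulnerable action hands the whole request body to save(); the hardened one takes the record id from the session only, strips the primary key from the request before saving, and whitelists the single column the form is allowed to change.

```php
<?php
declare(strict_types=1);

// Added example, not PicoStocks or CakePHP code. ToyModel is a hypothetical
// stand-in for an ORM model: save() merges submitted data into a row, and a
// primary key inside the submitted data wins over the id set by the caller.
final class ToyModel
{
    public string $alias = 'User';
    public string $primaryKey = 'id';
    public ?int $id = null;   // record the controller means to update
    /** @var array<int, array<string, string>> constructed in-memory table */
    public array $rows = [
        1 => ['email' => 'alice@example.invalid',     'password' => 'hash-alice'],
        7 => ['email' => 'bigholder@example.invalid', 'password' => 'hash-holder'],
    ];

    /** @param string[] $fieldList columns allowed to be written (empty = all) */
    public function save(array $data, array $fieldList = []): int
    {
        $fields = $data[$this->alias] ?? [];
        if (isset($fields[$this->primaryKey])) {
            // The pitfall from the thread: submitted id overrides $this->id.
            $this->id = (int) $fields[$this->primaryKey];
            unset($fields[$this->primaryKey]);
        }
        if ($this->id === null) {
            throw new RuntimeException('no record selected');
        }
        if ($fieldList !== []) {
            $fields = array_intersect_key($fields, array_flip($fieldList));
        }
        $this->rows[$this->id] = array_merge($this->rows[$this->id] ?? [], $fields);
        return $this->id;
    }
}

// Vulnerable action: sets the id, then passes the whole request body to save().
function changePasswordVulnerable(ToyModel $m, int $sessionUserId, array $request): int
{
    $m->id = $sessionUserId;
    return $m->save($request);
}

// Hardened action: record id from the session only, primary key removed from
// the request before save(), and only the password column may be written.
function changePasswordHardened(ToyModel $m, int $sessionUserId, array $request): int
{
    unset($request[$m->alias][$m->primaryKey]);
    $m->id = $sessionUserId;
    return $m->save($request, ['password']);
}

// Constructed request: user 1 is logged in, but the body also carries id=7.
$request = ['User' => ['id' => '7', 'password' => 'hash-chosen-by-sender']];

$m = new ToyModel();
$written = changePasswordVulnerable($m, 1, $request);
printf("vulnerable: wrote row %d; row 7 password is now '%s'\n", $written, $m->rows[7]['password']);

$m = new ToyModel();
$written = changePasswordHardened($m, 1, $request);
printf("hardened:   wrote row %d; row 7 password is still '%s'\n", $written, $m->rows[7]['password']);
```

Run it with `php mass_assignment_demo.php` (any file name works). The whitelist mirrors the fieldList argument that CakePHP's Model::save() has long accepted, but whether a framework applies its whitelist before or after it picks the primary key out of the data varies by version, so in a real code base the step not to skip is removing the key from request data and taking the record id from the authenticated session; the same review applies to every other call that feeds request data straight into save().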