Author: Doug Huff 2011-06-21 04:49:26
Published on: 2011-06-21T04:49:26+00:00
On June 17th, 2011, dozens of hashed MtGox passwords were quietly posted on a hash-cracking forum by a user going by "georgeclooney". The majority of those hashes matched the MtGox database that was posted on various websites and forums after the big event. Many MtGox users claimed their accounts had been robbed before the big event on Sunday, which is consistent with the possibility that the forum post was generated from an earlier dump than the one disclosed officially. On June 20th, Doug Huff wrote an email mentioning two independent sources who claimed knowledge of SQL injection vulnerabilities in MtGox. One was confirmed to have been patched on the 16th; the other had not been patched at the time of the market crash and database leak. It was also found that MtGox exposed its admin user interface even to users who did not have the admin flag set on their account. At present, most actions attempted through that interface appear to throw permission errors, but this cannot be confirmed at this time. The details of the referenced XSS+CSRF issue are provided; whether it is still an issue is unknown, as the site cannot be accessed. MagicalTux's official response at the time of writing is attached to the email.
Updated on: 2023-05-26T18:27:33.102914+00:00