
Security Risk Identified at BitFunder – Bitcoin Crowdfunding Site with $12M+ in Held Assets

BitFunder is one of the largest bitcoin equity exchanges. Users are able to quickly trade bitcoin-denominated equity in a market with significantly more liquidity than the bitcointalk.org forums, the primary alternative. BitFunder currently controls over $12 million in assets (full table is at end); the largest of these are AMC $5.7M, Kenilworth $4.7M, and ASICMINER $4.5M. Additionally, BitFunder controls an undisclosed amount of BTC that users have stored in their wallets waiting for proper investment.

[Figure: top 5 market cap]

Bitcointalk.org user HostRider is reporting a vulnerability in the BitFunder website that allowed a malicious script to buy shares using his account, before transferring them to another account. 9.99 BTC was allegedly used to purchase 2,869 shares of G.SDICE, which was then transferred to the account htemp. This transaction is irreversible, and presents serious risk to BitFunder users. The code itself is fairly simple to write, and can be executed from any website in which javascript is enabled:

<form id="csrf" action="https://bitfunder.com/transfer" method="post">
   <input type="hidden" name="asset" value="g.sdpt">
   <input type="hidden" name="amount" value="100">
   <input type="hidden" name="to_name" value="htemp">
</form>
<script>$("#csrf").submit()</script>

The above HTML uses your current BitFunder session to send 100 shares of the asset “g.sdpt” to the account “htemp”. A malicious user could embed this code on any web page to transfer shares to their own account: if you have BitFunder open, any web site opened in another tab could transfer shares out of your account. Two conditions had to hold for this to work: the user must be logged into their BitFunder account, and the user must not have enabled two factor authentication.

BitFunder has been hesitant to issue a refund since the possibility of fraud is so high. It is difficult to determine whether HostRider's account was actually hacked, or whether the shares were simply traded to htemp intentionally. When the transfer occurred, two factor authentication was not required to transfer shares. The day after this was discovered, BitFunder enabled two factor authentication for all share transfers by default. The vulnerability could also be mitigated by implementing CSRF tokens in their browser sessions, which would prevent these cross-site forgeries.
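As an added illustration of the CSRF-token mitigation mentioned above (example code written here, not BitFunder's own; the endpoint and field names come from the article's form, while the session store, handler and evil origin are assumed), this is the server-side check a transfer endpoint would need so that a form posted from another site is rejected while the site's own form is accepted:

```python
import hmac
import secrets

SITE_ORIGIN = "https://bitfunder.com"  # origin the article's form posts to


def new_session(user):
    """Logged-in session carrying a fresh, unguessable synchronizer token."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def render_transfer_form(session):
    """Hidden field the site's own transfer page would embed alongside asset/amount/to_name."""
    return {"csrf_token": session["csrf_token"]}


def handle_transfer(session, headers, form):
    """Server-side handling of POST /transfer (assumed handler, not BitFunder's code).

    Returns ("ok", details) or ("rejected", reason). Two independent checks:
    1. If the browser sent an Origin header, it must be the site's own origin.
    2. The form must carry the token stored in the session (constant-time compare).
    A page on another site cannot read the victim's token, so its forged POST fails.
    """
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return ("rejected", "cross-origin request")
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return ("rejected", "missing or invalid CSRF token")
    # Only now act on the request; the share transfer itself would happen here.
    return ("ok", {"from": session["user"], "to": form["to_name"],
                   "asset": form["asset"], "amount": int(form["amount"])})


# Constructed sample requests (not captured traffic); fields mirror the article's form.
FORGED = {"asset": "g.sdpt", "amount": "100", "to_name": "htemp"}


def demo():
    session = new_session("victim")
    return {
        # forged POST from a page on another site: browser attaches Origin
        "forged_with_origin": handle_transfer(session, {"Origin": "https://evil.example"}, FORGED),
        # same forged POST with no Origin header: still lacks the token
        "forged_no_origin": handle_transfer(session, {}, FORGED),
        # the site's own form, which includes the session token
        "legit": handle_transfer(session, {"Origin": SITE_ORIGIN},
                                 dict(FORGED, **render_transfer_form(session))),
    }
```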

BitFunder should be treated like any other banking website. Users should enable two factor authentication whenever possible and log out of any active sessions when their transactions are completed. Additionally, using private browsing sessions will reduce the likelihood of other browser tabs being able to act on your account. It remains to be seen whether other similar loopholes exist on BitFunder for users who do not have these security measures enabled, so this theft should serve as a lesson for all users to enable two factor authentication as soon as possible.

[Table: full market cap]
