Closed webr3 closed 11 years ago
Without the details of what he did, there is no way to diagnose what happened.
Amount: 1,702,459 XRP
Path: rwx3L95gQbDjMyVyD8c7kcuXtcFyPeT4Xu → rMxtjDJUbdVjUrWXicQ57iFrGMCu3naTFg
Signing key: 02DE59D9AD47F433A1E9A4F222777A8F43964CB9E7080EEE5625CB5308B9371BF6
Signature: 304502203332618C745A57025A82A0759054106F7F8A93E8BADF58D3CD2AC38F9AFF6E420221008E6D1FEC79F5FA89872772B84396E65C94C1190CB346FA5682CAE7F82DBD866A
Hash: C0E6A3D663780C08416B1D14244C453A0CF0D10FE61AFFFF0095BB8BC51A9F00
Ledger: 866124
Yabo simply logged back in to his wallet to find all his XRP gone.
Which client did he use?
How did he create his account?
Did he have a weak password?
Details would help.
I'm trying to get all the details I can [redacted] certainly strange activity around rMxtjDJUbdVjUrWXicQ57iFrGMCu3naTFg, if you see the XRP that's been sent to it and been dumped, many of the addresses are from different, all Chinese, addresses around the web, "xrpwoman"; see also https://bitcointalk.org/index.php?topic=221100.0 for more details from other users.
Which client did he use? The website (ripple.com/client); he had not logged in to the account for 3 weeks.
Was your password strong or weak? "9 digits, letters and numbers"
Did you log in on any other websites or use the username + password anywhere else? "no"
Did anybody else know your details, or have access to your computer? "no"
From the above information, I have no idea.
It is unlikely there is a general security hole, or there would be a flood of reports.
Are there logs of IP addresses linked to transactions or suchlike? If I find a destination tag for the account pulling the BTC out, could Bitstamp help, etc.?
We don't have IP logs.
Any info / guidance you can offer would be good, there are three main questions in light of the above:
1) Is my / our XRP safe?
2) Who did this and how?
3) Can these people get their XRP back? In BTC/$ terms it's a large amount of money.
Best, Nathan
Could be those fake Chinese Ripple gateways?
I have the same issue. My XRP was stolen 3 days ago; there was 35000 XRP in my wallet, and all the balance was sent to an account I have never seen before. Transaction no. is Transaction # 4652584741564FCAD050E7500368F5A3193B95F892BBD29FB5CC0A000F6C5D7A
Please do something. It is not safe to use Ripple at all; people got disappointed.
@JoelKatz never saw this coming, did we :( (ya going to blame users' weak pw on this one?) Like I was saying on rippleforum (kelsey), few dumb users lose their XRP or anything in their account... Ripple loses its safe rep, no matter if it's users' dumb pw or what the cause... (btw also got to question why users have 1.7 mil XRP) but I have already seen some rather successful XRP scams (been watching their ripple wallets fill from them)
We don't have IP logs.
Also a few double-ur-money scams out there with a lot of one-way traffic.
@thekelsey There's nothing we can do. We don't operate the network. We don't host the wallets. Users create accounts and then those are the user's accounts. We have no control over how they are accessed. I'm not sure whether these compromises are due to weak passwords, trojaned computers, or trojaned wallet programs (and we should definitely work to figure out exactly what's going on). But Ripple is a hard money system, payments in Ripple are peer-to-peer, irreversible payments.
We hope to provide a stand alone wallet shortly.
I suspect that the victims used the SAME username/password across different websites and the hacker compromised one of the weak links. A few major Chinese websites/forums kept user passwords in plain text, and they were leaked a couple of years ago. If some of you are still using the same user/pass, no wonder you are doomed.
We hope to provide a stand alone wallet shortly.
I definitely agree about an easy-to-use fully offline wallet. That would solve a number of problems, particularly people who use the same username/password for their wallet as they use for other things or sites that trick people into giving their username/password.
Are passwords stored hashed (with salt?) as per best practise? The fact I can display my passphrase in my account suggests otherwise (unless stored in memory from login, which isn't good either).
Passwords aren't stored at all. The secret is stored inside the wallet, but the wallet is encrypted with the username and password.
I double checked all of these transactions to be absolutely sure they were properly signed. They are. The thief is getting people's secrets somehow.
A 9 digit passphrase is NOT safe. See:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
On 2 June 2013 21:49, JoelKatz notifications@github.com wrote:
I double checked all of these transactions to be absolutely sure they were properly signed. They are. The thief is getting people's secrets somehow.
— Reply to this email directly or view it on GitHub: https://github.com/rippleFoundation/ripple-client/issues/838#issuecomment-18812516
On 2 June 2013 08:04, coltnz notifications@github.com wrote:
Are passwords stored hashed (with salt?) as per best practise? The fact I can display my passphrase in my account suggests otherwise (unless stored in memory from login, which isn't good either).
There's no salt, unless you call the username salt, but this can be found often from the forum thread.
One obvious attack vector would be to brute force the payward vault, but you will incur latency over HTTP requests. The logs at payward may be revealing ...
@coltnz "The fact I can display my passphrase in my account suggests otherwise (unless stored in memory from login which isn't good either." How else would you perform transactions? You need the secret to perform transactions.
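The official team should set up a transaction password internally, so that even if the account is lost there is still another layer of protection; at the same time, we also need to take care of our own protection.
My address is the one which has also been stolen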
so pity
Why can't the secret always be hashed (and salted) before use?
On 3 June 2013 11:35, JoelKatz notifications@github.com wrote:
@coltnz https://github.com/coltnz "The fact I can display my passphrase in my account suggests otherwise (unless stored in memory from login which isn't good either." How else would you perform transactions? You need the secret to perform transactions.
Because then the hashed and salted secret would be the "real secret" which would then be stored in the clear. The "secret" is whatever you need to perform transactions. That's what you need to protect and that's what a thief will try to steal. Whatever that secret is, that's what you need to store, because that's what you need to perform transactions.
Hashing and salting are techniques used when one party controls another party's access to something. It doesn't work when there aren't two parties.
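The distinction drawn in the comment above, as an added example that is not part of the original thread or the Ripple client's code: a salted hash protects a password that a second party verifies, but a hashed-and-salted signing secret is simply the new secret. HMAC stands in for the ledger's public-key signature, and all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def stored_password_record(password):
    """Two-party case: the server keeps (salt, hash), never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def server_login(record, presented):
    """The server hashes whatever is presented, so a stolen hash is not a login."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented, salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def derive_signing_key(secret, salt):
    """One-party case: 'hash and salt the secret before use'."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def sign(signing_key, tx):
    # Assumption: HMAC is a stand-in for the real transaction signature.
    return hmac.new(signing_key, tx, hashlib.sha256).digest()

def network_accepts(account_key, tx, signature):
    """Stand-in for the network checking that a transaction is properly signed."""
    return hmac.compare_digest(sign(account_key, tx), signature)

def demo():
    # Password verification: the stored hash is useless as a credential.
    record = stored_password_record("constructed-password")
    ok_with_password = server_login(record, b"constructed-password")
    ok_with_stolen_hash = server_login(record, record[1])

    # Signing: the wallet must keep the derived key to sign at all, so anyone
    # who copies that stored value signs without knowing the original secret.
    salt = os.urandom(16)
    stored_in_wallet = derive_signing_key("constructed-wallet-secret", salt)
    tx = b"constructed sample payment"
    thief_signature = sign(stored_in_wallet, tx)
    return ok_with_password, ok_with_stolen_hash, network_accepts(
        stored_in_wallet, tx, thief_signature)

if __name__ == "__main__":
    print(demo())
```
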
We are doing an investigation on those thefts. Please send me an email to vhpoet@gmail.com (subject:lostxrp) whoever lost money. I will send you some questions to answer. I'm closing this issue as it's not a client related bug.
The holder of the account rMxtjDJUbdVjUrWXicQ57iFrGMCu3naTFg is breaking into people's Ripple accounts somehow, stealing their XRP, and dumping it into BTC.
One of my Chinese friends, Yabo, has had over 1.7 million XRP stolen from his account rwx3L95gQbDjMyVyD8c7kcuXtcFyPeT4Xu. Another user is complaining of the same thing on the Chinese bitcoin forums: https://bitcointalk.org/index.php?topic=221136.new
Please advise ASAP.