Security researcher Egor Homakov is the one who reported the exploit to MtGox

Jan 14, 2014 09:36 GMT

Security researcher Egor Homakov has identified a couple of vulnerabilities on the website of Mt.Gox, one of the world’s largest Bitcoin exchange services, that could have been exploited to hijack user accounts.

The researcher says his exploit leveraged a cross-site scripting (XSS) vulnerability in payments.mtgox.com, which he found in a matter of 5 minutes. Combined with a session fixation vulnerability, the flaw allowed him to perform any action on a targeted account.
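The session fixation half of that chain is the part a defender can close on the server side, independently of whether an XSS exists. The following is an added illustration, not code from the article or from Mt.Gox's site, using a hypothetical in-memory `SessionStore`: the vulnerable login handler keeps whatever session id the request arrived with and simply marks it authenticated, so an id that was already known to someone else before login stays valid afterwards; the hardened handler discards the pre-authentication session and issues a fresh, unpredictable id on login. The `session_cookie` helper shows the cookie attributes that limit what page script can do with the id, with the caveat that those attributes alone do not stop fixation.

```python
"""Session fixation: vulnerable vs. hardened login handling (added example, hypothetical store)."""
import secrets


class SessionStore:
    """Stand-in for a web framework's session backend (hypothetical, in-memory)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": username or None}

    def new_anonymous_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, username):
        # Marks whatever session id arrived with the request as authenticated.
        # If that id was already known to a third party before login (for example
        # because a script on the site set the cookie), that party now shares the
        # authenticated session. This is the session fixation weakness.
        sess = self._sessions.setdefault(sid, {"user": None})
        sess["user"] = username
        return sid

    def login_hardened(self, sid, username):
        # Invalidate the pre-authentication session and issue a fresh id, so no id
        # that existed before login remains valid afterwards.
        self._sessions.pop(sid, None)
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = {"user": username}
        return fresh

    def user_for(self, sid):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


def session_cookie(sid):
    # HttpOnly keeps page script from reading the id, Secure limits it to TLS,
    # SameSite=Lax narrows cross-site sends. None of these rotate the id on login,
    # so they complement login_hardened rather than replace it.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo(hardened):
    """Constructed scenario: a session id is known to a third party before the user logs in."""
    store = SessionStore()
    planted = store.new_anonymous_session()  # id that existed before authentication
    if hardened:
        active = store.login_hardened(planted, "alice")
    else:
        active = store.login_vulnerable(planted, "alice")
    return {
        "planted_id_authenticated": store.user_for(planted) == "alice",
        "active_id_authenticated": store.user_for(active) == "alice",
        "id_rotated": active != planted,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))
    print("hardened:  ", demo(hardened=True))
    print(session_cookie("<fresh id>"))
```

The check worth keeping in an integration test is the first key of `demo`: after a successful login, any session id that was valid before authentication must no longer map to the logged-in user.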

The security hole was reported to Mt.Gox on January 11. The Bitcoin exchange addressed it today.

Homakov highlights the fact that the vulnerability is easy to find, so it is possible that cybercriminals exploited it in the wild before it was fixed.

“In no time bitcoin got some good value, but security level of bitcoin websites didn't play along,” the researcher said.

Additional technical details on the Mt.Gox account hijacking exploit can be found on Homakov’s personal blog.