Breaking: Reports of LocalBitcoins.com funds going missing

Last Updated April 26, 2023 8:10 AM
Jonathan Saewitz
Editor’s Note: Disable JavaScript before withdrawing your funds from LocalBitcoins.com

There have been numerous reports of funds going missing from the popular bitcoin trading website LocalBitcoins.com, the most popular of which was posted on reddit recently. None of these reports have been confirmed by LocalBitcoins staff. LocalBitcoins staff is aware of and is investigating the issue. The post on reddit suggested that this is not related to the recent Heartbleed bug, as the user who reported the missing funds has changed their password since.

In addition, the Redditor claims that his newly changed password was random and 30+ characters, not something that could be easily brute-forced. On top of that, he also had two-factor authentication on at the time.

Attack Vector

Disable JavaScript when withdrawing your bitcoins from LocalBitcoins. It seems the attack is an XSS attack, as the fraudulent withdrawals all occur in the period after an attempted real withdrawal. Stay tuned for more information. A man-in-the-middle attack has not yet been ruled out.


LocalBitcoins Adds Holding Risk To Transaction Risk

A few weeks ago, one of our authors, Venzen, had an experience via LocalBitcoins.com that he wrote about here on our site. LocalBitcoins.com’s CEO discussed the possibility of a security risk to LocalBitcoins:

GP: Cryptocoinsnews.com recently posted an article ‘Localbitcoins.com Transaction Risk Alert’. As the headline suggests, the journalist who wrote the article gave a strong impression that there is something wrong with the LocalBitcoins service itself. What is your take on this?

NK: Well, you can definitely argue that LocalBitcoins.com is not perfect by any means, and there are plenty of improvements to do. However, I dare to say that although the experience of that particular customer was really unfortunate, some of the shortcomings expressed by the writer might be rather difficult to solve by us. It is true that LocalBitcoins is not particularly good for high frequency trading, and therefore utilizing rapid movements with bitcoin price might not work so well with localbitcoins. Also, using the service with bad internet connection might be difficult. With this particular case the other party was not available at the correct moment, so we might need to figure out how to inform our users better what are the things to be considered before the trade especially if conditions of the trade are challenging (bad internet connection, long distance to the bank, etc.).

The rest of the article focused on LocalBitcoins.com’s work to bring Bitcoin ATMs to Europe. Needless to say, LocalBitcoins should probably focus more on their website security than their physical expansion.

Edit 1: 4/17/14 4:43 PM EST. LocalBitcoins has released an official statement regarding the reports. They said that it appears fewer than 30 users were affected, with fewer bitcoins reported missing. The release says that none of these users had two-factor authentication enabled, and that nothing indicates that it was a security flaw on LocalBitcoins’ side. Rather, the breach might have been through phishing or malware. There have been three reported cases in the last month where the accounts of users who had two-factor authentication were compromised. Not enough details are known about these cases to draw conclusions.

If the above link for the press release isn’t working for you, copy and paste this link into your browser: http://localbitcoins.blogspot.fi/2014/04/initial-response-regarding.html