BTER exposes your passwords and they don’t care

The problem has been fixed by Bter. I’d like to thank them for their support.

The article is still available for historical reasons.

Be careful when you use the bitcoin exchange BTER. It can expose your password, allowing anyone who sniffs it to withdraw your money: anyone connected to your WiFi, your ISP, the NSA, whoever controls your router, or a Tor exit node if you use one.

What is happening?

If you go to any financial site, you’re immediately redirected to the secure, encrypted https version. That way a man-in-the-middle cannot see your password when you log in and cannot steal your cookies.

[Screenshot: the unencrypted http address being redirected to the encrypted https version]

Bitfinex goes a step further and even asks the user to make sure they’re using https:

[Screenshot: Bitfinex notice reminding the user to check for https]

What is BTER doing wrong?

[Screenshot: BTER login page served over plain http]

Why isn’t the login page encrypted?

If you connect explicitly to https://bter.com you’ll get the secure, encrypted version of their website. However, if, like me, you always type URLs by hand, you’ll end up at http://bter.com. BTER is the only bitcoin exchange I know that doesn’t redirect you to the secure version.

[Screenshot: password, captured with a sniffer.]

This means your username, password, cookies and “fund password” can be stolen: basically everything needed to withdraw your money. Even if you use two-factor authentication, an attacker can simply mount a man-in-the-middle attack, which would not be possible over https.
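To make “secure by default” concrete, here is a small checker (an added example, not code from the original post or from BTER) that looks at what a browser receives after requesting the plain http:// address and reports the two problems described above: no redirect to https, and session cookies issued without the Secure attribute. The hostname, status codes and cookie values are constructed samples; the header list uses the same shape that Python’s http.client returns from getheaders(), so the functions also work on a live response.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses (hostname and cookie values are made up), in the
# (status, [(header, value), ...]) shape that http.client's getheaders() returns.
# SECURE_BY_DEFAULT: a plain-http request is immediately sent to https://.
SECURE_BY_DEFAULT = (301, [("Location", "https://exchange.example/"),
                           ("Content-Length", "0")])
# SECURE_ON_DEMAND: the login page is served over plain http and sets a
# session cookie that the browser will resend over plain http as well.
SECURE_ON_DEMAND = (200, [("Content-Type", "text/html"),
                          ("Set-Cookie", "PHPSESSID=0123abcd; path=/; HttpOnly"),
                          ("Set-Cookie", "remember=1; path=/; Secure; HttpOnly")])

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def header_values(headers, name):
    """All values of a header, matched case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def redirects_to_https(status, headers):
    """True only if the plain-http request is redirected to an https:// URL.
    A redirect to another http:// URL (e.g. /login) still leaves the user exposed."""
    if status not in REDIRECT_STATUSES:
        return False
    targets = header_values(headers, "Location")
    return bool(targets) and urlsplit(targets[0]).scheme.lower() == "https"


def cookies_without_secure(headers):
    """Names of cookies this response sets without the Secure attribute;
    anyone sniffing the path sees those on every later plain-http request."""
    leaky = []
    for raw in header_values(headers, "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        leaky += [name for name, morsel in jar.items() if not morsel["secure"]]
    return leaky


def audit_plain_http_response(status, headers):
    """List the findings for what a user gets after typing the bare hostname."""
    findings = []
    if not redirects_to_https(status, headers):
        findings.append("no redirect to https: login form and password travel in clear text")
    leaky = cookies_without_secure(headers)
    if leaky:
        findings.append("cookies without Secure attribute: " + ", ".join(leaky))
    return findings
```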

What does BTER support think about this?

It looks like they don’t care. See “BTER exposes your passwords and they don’t care [e-mail copy]” for my e-mail exchange with Bter staff.

What should you do about this?

  1. If you’re not sure that you always used the https version of BTER, change your passwords as soon as possible using the encrypted version: https://bter.com.
  2. Install a plugin that makes you use https whenever it’s available: HTTPS Everywhere.
  3. Spread the word. It’s a critical bug that the staff isn’t willing to fix. I’m sure someone has already lost money due to an unauthorized withdrawal.
  4. Write to the BTER admins that their site should be secure by default, not on demand: email admin@mail.bter.com or open a ticket request.

6 thoughts on “BTER exposes your passwords and they don’t care”

  1. Pingback: BTER leaks your passwords and they don’t care [e-mail copy] | bcdev.net

  2. bc Post author

    @Bob:
    Ask yourself honestly, “Does anyone want their BTC stolen?” No. So “freedom of choice” in the aspect of security is wrong. Security should always be the default choice. On BTER it isn’t. Thus many people have a false sense of security. Including me, for a long time.
  3. stathis

    Thank you for publishing this! This is a serious security “bug” (bad practice) that a 5 year old could fix in 30 min. I don’t want to imagine how they handle their wallets, or more complex stuff, if they allow this to happen.
  4. Pingback: BTER exposes your passwords and they don’t care - Just found this article on /r/bitcoin. Don’t shoot the messenger. :) | Much Doge News .com

  5. Bter

    Hi,

    Thanks a lot for your report.
    We used to force all users to use an SSL connection until some users complained that their mobile devices don’t support SSL very well.
    So we give the choice to our users. However, we still use the SSL connection as the link of our logo. If you click it you will be directed to the SSL URL.
    Users are also secured by the IP restriction, which protects users who leak their cookies.
    But anyway, we agree that security is very important for an exchange like us. We are going to force all users to use SSL again.

    Thanks again for your care!

    Best,
    Bter.com
