Problem has been fixed by Bter. I’d like to thank them for their support.
Article is still available for historical reasons.
Be careful when you use the bitcoin exchange BTER. It can expose your password, allowing anyone who sniffs it to withdraw your money. This includes anyone connected to your WiFi, your ISP, the NSA or your router. Or a Tor exit node, if you use one.
What is happening?
If you go to any financial site, you’re immediately redirected to a secure, encrypted https version. That way a man-in-the-middle cannot see your password when you log in and cannot steal your cookies.
Bitfinex goes a step further and even asks the user to make sure they’re using https.
What is BTER doing wrong?
If you connect explicitly to https://bter.com you’ll get to a secure, encrypted version of their website. However, if you do like me and always type your URLs by hand, you’ll get to http://bter.com. BTER is the only bitcoin exchange I know of that doesn’t redirect you to a secure version.
It means that your username, password, cookies and “fund password” can be stolen: basically everything that is needed to withdraw your money. Even if you use two-factor authentication, an attacker can simply mount a man-in-the-middle attack on the plain-http connection, which https would prevent.
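The behaviour described above (a login page served over plain http, with no redirect to https) is something you can check for yourself before trusting any exchange. The script below is an added example written for this article, not code from BTER or from the original post: it parses the raw response to a plain-http `GET /` and the response to the https version, and reports the weaknesses discussed here (no redirect to https, cookies set without the `Secure` flag, no HSTS header). The hostname `exchange.example` and the sample responses are constructed for the demonstration; the `fetch_raw` helper lets you run the same checks against a real host you are responsible for.

```python
"""Check whether a site's plain-http entry point redirects to https and
whether its session cookies could be sniffed in transit.

Added example for this article. The sample responses below are
constructed, not captured from bter.com or any other real exchange."""
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MIN_HSTS_AGE = 180 * 24 * 3600  # six months; shorter values give little protection


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))  # keep duplicates (Set-Cookie)
    return status, headers, body


def header_values(headers, name):
    return [value for header, value in headers if header == name]


def cookie_attrs(cookie: str):
    """Return the lower-cased attribute names of a Set-Cookie value."""
    return {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}


def assess_http_entry(raw: bytes, host: str):
    """Findings for the response to `GET / HTTP/1.1` sent over plain http."""
    status, headers, _ = parse_response(raw)
    findings = []
    location = header_values(headers, "location")
    if status in REDIRECT_CODES and location:
        target = urlsplit(location[0])
        if target.scheme != "https":
            findings.append("redirects, but not to https")
        elif target.hostname != host:
            findings.append(f"redirects to a different host: {target.hostname}")
    else:
        findings.append("no redirect to https: the page (and any login form on it) travels in cleartext")
    for cookie in header_values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0]
        if "secure" not in cookie_attrs(cookie):
            findings.append(f"cookie {name!r} set over http without the Secure flag")
    return findings


def assess_https_entry(raw: bytes):
    """Findings for the response to `GET / HTTP/1.1` sent over https."""
    _, headers, _ = parse_response(raw)
    findings = []
    hsts = header_values(headers, "strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header: browsers will keep trying http first")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";")]
        max_age = next((int(d.split("=", 1)[1]) for d in directives if d.startswith("max-age=")), 0)
        if max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age too short ({max_age}s)")
    for cookie in header_values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0]
        missing = {"secure", "httponly"} - cookie_attrs(cookie)
        if missing:
            findings.append(f"cookie {name!r} lacks {', '.join(sorted(missing))}")
    return findings


# Constructed sample responses (not real captures).
UNSAFE_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n\r\n"
               b"<html><form method=post action=/login>...</form></html>")
SAFE_HTTP = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://exchange.example/\r\nContent-Length: 0\r\n\r\n"
SAFE_HTTPS = (b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>...</html>")
NO_HSTS_HTTPS = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>...</html>"


def fetch_raw(host: str, use_tls: bool) -> bytes:
    """Fetch GET / from a live host and rebuild the response head as bytes."""
    import http.client, ssl
    conn = (http.client.HTTPSConnection(host, timeout=10, context=ssl.create_default_context())
            if use_tls else http.client.HTTPConnection(host, timeout=10))
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode()
    for name, value in resp.getheaders():
        head += f"{name}: {value}\r\n".encode()
    conn.close()
    return head + b"\r\n"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    if host:
        print("http :", assess_http_entry(fetch_raw(host, False), host) or "ok")
        print("https:", assess_https_entry(fetch_raw(host, True)) or "ok")
    else:
        print("sample http :", assess_http_entry(UNSAFE_HTTP, "exchange.example"))
        print("sample https:", assess_https_entry(NO_HSTS_HTTPS))
```

Run it with no arguments to see the constructed samples evaluated, or with a hostname to check a site you operate. An empty list for both entry points is what a financial site should produce: every plain-http request bounces to https on the same host, the https response carries a long-lived HSTS policy, and session cookies are marked `Secure` and `HttpOnly`.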
What does BTER support think about this?
It looks like they don’t care about this. See BTER exposes your passwords and they don’t care [e-mail copy] for my e-mail exchange with Bter staff.
What should you do about this?
- If you’re not sure that you have always used the https version of BTER, change your passwords as soon as possible using the encrypted version: https://bter.com.
- Install a plugin that makes you use https whenever it’s available: HTTPS Everywhere.
- Spread the word. It’s a critical bug that the staff isn’t willing to fix. I’m sure someone has already lost their money to an unauthorized withdrawal.
- Write to the BTER admins that their site should be secure by default, not on demand: email firstname.lastname@example.org or open a ticket request.