This repository has been archived by the owner on Sep 2, 2023. It is now read-only.
I know the Ripple security flaw via which this guy's XRP were stolen. Been trying to tell you guys via email because saying it here will allow others to use the exploit!
I exchanged emails with @thekelsey and he provided a pretty good assessment on what likely caused some of the thefts which lines up with our own internal assessment. It's not a single security breach, but a combination of factors - weak passwords, inability to change passwords, unlimited login attempts, people using the same password on Ripple as they do on forums, etc. (I'm intentionally leaving some things off the list until we can fix them.)
There are some concrete steps that we can take to warn users who are at risk of being hacked and we'll continue to work on the login improvements (limited attempts per user) that we were planning already.
Aside from the technical measures, I'll see if we can get a blog post out to give people some advice on password security, specifically how it relates to Ripple. Holding a large number of XRP securely right now requires some cooperation from users. Don't use short/weak/guessable passwords, don't use your Ripple password anywhere else, don't log in from anywhere other than ripple.com/client, don't use any custom software that you find on forums unless you understand the code. If you're developing, don't use your real account for testing.
Keep in mind that Ripple is in beta, many improvements that we need for a really polished user experience are still in the works, so be sure you understand the risks and that you have a greater responsibility as a user.
Thanks again to @thekelsey for responsible disclosure.
Hope you put this guy in for a decent bounty
"1k – 2MM+ credits depending on the severity of the bug or exploit found. Security exploits will get rewards toward the high end of that range."
ripple guys read your emails
Issue #860