-
HDBits Bitmetv exploit
This appeared on the bitmetv front page today:
SECURITY RISK:
Another torrent site - HDBITS - has been using their own members' accounts (WITHOUT THEIR PERMISSION) who are also members here and running an exploit through those members' accounts. If you have accounts on both sites (especially where your password may be the same as here) then we advise that you change your PASSWORD and PASSKEY to avoid your account ending up possibly disabled. We apologise for this but this message is in our own members' best security interests.
Regards,
//BitMeTV.org Staff
Anyone know anything more about it?
EDIT:
A bitmetv admin presented the following two lines of what is presumably an IRC log as "proof."
10.10.29 [user] THEN WHY THE F**K WAS MY PASSKEY BEING USED ON UR F**KING RSS FEED
10.10.29 » (Valerio) why do you care? it would've been unnoticible if i had moved the thing before i changed it :S
-
Re: HDBits Bitmetv exploit
Beats me. We all know how paranoid bitmetv is. But either it's true or not, it'd be hard to just imagine it.
Sucks, Firon is an admin at HDBits. He's already had plenty of aspersions cast over him over utorrent; this won't help.
-
Re: HDBits Bitmetv exploit
They banned one of the HDBits admins. He got mad at them... :D :lol:
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
Ne'tu
They banned one of the HDBits admins. He got mad at them... :D :lol:
What was the exploit?
-
Re: HDBits Bitmetv exploit
i'm sure it is true...
when i hacked them a while back, i read their staff forums, and they were fighting against that other hd tracker (bit-hdtv)... and they were downloading movies from there to post them on their own tracker and also planning on how to take them out... back then bit-hdtv had security vulnerabilities so they didn't have to use their users' passwords (and i don't recall seeing any table that logged them in clear text).. they just hacked them and logged in as them... it's not hard though to modify the login script to store the plaintext password as well...
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
Ne'tu
They banned one of the HDBits admins. He got mad at them... :D :lol:
Maybe they will kill him soon :D
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
Jaits
i'm sure it is true...
when i hacked them a while back, i read their staff forums, and they were fighting against that other hd tracker (bit-hdtv)... and they were downloading movies from there to post them on their own tracker and also planning on how to take them out... back then bit-hdtv had security vulnerabilities so they didn't have to use their users' passwords (and i don't recall seeing any table that logged them in clear text).. they just hacked them and logged in as them... it's not hard though to modify the login script to store the plaintext password as well...
uhh!!..hacked them?
-
Re: HDBits Bitmetv exploit
How very professional of HDBits, supposedly the largest HD tracker.
(if it's true, of course)
-
Re: HDBits Bitmetv exploit
all u need is to know a little PHP...
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
Jaits
i'm sure it is true...
when i hacked them a while back, i read their staff forums, and they were fighting against that other hd tracker (bit-hdtv)... and they were downloading movies from there to post them on their own tracker and also planning on how to take them out... back then bit-hdtv had security vulnerabilities so they didn't have to use their users' passwords (and i don't recall seeing any table that logged them in clear text).. they just hacked them and logged in as them... it's not hard though to modify the login script to store the plaintext password as well...
omg are they that easy to hack or what? you'd think private BT sites care about security...
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
seppypom
Who said it was easy
well the way they said it made it look fairly easy, for someone who has some experience in that area of course
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
Ne'tu
They banned one of the HDBits admins. He got mad at them... :D :lol:
They banned xREVx the HDbits @dmin right? :huh:
-
Re: HDBits Bitmetv exploit
dudes, everything is easy when u know how to do and what to do otherwise it's damn hard.
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
gbilly72
How very professional of HDBits, supposedly the largest HD tracker.
(if it's true, of course)
it is true that HDbits did post an exploit of Bitmetv.org.
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
iNSOMNiA
Quote:
Originally Posted by
Ne'tu
They banned one of the HDBits admins. He got mad at them... :D :lol:
They banned xREVx the HDbits @dmin right? :huh:
no they ip-banned valerio (xrevx is no admin, he's not even staff)
-
Re: HDBits Bitmetv exploit
Right now HDbits isn't saying much about it, other than to deny the accusation in their forums.
BitMeTV gave the notice, but otherwise haven't given any more info on the subject.
Hopefully some explanation will come to light soon. I'm fond of both trackers.
-
Re: HDBits Bitmetv exploit
I dunno why I thought he was staff or something
anyway he has been banned too :dabs:
-
Re: HDBits Bitmetv exploit
he may have been banned, but two days ago he was an admin
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
crossfade
no they ip-banned valerio (xrevx is no admin, he's not even staff)
Quote:
Originally Posted by
seppypom
he may have been banned, but two days ago he was an admin
Ah thanks seppy, i knew i was right...as always :P
next time double check your "infos" crossfade
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
crossfade
Quote:
Originally Posted by
Jaits
i'm sure it is true...
when i hacked them a while back, i read their staff forums, and they were fighting against that other hd tracker (bit-hdtv)... and they were downloading movies from there to post them on their own tracker and also planning on how to take them out... back then bit-hdtv had security vulnerabilities so they didn't have to use their users' passwords (and i don't recall seeing any table that logged them in clear text).. they just hacked them and logged in as them... it's not hard though to modify the login script to store the plaintext password as well...
omg are they that easy to hack or what? you'd think private BT sites care about security...
how ?? RFI/LFI ,SQL INJECTION or XSS?? :naughty:
-
Re: HDBits Bitmetv exploit
A bitmetv admin presented the following two lines of what is presumably an IRC log as "proof."
10.10.29 [user] THEN WHY THE F**K WAS MY PASSKEY BEING USED ON UR F**KING RSS FEED
10.10.29 » (Valerio) why do you care? it would've been unnoticible if i had moved the thing before i changed it :S
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
iNSOMNiA
Quote:
Originally Posted by
seppypom
he may have been banned, but two days ago he was an admin
Ah thanks seppy, i knew i was right...as always :P
next time double check your "infos" crossfade
where am i wrong?
valerio, who always was hdbits admin, was banned at bmtv
xrevx is just a hdbits vip
-
Re: HDBits Bitmetv exploit
I was a member of that site but my account is probably already disabled due to inactivity. :P
-
Re: HDBits Bitmetv exploit
So what happened finally ?
-
Re: HDBits Bitmetv exploit
Really nothing interesting.
-
Re: HDBits Bitmetv exploit
Ahh the pathetic mods... Running here and there all day trying to be a little more elite than others and all they end up with is getting disabled (or fighting bitterly)... What a pathetic life... It's sad to see that the private tracker community has such bitter feelings towards each other. The average user still enjoys... :D
-
Re: HDBits Bitmetv exploit
By Hdbits
In response to the random claim that we know all your passwords and can/will use them on bitmetv if you have the same password there, I would like to point out that the only trace of your password stored in the database is your passhash.
This is a 128bit md5 hash of your password and a 20 character long random string.
For those of you who that makes no sense to, it means all that is stored is something like 1055d3e698d289f2af8663725127bd4b....which cannot be reversed back into your password.
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
kalpesh
By Hdbits
For those of you who that makes no sense to, it means all that is stored is something like 1055d3e698d289f2af8663725127bd4b....which cannot be reversed back into your password.
That's not exactly true. They can be reversed.
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
kalpesh
By Hdbits
In response to the random claim that we know all your passwords and can/will use them on bitmetv if you have the same password there, I would like to point out that the only trace of your password stored in the database is your passhash.
This is a 128bit md5 hash of your password and a 20 character long random string.
For those of you who that makes no sense to, it means all that is stored is something like 1055d3e698d289f2af8663725127bd4b....which cannot be reversed back into your password.
Yes, I already did it for one doubter here: http://filesharingtalk.com/vb3/p-ple...39/postcount22
Quote:
Originally Posted by zaguar
Really? So you've magically found a way to reverse the MD5 hashing process? If so, tell me what this string is: 1cbd3b9800b88f9cb98755e40a15c813 . Thanks.
It reverses to Liar. Found with the help of the first google hit on the search "reverse md5 hash": http://md5.benramsey.com/
On topic: I think a lot less of HDBits that they didn't come clean about what Valerio was doing.
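An added example (not part of the thread and not either site's code) of the point argued above: a precomputed table only reverses unsalted MD5, a per-user salt defeats the table but leaves each guess as cheap as one MD5 once the salt is read from the same database row, and a slow key-derivation function is the hardened form. The wordlist, the function names and the salt-then-password layout are assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample data: a tiny wordlist standing in for a "reverse MD5" site's table.
WORDLIST = ["password", "letmein", "dragon", "qwerty123"]

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def build_lookup(words):
    """Precomputed digest -> word table; it only matches unsalted MD5."""
    return {md5_hex(w): w for w in words}

def new_salt(length: int = 20) -> str:
    """20-character random string, as described in the HDBits statement."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def salted_passhash(password: str, salt: str) -> str:
    # Assumption: md5(salt + password); the page does not give the exact layout.
    return md5_hex(salt + password)

def audit_salted(passhash: str, salt: str, words):
    """With the salt from the same database row, each candidate costs one MD5."""
    for w in words:
        if hmac.compare_digest(salted_passhash(w, salt), passhash):
            return w
    return None

def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Hardened form: PBKDF2-HMAC-SHA256, so each candidate costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def verify_slow(password: str, salt: bytes, expected: bytes,
                iterations: int = 600_000) -> bool:
    return hmac.compare_digest(slow_hash(password, salt, iterations), expected)

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    salt = new_salt()
    salted = salted_passhash("dragon", salt)
    print("unsalted, table lookup:", table.get(md5_hex("dragon")))
    print("salted, table lookup:  ", table.get(salted))
    print("salted, salt known:    ", audit_salted(salted, salt, WORDLIST))
```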
-
Re: HDBits Bitmetv exploit
how do i find out about my hash password
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
maxpower76
how do i find out about my hash password
You can't get what it is. It's only stored on the site's database itself; it isn't shown to anyone for the most part unless they have db access.
Or if they find an exploit on the site like someone else who posted in this thread does to other sites.
BTW They were hacked by the clown in reference. There was about 4 pages of logs to confirm what was said. I however will not repost anything said.
And in response to the passhash comment I made a similar statement in another thread about how easy that was about 2 days ago.
-
Re: HDBits Bitmetv exploit
Quote:
Originally Posted by
maxpower76
how do i find out about my hash password
if they don't use salting, from ur cookies... if they do it's impossible to get the passhash from the cookie...
-
Re: HDBits Bitmetv exploit
why they do this? sounds daft
i have never had an account with them but do have lots of sites with same username
-
Re: HDBits Bitmetv exploit
New info I just happened upon on this. Matt865, an admin at x264 posted the following about the situation:
Quote:
Originally Posted by Matt865
They may or may not store your passwords insecurely and use them, but what is true is that their admin Valerio (quoting him), "Made a rss feed for bitmetv so you can download stuff from there without an account." This caused a few members to lose their accounts there.
I don't see why anyone should trust their word on security if the whole staff feels it is ok to exploit other sites in this way.
I lost my account at x264, so I don't know what they're saying on the site, but he seems to be one of the few admins anywhere in the torrent world to take a responsible position on this. Bitmetv went out of their way to push the news off their front page after only a day. FTN just locked the thread discussing this. HDBits itself refused to even admit any wrongdoing, let alone apologize and take responsibility.
To me, the only fair way to interpret this is that it's more important to most site staff to keep HDBits staff from looking bad than to protect users (and ultimately the integrity of their own tracker).
-
Re: HDBits Bitmetv exploit
I got an infraction once for bumping an old thread...And you know what? That was absolutely right and fair...You shouldn't bump ancient threads, it's just...pointless...