Board: Development & Technical Discussion
Re: Who is phantomcircuit, and is this OK ?
by mistfpga on 16/11/2012, 14:28:12 UTC
Patrick, take a look at your auth code on intersango.  Shore your own doors before you piss in other people's pools.

Surely if there is an issue you can break in and steal the 10 BTC in the account with email h4xm3@covertinferno.org whose password is imapassw0rd.

Shouldn't be too hard, right?

I would not steal anything. Also, if I did know of a way of 'stealing' from intersango or its customers then I would have reported this to you rather than exploit it.  I never said there was an authentication bypass.  I would not test your systems, especially not for free.

Quote
p.s. the attack works I tested it on several nodes which were running multiple bitcoind instances (which I called peers in the chat log).

Makes sense. Thanks for the clarification.  Note that in my second post I said that it was a non-issue, otherwise you would have reported it properly rather than IRC.

Quote
p.p.s I disclosed this over a year ago but never got around to actually writing a poc because it's annoying to get the timing right on everything.

Interesting. This is a little more worrying. (from a bitcoin dev view...) So when the bug was reported, what was the response from the dev team? Why hasn't it been fixed yet?

cheers,

steve