...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has an access to the client side, it can do whatever it wants. (From your side)
Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address.
Shiet. Now we all can panic.
TheQuin where the hell are you man your establishment has caught FIRE!
Absolutely!
If you have 2FA enabled you won't get a payment request confirmation email from freebitco.in
What you will get is a payment sent confirmation email.
The attackers targeted the bigger fish. This time...
If the attackers are able to bypass the 2FA security and to initiate withdrawals whenever they want why you are the only user reporting it till now? They would have no reason to wait before withdrawing as much funds as they can, so I think many people would already be here complaining about random withdrawals happening spontaneously. That's why your claim is a little bit surprising. Are you sure no one living with you, has been able to steal your funds? If yes, are you sure your 2FA device is safe and hasn't been compromised too?
The OP listed steps 1-8 above
My situation and reaction was identical.
I didn't say, "the attackers are able to bypass the 2FA security..."
I said they were able to bypass my profile address and insert an unknown address.
Having 2FA enabled however does work to the attackers advantage.
What I said in relation to 2FA was you won't receive a payment request confirmation if 2FA is enabled.
Maybe something had been lost in the translation.