Mt. Gox’s security flaws costed millions. Could AI have spotted them?

Former Mt. Gox CEO Mark Karpelès probably wishes he had access to today’s artificial intelligence when he bought Mt. Gox from its founder, Jed McCaleb, in 2011

That’s because Karpelès has just fed an early version of Mt. Gox’s codebase into Anthropic’s Claude AI. What he got back was an analysis that broke down the key vulnerabilities that led to the defunct exchange’s first major hack, while labelling it “critically insecure.”

In a Sunday X post, Karpelès said he uploaded Mt. Gox’s 2011 codebase to Claude, alongside various data, including GitHub history, access logs and data “dumps released by” the hacker

Source: Mark Karpelès The analysis from Claude AI said Mt. Gox’s 2011 codebase represented a “feature-rich but critically insecure Bitcoin exchange.”

“The developer (Jed McCaleb) demonstrated strong software engineering capabilities in terms of architecture and feature implementation, creating a sophisticated trading platform in just 3 months,” the analysis reads, adding, however, that:

“The codebase contained multiple critical security vulnerabilities that were targeted in the June 2011 hack. Security improvements made between ownership transfer and the attack partially mitigated the impact.”

Karpelès took over the reins of the Japan-based Mt. Gox in March 2011 after buying the exchange from founder and developer Jed McCaleb. The exchange then suffered a hack around three months later that saw 2,000 Bitcoin (BTC) drained from the platform

“I didn’t get to look at the code before taking over; it was dumped on me as soon as the contract was signed (I know better now, due diligence goes a long way),” added in a comment on his X post

Claude AI’s post-mortem of Mt. Gox

According to Claude AI, the key vulnerabilities consisted of a mixture of code flaws, a lack of internal documentation, weak admin and user passwords and retained account access of prior admins after new ownership handover.

The hack was sparked by a major data breach after Karpelès’ WordPress blog account and some of his social media accounts were compromised

“Contributing factors included: the insecure original platform, undocumented WordPress installation, retained admin access for ‘audits’ after ownership transfer, and a weak password for a critical admin account,” the analysis reads

The analysis also outlined that some changes pre- and post-hack “mitigated some attack vectors,” preventing the attack from being a lot worse than it could have been

Such changes included an update to a salted hashing algorithm to provide greater password protection, fixing an SQL injection hacking code in the main application, and implementing “proper locking around withdrawals.”

“The salted hashing prevented mass compromise and forced individual brute forcing, but no hashing algorithm can protect weak passwords. The withdrawal locking prevented the more severe outcome of tens of thousands of BTC being drained via the $0.01 withdrawal limit exploit,” the analysis reads, adding:

“This codebase was targeted in a sophisticated attack in June 2011. Security improvements had been made in the 3 months since ownership transfer, which affected the attack outcome. This incident demonstrates both the severity of the original codebase’s vulnerabilities and the partial effectiveness of remediation efforts.”

Related: The ghost of Mt. Gox will stop haunting Bitcoin this Halloween

While the analysis suggests AI could have helped shore up specific coding flaws, the core of the breach was the result of poor internal processes, weak passwords, and a critical lack of network segmentation that let a blog breach threaten the entire exchange

Unfortunately, AI cannot prevent human error

Mt. Gox still impacts the market a decade later

Despite being defunct for over a decade, Mt. Gox has continued to have an impact on the market over the past couple of years, as large sums of Bitcoin (BTC) have been repaid to creditors, resulting in significant potential selling pressure on the market, though this hasn’t happened as many have feared

Ahead of the Oct. 31 repayment deadline later this month, the exchange holds around 34,689 BTC

Magazine: Mysterious Mr Nakamoto author: Finding Satoshi would hurt Bitcoin

• #Blockchain
• #Technology
• #AI
• #Hacks
• #Mt. Gox Add reaction