Mt. Gox flaw opens the door for free Bitcoins

The burgeoning psuedo-currency Bitcoin has suffered another blow with the news that popular trading station Mt. Gox is vulnerable to an attack which gives traders free coins.

Bitcoin, for those who have missed our previous coverage on the matter, is a new type of virtual currency backed by computational effort rather than gold. Despite recent concerns - including the alleged theft of nearly $500,000 in Bitcoins from one user, and a database breach against Mt. Gox that saw the value of Bitcoins drop from $17 to under $0.01 - there is growing interest in the project.

Unfortunately, growing interest means growing scrutiny from opponents. With Bitcoins exchangeable for more traditional currency at trading stations like Mt. Gox, they have a real-world value that makes them a tempting target for those who would rather not work for a living.

Mt. Gox allows users to buy or sell Bitcoins for US dollars, either turning their virtual currency reserve into something they can spend in the high street or converting their real-world assets into virtual cash in the hope that the meteoric rise in value Bitcoins have been enjoying will continue.

According to a post by Doug Huff on the Full Disclosure mailing list, there's a problem: it's possible to trick Mt. Gox into selling you Bitcoins for free, making use of the site's in-built functionality to spend money that isn't actually there.

"There's a bit of luck in being able to take advantage," Huff explains in his posting - which we won't reproduce here - but the steps are far from complex and would appear to represent a major oversight on the part of Mt. Gox's operators.

Huff has alerted the site to his findings, and advised that Mt. Gox suspends all trading until the flaw is fixed.

Our attempts to raise someone at Mt. Gox have been met with an automated message warning: "Our help desk is experiencing unusually high traffic currently. We regret to inform you that you will experience some delays - currently 48-72 hrs - in us getting back to you."

If Huff's claims prove true, that's a long time to wait for someone at the service to spot the flaw and fix the hole.

UPDATE 29/06/2011 09:13:
We have received a response from a Mt. Gox spokesman claiming that the flaw, which - judging by the comments below - appears to have been a display bug rather than a true security hole, is now fixed. "A big 'yes' to bug fixed," the statement reads, "and thank you for telling us about the issues."