Friday, September 27, 2013

LocalBitcoins now available in Spanish

LocalBitcoins is now available in Spanish. You can access the Spanish version of the website through this link: https://localbitcoins.com/es/

Currently 99% of the site is translated. You should manage to use the site even if you do not speak any English. LocalBitcoins team is still working on minor issues. For example, the name of the places are still available only in English. If you spot any missing translations you can report those to our support team.

We have also Spanish support staff working for us to answer the support requests and resolve disputes. Also don't forget our Spanish community discussion forums!

LocalBitcoins.com en español

LocalBitcoins.com está ahora disponible también en español. Para acceder a nuestras páginas en español, puedes utilizar el siguiente enlace: https://localbitcoins.com/es/

Por el momento, tenemos disponibles el 99% de nuestras páginas en español. El uso de nuestra web debería ser posible sin ningún conocimiento de inglés. El equipo de LocalBitcoins.com está aún trabajando en algunos pormenores con la traducción, por lo que puede haber fallos en las traducciones o algunas frases pueden estar aún en inglés. Si encuentras alguna de estas frases, por favor, notifícalo a nuestro equipo de soporte.

Tenemos también un nuevo miembro del equipo que se encarga de las solicitudes de soporte en español, por lo que no dudes en contactarnos también en castellano para responder a tus dudas y resolver disputas. Y por supuesto, ¡no te olvides de nuestros foros de discusión en español!

Why Spanish?

Bitcoin has proven itself as the digital currency without borders. We see a lot of Bitcoin related activity in South America where Spanish is the dominant language. There, the internet infrastructure is quite well developed, but online payment options might be limited. Bitcoin, as the inflation safe way of storing value, may be a better tool for the savings than the government issued fiat currency.

Some highlights

Affiliate bonuses

To celebrate the opening of Spanish version of the site and drive Spanish speaking traffic to the site, LocalBitcoins.com has almost doubled its affiliate bonuses for the next two months.

Previously the affiliate revenue was 20% for each trade participant (buyer and seller) for one year - You could earn 40% from the trade revenue this way.

Now affiliate payouts will be 35% from each referred trader up to two months, so you can earn up to 70% if both the buyer and the seller join LocalBitcoins.com through your link.

Read more about this in LocalBitcoins.com affiliate program. We have updated the affiliate info page for Spanish linking tips and Spanish <iframe> banners. We suggest you advertise in Spanish speaking medias and link using the address https://localbitcoins.com/es/ which takes the users directly to Spanish version of the site.

Programa de afiliados

Para celebrar el lanzamiento de nuestras páginas en español, y generar más tráfico hispanoparlante a nuestro sitio web, en LocalBitcoins.com tiramos la casa por la ventana y casi doblamos nuestras bonificaciones de afiliados.

Previamente, los ingresos de afiliados eran de un 20% por cada participante (comprador y vendedor) por un periodo de 1 año. Es decir, nuestro programa de afiliados te ofrecía la posibilidad de llevarte un 40% de nuestra comisión por intercambio.

Durante los próximos 2 meses, te ofrecemos la posibilidad de llevarte el 35% de los ingresos por cada participante comercial que atraigas a nuestro sitio, con lo que puedes conseguir el 70% de nuestros ingresos comerciales si tanto el comprador como el vendedor se registran a nuestro sitio a través de tu enlace de afiliado.

Infórmate sobre el programa de afiliados de LocalBitcoins.com. Hemos actualizado nuestro página de afiliados con consejos para enlaces de afiliados en español, y ahora también proporcionamos versiones en español de nuestros banners <iframe>. Te recomendamos la promoción en medios hispanoparlantes y enlazarnos utilizando la dirección https://localbitcoins.com/es/, que dirige a los usuarios directamente a nuestras páginas en español.

LocalBitcoins wants to go further, to every city in the world

Now when the Spanish is done, the next big localization goal of LocalBitcoins team is Chinese. If you have insight in Bitcoin and want to help LocalBitcoins to reach Chinese users,  please contact our team.

Affiliate bonuses raised

To celebrate the opening of Spanish version of the site and drive Spanish speaking traffic to the site, LocalBitcoins has almost doubled its affiliate bonuses for next the months. However this change affects everyone, not just new/spanish affiliates.

Previously the affiliate revenue was 20% for each trade participant (buyer and seller) for one year - You could earn 40% from the trade revenue this way.

Now affiliate payouts will be 35% from each referred trader up to two months, so you can earn up to 70% if both the buyer and the seller join LocalBitcoins.com through your link.

Read more about this in LocalBitcoins.com affiliate program.

Monday, September 16, 2013

Post-mortem: bitcoin stealing attack against LocalBitcoins

There was an attack against LocalBitcoins.com on Friday 13.9.2013 to steal bitcoins from the wallets of LocalBitcoins.com users. Thanks to the responsive LocalBitcoins community, the attack was quickly detected, the support team was notified and the attack was blocked. All affected users have now been reimbursed for their losses.

A user using a relatively old LocalBitcoins.com user account sent maliciously file attachments through LocalBitcoins.com internal messaging to the traders. People opening the attachment might have lost bitcoins they had in their LocalBitcoins wallet. This was due to an error in LocalBitcoins.com messaging system which should block all kind of malicious file attachments. Total 82 bitcoins was stolen.

Only the users who had not enabled two-factor authentication were affected. LocalBitcoins.com always reminds the users who have bitcoins in their wallet to enable two-factor authentication which protect against both technical and social account hacking attempts.

LocalBitcoins.com security has now been strengthened and similar attacks are not possible in the future. LocalBitcoins.com internal messaging is safe and the users are encouraged to use it. People should be always very careful when communicating outside localbitcoins system.

 

LocalBitcoins reimbursement policy

LocalBitcoins credits the lost bitcoins to its users when there is a clear error in LocalBitcoins.com service, allowing somebody who is not authenticated on the site to access the wallet.

LocalBitcoins.com does not credit the lost bitcoins when the loss is caused by the actions of user. Usually actions like this include, but are not limited to,
  • Giving username and password to some external (phishing) site or losing the control of the password when having the computer infected by malware.
  • Releasing bitcoins from an escrow to a buyer even though the payment is not properly confirmed and cleared.
  • Payment problems outside LocalBitcoins control, such as afterwards reversed transactions
LocalBitcoins.com cannot protect the users against phishing and file attachment attacks outside LocalBitcoins.com service. Thus, always be careful when opening emails, SMS messages, links and attachments coming directly from another person. Always enable the two-factor authentication when you are actively dealing with bitcoins on any services you are using.

 

Attack details

The attack was performed by uploading a specially crafted image file. The file attachment had PNG image file headers, but contained HTML payload and .htm extension. The HTML payload included JavaScript code performing HTTP POST request to send bitcoins out from LocalBitcoins wallet.
  • LocalBitcoins.com uses Django web framework which includes security features to block invalid image uploads. However, in this particular case, the image verify method let the specially crafted file through because it contained valid PNG headers. The standard Python Imaging Library verify method does not check for extra payload at the end of image file.
  • When the web browser downloaded the file, it interpreted the attachment as a HTML file, even though the beginning of the file was garbage due to PNG headers.
  • Because the file was served from LocalBitcoins.com domain, the download was considered as safe and it passed through cross-site request forgery protections.
  • When the user opened the attachment, the web browser executed JavaScript inside the file and managed to perform a Send from wallet action if the two-factor authentication was not enabled. With two-factor authentication an additional security code is needed to execute a wallet transaction.

 

Actions taken to prevent further attacks

Since the attack, LocalBitcoins.com team has strengthened the site security with additional layers to prevent similar attacks in the future.
  • Uploaded image files are rewritten to be clean image files, so that any extra payload or codec bug exploits in the web browsers are not possible.
  • Extra checks are performed to make sure that the image content matches the attached file extension.
  • LocalBitcoins wallet pages performs more aggressive HTTP referrer checks to prevent triggering wallet actions from JavaScript code.