Title: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 10, 2013, 08:19:26 PM 1Broker.com (http://1Broker.com) is running for more than 2 months now and it's amazing to look into the access logs. Nearly every day someone tries his/her luck by finding SQL injections, vulnerable services, the admin panel ...
Obviously the more people try the better, so I decided to give rewards even if someone only finds partial SQL injections, harmless XSS problems, endless loops, browser specific bugs ... It is hard to specify what is a bug, but everything what is unknown and surprises me will be rewarded. This gives you an overview of how much you can expect:
Edit (April, 10th): Due to the extreme BTC/USD volatility in the last weeks we will dynamically determine the reward for a reported problem. Rules:
This is good chance for all talented hackers to earn money without breaking the law or moral principles. Have fun, exxe Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Bitsky on January 10, 2013, 11:34:56 PM https://1broker.com/?c=about_tos
In my opinion, "withdrawal requests" sounds better than "withdraw requests". https://1broker.com/?c=about_security The left picture has no thumbnail; it's only resized via height/width in html, meaning the preview is a 355kB download. "No externaly resources are loaded when logged in" I haven't created an account, so I cannot check, but are the Godaddy seal and Twitter/FB/G+/Google-Analytics removed after login? https://1broker.com/ Actually, I assumed the ticker would refresh via ajax now and then. Sticking CSS/JS into separate files (and selective caching) would reduce the pagesize what increases loading speed and reduces traffic. It would also be nice if the info boxes close when clicking anywhere on the page and not only on "OK" Clicking on "Login" without any values filled in drops the user to an error page which looks like a leftover from the devs (also, that html isn't valid at all) The site doesn't validate as html5. Cosmectic maybe, but personally I'm picky about such things. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 11, 2013, 01:31:19 AM https://1broker.com/?c=about_tos Hit! 0.025In my opinion, "withdrawal requests" sounds better than "withdraw requests". https://1broker.com/?c=about_security Not a bug, but thanks.The left picture has no thumbnail; it's only resized via height/width in html, meaning the preview is a 355kB download. "No externaly resources are loaded when logged in" The godaddy seal is a local gif and yes!I haven't created an account, so I cannot check, but are the Godaddy seal and Twitter/FB/G+/Google-Analytics removed after login? Actually, I assumed the ticker would refresh via ajax now and then. Yeah these things are not perfect but I wouldn't call them bugs. Anyway, your post was really useful. Thanks!Sticking CSS/JS into separate files (and selective caching) would reduce the pagesize what increases loading speed and reduces traffic. It would also be nice if the info boxes close when clicking anywhere on the page and not only on "OK" Clicking on "Login" without any values filled in drops the user to an error page which looks like a leftover from the devs (also, that html isn't valid at all) The site doesn't validate as html5. Cosmectic maybe, but personally I'm picky about such things. Rewarded you with: 0.125 BTC Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: John (John K.) on January 11, 2013, 12:49:14 PM Well, the last two rewards do not seem really substantial enough for what they're worth. What makes you think a hacker finding that kind of exploit would not try to empty your wallets and/or more malicious actions?
That said, there's still some minor wording errors here and there: https://1broker.com/?c=faq Quote On weekends and on holidays currently all markets, except BTC/USD, are closed. All markets are closed on weekends and holidays except BTC/USD.https://1broker.com/?c=about_security Quote Instantly after creation all private keys of these addresses are gpg (CAST-128) encrypted with a long cipher and backed up at several highly secured locations. GPG should be caps in this case. A comma between creation and all would be appropriate too.Quote No external resources are loaded when logged in. External. Also, a subject here would improve the sentence; i.e.: when users are logged in.Quote Every user can look into a detailed access log of the account. Every user can look into a detailed access log of their accounts.Quote Session cookies are protected from XSS attacks and are only sent with enabled TLS connection. With an enabled TLS connection, or through a TLS connection.Quote HSTS prevents users from man-in-the-middle attacks. Protects. https://1broker.com/?c=about_privacy Quote ...Non-personal identification information may include the browser name, the type of computer and technical information about Users means of connection to our Site,.. the User's.Quote 1Broker may collect and use Users personal information for the following purposes: the User's.https://1broker.com/?c=about_tos Quote If necessary, 1Broker is completely sold and the amount of purchase is divided and payed out to our customers. If necessary, 1Broker will be completely sold, and the proceeds divided and paid out to our customers.Quote If a customer lost high amounts during an unscheduled outage he can contact us and we will try to find a solution for both parties. Loses.Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 11, 2013, 01:38:35 PM Well, the last two rewards do not seem really substantial enough for what they're worth. What makes you think a hacker finding that kind of exploit would not try to empty your wallets and/or more malicious actions? I'm still hoping that there are good people in this world.Quote 1Broker may collect and use Users personal information for the following purposes: the User's.Quote Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above. Thanks! :) Sent you: 0.225 BTC Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: wachtwoord on January 11, 2013, 01:43:02 PM Quote 1Broker may collect and use Users personal information for the following purposes: the User's.Users' is for the pleural and User's is for the singular form. The users' is short for: "the users his" The user's is short for: "the user his" So you are correct users' is correct here (the personal information of the users) Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: John (John K.) on January 11, 2013, 01:51:10 PM ... Quote 1Broker may collect and use Users personal information for the following purposes: the User's.Quote Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above. Thanks! :) Sent you: 0.225 BTC Thanks! Yep, it's Users'. Typo here. You're missing the apostrophe though. :P https://1broker.com/?c=about_security Quote Addresses of offline storage only store small amounts to avoid attack scenarios while importing them back to the server wallet. A rewording should go like this: Offline storage addresses only hold small amounts to avoid potential attacks when imported back to the server wallet. However. this is still quite vague, and implies that offline addresses only store small amounts when in fact you're storing nearly all of your customers' in offline generated Bitcoin addresses. Consider changing this sentence. I'll make an account and play with it later. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 11, 2013, 05:21:16 PM https://1broker.com/?c=about_security Another 0.025 sent, but this is obsolete anyway. Creating offline raw transactions is the better way of doing this, so I'll remove this.Quote Addresses of offline storage only store small amounts to avoid attack scenarios while importing them back to the server wallet. A rewording should go like this: Offline storage addresses only hold small amounts to avoid potential attacks when imported back to the server wallet. However. this is still quite vague, and implies that offline addresses only store small amounts when in fact you're storing nearly all of your customers' in offline generated Bitcoin addresses. Consider changing this sentence. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 11, 2013, 05:28:33 PM Unknown unexpected behavior (e.g. endless loops, links to 404 pages, UI issues ...) I have created account using the same nickname as here - subSTRATA - but I ended up with nickname substrata. >:( Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: flatfly on January 11, 2013, 08:07:32 PM Hi,
I've created an account to try the platform out... a couple of things already: - at registration, email addresses with a plus sign (such as johndoe+1@gmail.com) are not recognized, while perfectly valid. - also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"... - when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English. Either "You do not have enough funds" or just "Not enough funds!" Cheers Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 11, 2013, 09:21:12 PM - at registration, email addresses with a plus sign (such as johndoe+1@gmail.com) are not recognized, while perfectly valid. Thanks & fixed- also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"... Known problem. The message system needs improvements (sometimes).- when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English. Fixed.Either "You do not have enough funds" or just "Not enough funds!" Rewarded you with 0.1 BTC Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: flatfly on January 12, 2013, 09:40:11 AM - at registration, email addresses with a plus sign (such as johndoe+1@gmail.com) are not recognized, while perfectly valid. Thanks & fixed- also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"... Known problem. The message system needs improvements (sometimes).- when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English. Fixed.Either "You do not have enough funds" or just "Not enough funds!" Rewarded you with 0.1 BTC Thanks! Website seems to be down right now, are you aware of this? Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: fghj on January 12, 2013, 12:47:50 PM I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg
What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 12, 2013, 01:57:01 PM Autocomplete attribute is not disabled in HTML form / input element containing password type input. Passwords may be stored in browsers This is intentional. I don't want to overrule users here. Some people want to handle their passwords with Lastpass or a Firefox master password. (including myself) The autocomplete=off is really annoying sometimes. (However, Master Key inputs have the autocomplete=off parameter of course)and retrieved. <FORM AUTOCOMPLETE = "off"> or <INPUT ... AUTOCOMPLETE = "off"> Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate and private. 0.1 BTC for the private attribute in Cache control of images (very few attack possibilities, if any) You want it to your 1Broker account or to a specific Bitcoin address? I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible)What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I. Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to better font of course. (And I need your Bitcoin address too) Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: fghj on January 12, 2013, 03:24:23 PM I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible)What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I. Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to better font of course. (And I need your Bitcoin address too) 1AWHB4h1ZprDZpBkALPxEuPtvaZRwzrG5D That would be embarrassing if OCR couldn't read it too, and someone had to manually process this backup. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 12, 2013, 03:49:25 PM Autocomplete attribute is not disabled in HTML form / input element containing password type input. Passwords may be stored in browsers This is intentional. I don't want to overrule users here. Some people want to handle their passwords with Lastpass or a Firefox master password. (including myself) The autocomplete=off is really annoying sometimes. (However, Master Key inputs have the autocomplete=off parameter of course)and retrieved. <FORM AUTOCOMPLETE = "off"> or <INPUT ... AUTOCOMPLETE = "off"> Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate and private. 0.1 BTC for the private attribute in Cache control of images (very few attack possibilities, if any) You want it to your 1Broker account or to a specific Bitcoin address? 1Broker account please, I'm currious how long will it take me to lose everything due to my (stock)exchange bad luck. ;D BTW, fees page (https://1broker.com/?c=about_fees) could be more clear - 0.00 BTC does not neccessarly equal "no BTC will be taken". 8 decimal places would remove doubt. Quote Quote Quote I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible)What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I. Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to better font of course. (And I need your Bitcoin address too) 1AWHB4h1ZprDZpBkALPxEuPtvaZRwzrG5D That would be embarrassing if OCR couldn't read it too, and someone had to manually process this backup. Thanks and 0.1 sent! Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 12, 2013, 11:04:52 PM Balance shown on right side should be accurate to 8 digits. I just tried to ForEx a little with BTC/USD, clicked on "Short", copy Known problem. Full precision is not shown everywhere, because it wouldn't look good. However, I changed it to Math.floor() instead of Math.round() => you won't see that problem again. Additionally, now it also shows a full precision tooltip onmouseover.pasted balance value shown - 0.0976 - to "Amount/Margin" field, clicked on "Open Order" and ended surprised with "Insufficient funds!" message. It took me a while to find out I actualy have less than 0.0976 BTC! https://i.imgur.com/NSyR6.png Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 13, 2013, 05:05:48 PM I closed position at BTC/USD, got 0.09603989 BTC, placed all on "Short" with leverage at 5 and immidiately lost 0.0028 BTC (-2.95%). ??? Every CFD has a Bid and an Ask price. If you open a short position you sell for the bid price. The -2.95% shows what you would get if you close the position (buy it back for the ask price).I haven't noticed any price change inbetween moment of closing and opening position. What I am missing there? The bid is always lower than the ask price price so everytime a position is opened you start with a small loss. (... and higher leverages result in a greater initial loss of course) This is called the spread which exists in all financial markets around the world. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: 53rv3r on January 16, 2013, 08:44:48 AM On https://1broker.com/?c=about_privacy there are 7 occurrences of "Personal identification information." The conventional way to state this according to http://en.wikipedia.org/wiki/Personally_identifiable_information is in one of four ways:
Personally Identifiable Information Personally Identifying Information Personal Identifying Information Personal Identifiable Information Other sources for this nomenclature: http://www.doncio.navy.mil/ContentView.aspx?id=2428 http://www.dol.gov/dol/ppii.htm#.UPZoVaG8HrE http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: marketersales on January 16, 2013, 08:59:33 AM Anyone confirms this is legit?
Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 16, 2013, 10:39:56 PM On https://1broker.com/?c=about_privacy there are 7 occurrences of "Personal identification information." The conventional way to state this according to http://en.wikipedia.org/wiki/Personally_identifiable_information is in one of four ways: Personally Identifiable Information Personally Identifying Information Personal Identifying Information Personal Identifiable Information Other sources for this nomenclature: http://www.doncio.navy.mil/ContentView.aspx?id=2428 http://www.dol.gov/dol/ppii.htm#.UPZoVaG8HrE http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf Thanks for the research. Wanted to send 0.025 BTC but bitcoind says to your signature address: Code: <./bitcoind validateaddress 19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: 53rv3r on January 17, 2013, 12:35:23 AM Thanks for the research. Wanted to send 0.025 BTC but bitcoind says to your signature address: Code: <./bitcoind validateaddress 19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv hmm, 9 transactions have been successfully processed to this address: http://blockchain.info/address/19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv edit: I think if you capitalize the last V it works: 19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsV I don't know how that happened. thank you, btw! Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 17, 2013, 10:28:46 PM edit: I think if you capitalize the last V it works: Worked :)19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsV Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: 53rv3r on January 18, 2013, 04:01:03 AM Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: QA on January 21, 2013, 06:07:13 AM https://1broker.com/?c=contact
it says "bug- and feature requests send to:" with a '-' after 'bug' In Searching: Not sure if it's bug: when search for 'inc', there's a name "Nokia Oyj" on the bottom, with 0 bid and ask, and it doesn't show in any categories In 'Open order': (Chrome Version 24.0.1312.52) 1. it seems that leverage has 1~15 range, as it keeps jumping to 15 input a larger number, but input as 0.1 is allowed, which will jump to 1 when clicking -/+ again, it's confusing. 2. not sure if desired: when right click on the -/+ for leverage, the number auto-decrease/increase, and click again will stop it 3. if input any invalid charactors in leverage, like '-', '*', when there's an amount, the feedback says "In words: If the price of *** goes up by 1% you will win NaN BTC", the NaN looks too Javascript suggestion: highlight the current one if selected: Account Info Access Log Transaction Log Account Settings Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on January 22, 2013, 06:04:40 PM Sorry for the delayed answer.
Quote https://1broker.com/?c=contact Good finds! Thanks!it says "bug- and feature requests send to:" with a '-' after 'bug' In Searching: Not sure if it's bug: when search for 'inc', there's a name "Nokia Oyj" on the bottom, with 0 bid and ask, and it doesn't show in any categories Quote 1. it seems that leverage has 1~15 range, as it keeps jumping to 15 input a larger number, but input as 0.1 is allowed, which will jump to 1 when clicking -/+ again, it's confusing. Intentional. The more auto corrections, the more annoying it can get when editing the value. You can see a list of the maximum leverages here: https://1broker.com/?c=cfdsQuote 2. not sure if desired: when right click on the -/+ for leverage, the number auto-decrease/increase, and click again will stop it In general a slider would be better here and will be implemented sometime.Quote 3. if input any invalid charactors in leverage, like '-', '*', when there's an amount, the feedback says "In words: If the price of *** goes up by 1% you will win NaN BTC", the NaN looks too Javascript Right.Quote suggestion: Yeah this needs a redesign.highlight the current one if selected: Account Info Access Log Transaction Log Account Settings Sent you 0.125 BTC. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: 001sonkit on February 10, 2013, 11:42:15 AM Hi, glad I found this service despite I am only holding a really tiny amount of coins.
Just a bit of suggestion to your service. 1; Upon transaction sent, show the user that the transaction is confirming and the amount of it. Just to have the newcomers to know things are happening behind. 2; Create a dashboard page, having data centralized is much more easy to navigate. 3; API, of course, which could grab the Bitcoin community attention + increase your service popularity. Wish you good business. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on February 10, 2013, 09:34:27 PM Quote 1; Upon transaction sent, show the user that the transaction is confirming and the amount of it. Just to have the newcomers to know things are happening behind. Good suggestion. Added it to the TODO list.Quote 2; Create a dashboard page, having data centralized is much more easy to navigate. I'll think about this.Quote 3; API, of course, which could grab the Bitcoin community attention + increase your service popularity. It is on the long-term TODO list.Quote Wish you good business. Thanks :)Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: whitenight639 on February 15, 2013, 03:25:30 AM https://1broker.com/?c=about_tos
Quote Account Hack If our system has/had no weaknesses which make a hack of a customer account possible we will not refund stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place. This is Bad Grammar, and doesn’t make sense are you trying to say the following: Quote Account Hack If our system has or is found to have weaknesses which make compromising customer account(s) possible we will not refund the stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place. OR are you trying to say: Quote Account Hack Our system has no known weaknesses which make a hack of a customer account possible, we will not refund stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place. If it was me I would word it totally differently though, Quote Account Security We advice that you keep your login details secure and never reveal them or write them down. You use our service at your own risk and liability, every effort has been taken in ensuring your account is secure and our servers and software are tested regularly. As such, should your account be compromised as a result of your negligence we accept no liability and will not refund your account. P.s I can re-write the rest of you Legal pages if you like. 12j2DRmNAW9ZQRGbSFvZUT56PuGNRj1bW7 Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: pinger on February 15, 2013, 04:57:15 AM Nothing found apart of Leet ports and Gangnam Style cookies :p
I'm not really skilled I guess Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on February 15, 2013, 05:48:09 PM Quote Nothing found apart of Leet ports and Gangnam Style cookies :p Good :P Thanks for trying!I'm not really skilled I guess Quote If it was me I would word it totally differently though, Very good! Rewarded you with 0.075 BTCQuote Account Security We advice that you keep your login details secure and never reveal them or write them down. You use our service at your own risk and liability, every effort has been taken in ensuring your account is secure and our servers and software are tested regularly. As such, should your account be compromised as a result of your negligence we accept no liability and will not refund your account. In general our language quality is not what I expect it to be. Therefore, I'm now searching for an English native speaker who helps us to rewrite some things, write "news" and helps with language problems in general. Of course this person gets some BTCs for his/her work. If anyone is interested to do this small job (<1h/week) convince me that you have the required language skills, especially with formal/marketing language. If more persons want to do this I will try to pick the best one in the next few days. Can I count you in, whitenight639? Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: whitenight639 on February 15, 2013, 08:44:53 PM Yes you can count me in, and thanks for the payment :-) Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Tekkna on April 09, 2013, 01:03:24 AM I would also be interested in re-writing text (Unless, of course, Whiteknight gets the position) I am a native English speaker, and used to do something similar for Japanese speakers in a language exchange (I help fix their English, they fix my Japanese).
I suppose for an example of my work you could see the amazon gift codes I'm selling in my signature. NOTE: Some of these are probably not exactly worth a bounty, but still a good idea to change, I may post more after my account is verified. Something I notice quite a bit recently, is the lack of liquid layouts, my screen isn't that small, but I get some cut off for some reason: http://i49.tinypic.com/307vqrq.png Quote https://1broker.com/?c=about_fees toThere are no hidden fees whatsoever. Everything we charge from you is listed on this page. Quote There are no hidden fees whatsoever, everything we charge is listed on this page charge from you -> charge youYou use a lot of periods, when the sentence would be more fluid with commas. Quote We profit from the spread, the difference between the bid and ask price. This means you will usually start with a very small initial loss, when a new position is openend. toQuote We profit from the spread, the difference between the bid and ask price. This means you will usually start with a very small loss, when a new position is opened. openend -> openedvery small initial loss -> very small loss | Redundant Quote You can contact us via email: support@1Broker.com Administrative stuff, technical questions, bug and feature requests send to: exxe@1Broker.com You may not want to use "Administrative stuff", stuff is informal (although, some sites are going for a very informal approach in their documentation) https://1broker.com/?c=faq Quote 1Broker offers a service where you can trade for live market-prices toQuote 1Broker offers a service where you can trade for live market prices No dash in market-pricesIn the account sign up: Quote If you don't click on the confirmation link your account gets deleted in the next few days. toQuote If you don't click on the confirmation link within 2 days, your account will be terminated. More professional (includes time frame, more formal language)When unverified: Quote Your account is currently blocked! toQuote Your account has not been verified! Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: sega01 on April 09, 2013, 03:33:01 PM Not sure how serious this is, but it looks like your bitcoind is listening on port 8333 (default) for incoming Bitcoin-esque connections. It's said that it's much easier to double spend when someone connects directly to your node and another at the same time.
On my DNS tunnel service, I have the daemon setup like this, to only connect out: bitcoind -noupnp -par=1 -daemon -nolisten. Granted, I'm not quite sure how relevant this for your environment. Not sure why you have portmapper open or port 41689, either. Let me know what you think. Best of luck with the service! Cheers, Teran Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Dron007 on April 10, 2013, 11:20:55 PM There is Mater Key at the registration form. Looking at the JavaScript code I can see that validation will fail if key is exactly equal to 10000 or to 99999. But these values can be generated by the random generator. So the code should be changed to the following:
if (!(document.getElementById("masterkey").value >= 10000 && document.getElementById("masterkey").value <= 99999)) { document.getElementById("error").innerHTML+="- Please generate a Master Key!<br>"; ok = false; } instead of if (!(document.getElementById("masterkey").value > 10000 && document.getElementById("masterkey").value < 99999)) ... Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Remember remember the 5th of November on April 10, 2013, 11:36:26 PM At OP,
Not really a big deal, but when I entered some invalid characters I got greeted by a blank page with a red box with an error message, but when done to this URL, the error message appears ontop of the normal page, with no footer. https://i.imgur.com/OFnkrKN.png Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on April 11, 2013, 06:05:37 PM I would also be interested in re-writing text (Unless, of course, Whiteknight gets the position) I am a native English speaker, and used to do something similar for Japanese speakers in a language exchange (I help fix their English, they fix my Japanese). Whiteknight already agreed to help, but I will keep you in mind in case I need advice from multiple people.I suppose for an example of my work you could see the amazon gift codes I'm selling in my signature. NOTE: Some of these are probably not exactly worth a bounty, but still a good idea to change, I may post more after my account is verified. Something I notice quite a bit recently, is the lack of liquid layouts, my screen isn't that small, but I get some cut off for some reason: [...] Concerning the cut offs: Can you tell me what your screen resolution is? Thanks for the problems reported. These things will be fixed with the next update. Sent 0.025 BTC to 1AKtor49AFFHF8kVH4SAgd23eTPVy91iDB Not sure how serious this is, but it looks like your bitcoind is listening on port 8333 (default) for incoming Bitcoin-esque connections. It's said that it's much easier to double spend when someone connects directly to your node and another at the same time. Since, we do not accept 0-conf transactions there should be no big problems with double spending.On my DNS tunnel service, I have the daemon setup like this, to only connect out: bitcoind -noupnp -par=1 -daemon -nolisten. Granted, I'm not quite sure how relevant this for your environment. Not sure why you have portmapper open or port 41689, either. Let me know what you think. Best of luck with the service! The open portmapper port is indeed strange and I've contacted the support who told me that this was part of their default configuration upon server setup. Nevertheless, the port is now closed. There is Mater Key at the registration form. Looking at the JavaScript code I can see that validation will fail if key is exactly equal to 10000 or to 99999. But these values can be generated by the random generator. So the code should be changed to the following: Will be fixed in the next update. Since this statistically only causes a small bug in every 4500th registration I hope you are okay if I don't pay a reward for this. :PAt OP, Not really a big deal, but when I entered some invalid characters I got greeted by a blank page with a red box with an error message, but when done to this URL, the error message appears ontop of the normal page, with no footer. https://i.imgur.com/OFnkrKN.png This is known and a result of our code structure and error handling. Since a "normal" user won't see such things there is no need to fix this, imho. Thank you all! Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Tekkna on April 11, 2013, 07:17:27 PM Quote Whiteknight already agreed to help, but I will keep you in mind in case I need advice from multiple people. Concerning the cut offs: Can you tell me what your screen resolution is? 1024x768 is my monitor resolution (I think that's really skinny for monitors, but still, would prepare you for mobile users). Received payment from exxe successfully :) Thank you, I am willing to provide any help you need. Also, were my scans correct in guessing that you are using >Postgre 8 on a nginx server? Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on April 11, 2013, 08:06:05 PM 1024x768 is my monitor resolution (I think that's really skinny for monitors, but still, would prepare you for mobile users). Okay, maybe I will look into the resolution problem, but don't expect too much. A mobile app is on the TODO list anyway.Received payment from exxe successfully :) Thank you, I am willing to provide any help you need. Also, were my scans correct in guessing that you are using >Postgre 8 on a nginx server? Nginx is easy to see (https://1broker.com/404), but the PostgreSQL guess is wrong. :D Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Tekkna on April 11, 2013, 08:23:06 PM Yeah, I didn't put too much stock in the scan, but worth a guess I suppose :)
It's not a killer bug, and everything functions properly still, just slightly annoying. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: marticps on April 11, 2013, 10:18:26 PM About UI, you should edit a bit the CSS. You should add ALT attribute in the images in order to help textual browsers, search engines... and improve accessibility (that's very important (http://www.feedthebot.com/titleandalttags.html)).
Also, you should avoid the use of presentation tags in HTML, since you should use the HTML only for semantics and CSS for presentation. Here's two lists of design errors you have on your website: http://validator.w3.org/check?uri=https%3A%2F%2F1broker.com%2F&charset=%28detect+automatically%29&doctype=Inline&group=0 (http://validator.w3.org/check?uri=https%3A%2F%2F1broker.com%2F&charset=%28detect+automatically%29&doctype=Inline&group=0) http://try.powermapper.com/Reports/7a211e9d-1ed9-4b5b-8194-7da9afccb2ae/report/map.htm (http://try.powermapper.com/Reports/7a211e9d-1ed9-4b5b-8194-7da9afccb2ae/report/map.htm) For me, the most important ones are the following (some of them are repeated):
All these errors you have in the website design will make you have a lower Google rank and will difficult users to navigate through the site. (Most of the errors are about accessibility and SEO). Hope I helped you. BTW, if you need help in web design, I can help you. To see some references check the website on my profile. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on April 12, 2013, 07:55:28 PM Also, you should avoid the use of presentation tags in HTML, since you should use the HTML only for semantics and CSS for presentation. Yes, I'm aware that the website is far from perfect in this area. I will work on this a little bit, but there is simply not enough time to to make this how it should be (at least not in the near future).Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Dron007 on April 12, 2013, 09:19:07 PM Will be fixed in the next update. Since this statistically only causes a small bug in every 4500th registration I hope you are okay if I don't pay a reward for this. :P Ok. That's is really a minor problem. There is one more minor thing. One can use SQL LIKE template characters in the search field (% and _). It is more like a feature but as it is not documented somebody could think search is working not as expected, entering '100%' but receiving same as for '100'.Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: starsoccer9 on April 12, 2013, 09:41:46 PM found a problem relating to having a negative balance,
Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on April 12, 2013, 10:40:18 PM There is one more minor thing. One can use SQL LIKE template characters in the search field (% and _). It is more like a feature but as it is not documented somebody could think search is working not as expected, entering '100%' but receiving same as for '100'. Yeah, I'll leave it as it is.found a problem relating to having a negative balance, This is working as intended. Leveraged positions which stay open overnight/over the weekend can be force-closed with negative values and can therefore lead to negative account balances. We can't/won't force people to give us the Bitcoins they owe us, but if they want to use 1Broker again they have to. (Double accounts violate the TOS)Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: spudy12 on April 12, 2013, 11:54:19 PM Activation email ends up in the spam folder, for hotmail and gmail anyway..
activation email link says invalid if opened from another tab, however if you go back to original tab you can sign in - just thought i'd point this out. when you type in the amount to withdraw, it goes green whatever amount regardless of weather you have the funds or not.. not exactly a bug but could be confused by some people? possibly a theme on twitter that better matches your websites? (website one is really cool by the way, looks very professional) On the cfd's page (https://1broker.com/?c=cfds) next to gold you have this Quote Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts since long before the beginning of recorded history. Doesn't quite read right for me, possibly something like this is better.. Quote Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts since the beginning of recorded history. OR Quote Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts long before the beginning of recorded history. apart from that, looks and feels like a very professional site. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: BitCoins06 on April 13, 2013, 08:13:20 AM Hi , i find 2 Xpath Injection
on https://1broker.com/?c=password_forgotten1 & https://1broker.com/?c=register I will provide the parameter (the exploit) via PM for more info My Wallet 16J42BqVdfmgjwJb6LZkxy9uv4duTtwHzK Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on April 14, 2013, 10:01:32 PM Thanks for your input spudy12.
I've updated the mail functions so hopefully it works now. I also changed the description for the gold CFD. Hi , i find 2 Xpath Injection I've not received a PM from you. In general I would be really surprised if you find a vulnerability in this area.on https://1broker.com/?c=password_forgotten1 & https://1broker.com/?c=register I will provide the parameter (the exploit) via PM for more info My Wallet 16J42BqVdfmgjwJb6LZkxy9uv4duTtwHzK Even if you found a bug, it is necessary to report it privately, if you want a reward. (and publish no details before warning me (this should be obvious)) Don't get me wrong, but such posts can destroy our image of a secure trading platform. You should remove it. best regards. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Remember remember the 5th of November on April 16, 2013, 04:28:25 AM Thanks for your input spudy12. Well if there's a bug, a security hole then obviously it's not really secure. But don't misinterpret my post. You shouldn't hide if you have security holes, but accept it and fix them ;).I've updated the mail functions so hopefully it works now. I also changed the description for the gold CFD. Hi , i find 2 Xpath Injection I've not received a PM from you. In general I would be really surprised if you find a vulnerability in this area.on https://1broker.com/?c=password_forgotten1 & https://1broker.com/?c=register I will provide the parameter (the exploit) via PM for more info My Wallet 16J42BqVdfmgjwJb6LZkxy9uv4duTtwHzK Even if you found a bug, it is necessary to report it privately, if you want a reward. (and publish no details before warning me (this should be obvious)) Don't get me wrong, but such posts can destroy our image of a secure trading platform. You should remove it. best regards. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on April 16, 2013, 09:34:46 AM Well if there's a bug, a security hole then obviously it's not really secure. But don't misinterpret my post. You shouldn't hide if you have security holes, but accept it and fix them ;). I don't want to hide something, but what the user is saying is not true.The thing is that we don't even use XML or XPath. I suspect that he ran the Acunetix security scan and the software found these structures as a potential vulnerability (which are obviously false positives): https://1broker.com/?c=password_forgotten1 https://1broker.com/?c=password_forgotten2 and https://1broker.com/?c=register https://1broker.com/?c=register2 https://1broker.com/?c=register3 Nothing to fix here. best regards. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: Tekkna on April 16, 2013, 04:48:09 PM OP seems to know what he's doing, I doubt there are any bugs in it right now.
The only mistakes so far are small English grammar errors. Title: Re: 1Broker.com - Vulnerabilty & bug bounty Post by: exxe on April 17, 2013, 11:27:09 AM Activation email ends up in the spam folder, for hotmail and gmail anyway.. Found the problem: DNS SPF record only allows the IP address of 1broker.com to send mails, but 1broker.com does not resolve into an IPv6 address and postfix used IPv6 to send mails.This was a tricky one. :P |