Bitcoin Forum

Economy => Scam Accusations => Topic started by: BayAreaCoins on October 16, 2019, 08:53:59 PM



Title: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on October 16, 2019, 08:53:59 PM
I went ahead and created a PowerPoint for my lawyer (I was just asking if there was anything I could "do", but there isn't)... the PowerPoint is a little less clusterfucky than this Bitcointalk thread.  I'm going to leave the original post under the next post, but here is a link to the PowerPoint that breaks down how Blockchain.com and HackerOne.com fucked me on a painfully obvious and dangerous 2fa dump logic error.

PowerPoint with the full story:  https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

tl;dr I reported a problem, they said it was working as intended, they fixed the problem that night, they stiffed me.

Needless to say, we are not going to go forward with any formal complaints and I still hope Blockchain just pays me my fucking bug bounty!

I would NOT trust HackerOne or Blockchain.com's exchange team (previously known as "The Pit") at this point.  (It should be noted that Blockchain.com dropped "The Pit" name and it is now just Exchange)

I will update this thread when the companies decide to make this right.  They did eventually offer me $50 for trying and required I give my social security to collect it... lol (read the PowerPoint)

https://i.ibb.co/C7FV88L/hackerone-and-blockchain-com-bug-bounty-sucks.png


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 16, 2019, 11:48:47 PM
(original post, heavily updated and semi confusing... please reference powerpoint in the OP, thank you.)

*I give my full permission for anyone to use any text or any images from this thread.*

I signed up for an account on Blockchain.com's new "military-grade (https://i.imgur.com/RU6v1BF.png)" exchange called "The Pit (https://pit.blockchain.com/)".

I noticed right off the bat that I was able to get their exchange to show my 2fa backup codes without prompting me for my 2fa code. (I only needed to enter my password)

I emailed Blockchain.com's support and reported the problem.  Blockchain.com's support told me to open a "HackerOne" bug bounty report if I wanted to get paid.... I figured, "Why not?  I could use the money to test their site further / link my bank account with a wire!"  (I should have fucking known better and just been OK without getting compensated, but I was worried Blockchain.com's customer support person wouldn't forward on the problem if I didn't open a HackerOne ticket and I didn't want some poor Blockchain.com customer to get pwned because of Blockchain's critically flawed security design.)

https://i.imgur.com/nSROcGV.png
(you can see I'm sketched out about this "HackerOne" stuff from the start)

I created the issue on HackerOne:

https://i.imgur.com/PeQdGhb.png

HackerOne staff responded:

https://i.imgur.com/3tKFxpV.png

Yikes!!!!!!!  But OK... if that's how you want to have your website, go for it... I guess...

HOWEVER, today I checked Blockchain.com's website and lo and behold:

https://i.imgur.com/r9CDNJI.png
(users are now prompted for 2fa after the password screen) 10/16/2019

I'm not overly worried about Blockchain... I imagine they will make it right, but this fucking dipshit at HackerOne that said that's how the feature is supposed to work scares the shit out of me!!!!! At least I learned fast to avoid Hackerone.com before FreeBitcoins.com hired them.  It's scary to see that other cryptocurrency companies use HackerOne!

I do want to say "Good job" to Blockchain.com's security team for fixing this problem within a week.

I will update when and if HackerOne or Blockchain.com compensates me for this report.

Edit:  "They" reopened my closed bug report and offered me $50, requiring me to fill out my social security for said $50.  First they claimed the feature was functioning as it was supposed to and then later claimed they knew about the bug the whole time prior to it being reported!!!!!!  Ya, right.  ::)  I strongly recommend keeping on reading.

Double Edit:  I am now calling this a scam.  I believe it's just a case of one or more employees trying to cover their ass (https://bitcointalk.org/index.php?topic=5193539.msg52802584#msg52802584).  I will continue updating and such.

Now they are saying that the bug was known before my report... ya right!!! If it was, that's disgusting that they advertised Military-grade security with a bug known like that...

https://i.imgur.com/CyFkEdM.png

Links & news articles related to this:

https://www.reddit.com/r/Bitcoin/comments/djpg2m/bug_bounty_scam_blockchaincom_hackeronecom_didnt/ (50 upvotes with 92% upvotes so far.  Thanks for voting <3)

https://www.reddit.com/r/btc/comments/djpfu9/scam_blockchaincom_hackeronecom_didnt_pay_a_major/ (this one got nuked by a /r/btc mod)

https://twitter.com/SnailsInTheMail/status/1185212527925436416

https://forum.bitcoin.com/post294928.html#


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: TwitchySeal on October 17, 2019, 08:52:41 AM
That's annoying.  Obviously you should get something.  Not even a thank you is basically a middle finger.

I always assumed these bug bounty sites were given some sort of retainer or billed the actual site with the bug for any bounties they paid.

This makes me think maybe they just charge a flat rate or something for their 'service', maybe package it with a security audit.

If a bug bounty site has a financial incentive to not pay out bounties, like in the example above, they're actually doing a disservice to the sites being tested, the sites users, and the bug reporters.  That's fucked up.


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 17, 2019, 02:43:55 PM
Blockchain.com customer support email this morning.  In the previous email, I let them know HackerOne said this was how the feature intended to function & I also included a link to this thread.

https://i.imgur.com/wL94hvp.png

I went ahead and sent Marco Santori a link to this thread on his personal website.  If I was the President of an exchange I would want to know about this. Plus I noticed a typo on Mr. Santori's website, so I figured I'd get two birds stoned at once (https://www.youtube.com/watch?v=Jfq3c4Cf1Fs).

https://i.imgur.com/yGkeIff.png

That's annoying.

Super annoying.  O well, life's annoying!  I've got faith in Blockchain.com.

https://i.imgur.com/Rm1Zxqo.gif


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 17, 2019, 05:19:44 PM
https://i.imgur.com/5aGYJNf.png


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 12:18:21 PM
Whoa.... $50 for a critical infrastructure error and the HackerOne people STILL claiming it's normal practice & Google does it (Google doesn't, don't worry) to display 2fa backup codes without re-authenticating both 2fa and password if the account has both.  What is the point of 2fa in that case?  This is NOT how military-grade 2fa security works at all.

https://i.imgur.com/sHAojpE.png

Severity "none"  :o :o :o :o :o :o w-t-f  :-X  

"Pipelined for fix" also catches my eye because this fix has already taken place, as indicated in my OP.  These HackerOne people are liars.

"Note that other services, including Google, do not require 2FA code to reveal the backup codes." This is NOT true.  Google absolutely requires 2fa to reveal 2fa codes. (see further down the thread)

(this paragraph is a 10/19/2019 edit) "recognition of your effort to prioritize this fix" At least they are calling it a fix and not a fucking feature! Imagine this story:  You have $10,000,000 on your account and you want to go to a coffee shop to trade.  You know you aren't going to withdraw, so you leave your 2fa at home in your safe.  Your account is covered by 2fa.  You use Lastpass because your passwords are 30 characters long.  While you're sitting in the coffee shop, some punk grabs your computer and takes off.  By the time you get done with the police and hot coffee shop girls making sure you're OK, that punk could have withdrawn $10,000,000 without my bug report (half in BTC and half in fiat as per The Pit's withdraw limits (https://i.imgur.com/MKcEhRQ.png)).  My bug report just stopped that from happening because now that punk has to have your 2fa code to display your 2fa backup. Please keep in mind, I'm not 100% sure what the withdraw user experience & security features are like on "The Pit".  I was only on the site for a few minutes to find this.  IF it's like any other website + that bug that only required your password to dump and turn your 2fa... you'd be a fucked duck. End of edit.

According to Blockchain.com's bug bounty they pay $2000 and more for critical infrastructure errors/errors that result in users' funds... both of which this bug absolutely is.

https://i.imgur.com/dDw5x9E.png

Also, the icing on the cake... HackerOne is demanding my personal information for a $50 bounty!!!!!!!!!!!  ::) ::) ::) ::) ::) ::) ::) ::) ::) ::)

https://i.imgur.com/srHY2Pe.png

Since when does US tax law require personal information for a $50 payment to a nonemployee independent contractor?  In order to get a 1099 tax form in America, you have to earn over $600 in a year! (I'm not a CPA)

https://i.imgur.com/QrAFBTY.png

Edited:

Here is the actual shit they are trying to force me to fill out to get $50...

https://i.imgur.com/6FSPM9T.png

https://i.imgur.com/Eobk8jb.png


https://www.taxgirl.com/2009/03/19/ask-the-taxgirl-can-i-refuse-to-complete-a-form-w-9/


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 12:27:33 PM
My response to HackerOne staff:

https://i.imgur.com/yWIbABH.png

My follow up email to Blockchain.com staff:

https://i.imgur.com/mUaTD8I.png


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: LFC_Bitcoin on October 18, 2019, 12:33:20 PM
You might want to edit out your name in the letter. I presume you don’t want to dox yourself.

Fascinating reading though & the bounty paid is a joke by the way.


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 12:42:52 PM
You might want to edit out your name in the letter. I presume you don’t want to dox yourself.

I've been a namefag for a while.  It's all good!  Thank you though <3 I appreciate you pointing it out.

Fascinating reading though & the bounty paid is a joke by the way.

I don't know if I should laugh, cry, an hero or bang my head against the wall.   ;D :P ::)


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 01:08:51 PM
https://i.imgur.com/X7lhwPs.png

Here is the file I attached (blockchain.info.png) with proof Google requires 2fa before dumping 2fa backup codes:

https://i.imgur.com/eVuQ1JD.png


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: dooglus on October 18, 2019, 01:13:23 PM

Google absolutely does prompt for both account password and 2FA code before allowing you to do anything with your 2FA settings if 2FA is enabled.

If your account doesn't, it's likely because you have left "Don't ask again on this computer" checked. It is checked by default every time you provide a 2FA code.

Allowing any logged in account to access its 2FA backup codes without providing a 2FA code means that if anyone gains temporary access to your account they can disable 2FA at any point in the future. That's clearly "a credible attack".
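dooglus's point above is a step-up authentication rule: revealing backup codes is a 2FA-management action, so it must require a fresh second-factor proof and not just a password session. The Python model below is added here and is not code from the original posts, from Blockchain.com or from HackerOne; it shows the reported password-only reveal beside a hardened version, and the account, session, 300-second freshness window and TOTP secret are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the flaw discussed in the thread: a session that has only
# proven the password can fetch the account's 2FA backup codes. Every name, value
# and secret below is an assumption for this example, not Blockchain.com's or
# HackerOne's code.

MFA_FRESHNESS_SECONDS = 300  # a second-factor proof older than this does not count as fresh


class AuthError(Exception):
    """Raised when a sensitive action is attempted without the required proof."""


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the given Unix time."""
    counter = int(at // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_code(value: str) -> str:
    """Server-side storage form of a password or backup code (toy: plain SHA-256)."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    totp_secret: bytes
    backup_code_hashes: list[str] = field(default_factory=list)


@dataclass
class Session:
    password_verified_at: Optional[float] = None
    mfa_verified_at: Optional[float] = None  # set only when a TOTP or backup code was presented


def login_with_password(acct: Account, sess: Session, password: str, now: float) -> bool:
    """First factor only; this is all the reported reveal flow required."""
    if not hmac.compare_digest(hash_code(password), acct.password_hash):
        return False
    sess.password_verified_at = now
    return True


def verify_second_factor(acct: Account, sess: Session, code: str, now: float) -> bool:
    """Accept the current TOTP or an unused backup code and record when it was proven."""
    if hmac.compare_digest(code.encode(), totp(acct.totp_secret, now).encode()):
        sess.mfa_verified_at = now
        return True
    digest = hash_code(code)
    if digest in acct.backup_code_hashes:
        acct.backup_code_hashes.remove(digest)  # backup codes are single use
        sess.mfa_verified_at = now
        return True
    return False


def mfa_is_fresh(sess: Session, now: float) -> bool:
    """True when the session proved possession of the second factor recently enough."""
    return sess.mfa_verified_at is not None and now - sess.mfa_verified_at <= MFA_FRESHNESS_SECONDS


def issue_backup_codes(acct: Account, count: int = 8) -> list[str]:
    """Regenerate backup codes on reveal; the server keeps only their hashes."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    acct.backup_code_hashes = [hash_code(c) for c in codes]
    return codes


def reveal_backup_codes_vulnerable(acct: Account, sess: Session, now: float) -> list[str]:
    """Behaviour reported in the thread: a password-only session is enough to dump the
    codes, so anyone holding a logged-in session can later disable 2FA entirely."""
    if sess.password_verified_at is None:
        raise AuthError("password required")
    return issue_backup_codes(acct)


def reveal_backup_codes_fixed(acct: Account, sess: Session, now: float) -> list[str]:
    """Hardened: step-up authentication, i.e. a fresh second-factor proof, is required too."""
    if sess.password_verified_at is None:
        raise AuthError("password required")
    if not mfa_is_fresh(sess, now):
        raise AuthError("fresh 2FA verification required")
    return issue_backup_codes(acct)
```

The freshness check is what turns a stolen logged-in session from "can disable 2FA later" into "still needs the second factor".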


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 01:48:59 PM

Google absolutely does prompt for both account password and 2FA code before allowing you to do anything with your 2FA settings if 2FA is enabled.

If your account doesn't, it's likely because you have left "Don't ask again on this computer" checked. It is checked by default every time you provide a 2FA code.

Allowing any logged in account to access its 2FA backup codes without providing a 2FA code means that if anyone gains temporary access to your account they can disable 2FA at any point in the future. That's clearly "a credible attack".

Thank god I'm not losing my marbles...  I appreciate the second set of eyes Doog.


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 02:10:22 PM
https://i.imgur.com/Og8Gezh.png


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 02:19:55 PM
Wow, just wow.

https://i.imgur.com/nCT52Gf.png

It went from a "working feature, how else would they recover their 2fa if lost?" to "Something they were already planning on fixing."  ::) No fucking way.  This was a horrible security flaw that someone fucked up royally & fixed as soon as I reported it.  I can't even imagine purposely leaving 2fa to be dumped with a password only.

"not a critical security flaw as per the industry-accepted defination of the term"  It should be noted that this is a MAJOR CRITICAL HOLY FUCK security flaw as per industry-accepted definition. Not re-authenticating a user's 2fa or giving the user a "remember this computer" option (which you shouldn't use ffs!) such as what Google does is most certainly not military-grade "locked down" or likely even good enough for Neopets.

https://i.imgur.com/bMTqV8B.png

Blockchain.com's bug bounty is a scam or some employees there are very confused about what the industry standard is for 2fa security, holy shit.  I'm going to officially say that at this point.  Updated in the OP.


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 02:36:19 PM
Hold on... still a glimmer of hope...

https://i.imgur.com/rJbrMX5.png


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 02:40:16 PM
https://i.imgur.com/fExHQLb.png

Jesus Christ on a stick.  Unreal.  I'm totally flabbergasted and at a loss for words.

Needless to say, I will not be claiming that $50 by filling out any tax forms I'm not required to!  Fuck that noise.

https://media2.giphy.com/media/ra75UYT9LjKSY/giphy.gif


Title: Re: Blockchain.com & HackerOne.com didn't pay bug bounty & made the fix anyways.
Post by: BayAreaCoins on October 18, 2019, 03:17:43 PM
https://i.imgur.com/tLvsvnZ.png

https://twitter.com/SnailsInTheMail/status/1185212527925436416


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on October 18, 2019, 04:09:00 PM
I am now calling this a scam as of this post due to Blockchain and HackerOne not honoring their Bug Bounty terms of payment. After going back and forth with Blockchain's & HackerOne's customer support, I also believe they made claims that they knew are flat out lies. Please read through and make your own decision.  I have done my best to document everything here.
 
Something feels real off to me about it.  I find it hard to believe that their security team was aware of this problem and purposely chose not to fix it... or at least chose not to fix it until I reported it.


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on October 18, 2019, 07:14:36 PM
BlockchainPIT on their Telegram channel is now editing their messages!

I'm so fucking thankful I took screenshots.

https://i.imgur.com/3bDWRiv.png

Before they edited their response was:

Quote
"Steven stick to asking questions on the Pit on this channel. we have taken your points on board above and are looking into it. I have asked the relevant folks  internally to ensure it's sorted correctly.

Edit:  Lol I'm just noticing that part of the edit in their Telegram removed the "to ensure it's sorted correctly." lol *facepalm* srsly?

Double edit:  I'm not saying editing is bad.  I make about a million edits and typos each post... but to remove the part that says they will get it sorted correctly is kinda funny in a sick way. lol


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: TwitchySeal on October 18, 2019, 07:54:44 PM
Seems like this would be good story for some of those clickbait crypto news sites.


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: DiamondCardz on October 18, 2019, 08:12:15 PM
Their handling of the situation is what I would generously class as a complete joke. Being able to get 2FA Backup codes without proving you have access to a 2FA method makes about as much sense as being able to change the password on an account without knowledge of its existing password. It's ridiculous and a failure of basic security principles, and it's pretty worrying that a "military-grade" exchange made such a basic error. If they're making basic security errors like that then they have clearly invested very little in reviewing their security practices which is completely antithetical with claiming that your security is top-notch.

Shame on them.



Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on October 20, 2019, 02:59:16 AM
My only update for today:

https://i.imgur.com/bYpA9NK.png

Please consider voting at https://www.reddit.com/r/Bitcoin/comments/djpg2m/bug_bounty_scam_blockchaincom_hackeronecom_didnt/


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: lugrugzo on October 29, 2019, 09:06:17 PM
I'm sorry but you act like r/ChoosingBeggars (https://www.reddit.com/r/ChoosingBeggars/).
They clearly won't pay and even if they pay, the reason will be:

- F*ck, this guy talks so much, pay his shit and make him shut up.


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on October 30, 2019, 05:02:20 AM
I'm sorry but you act like r/ChoosingBeggars (https://www.reddit.com/r/ChoosingBeggars/).

I'll live.  I'm not begging.  No need to apologize.  I treated this exactly how I would want my website to be treated as well.

I just think it's wild to claim military security and have 2fa backups dump without reauthenticating.  Then on top of that claim that is how it's supposed to function.  Then offer $50 but demand personal information.  It's just an experience that needs to be documented IMO.  That's worth far more than the $6,000 cap on bug bounties.

They clearly won't pay and even if they pay, the reason will be:

- F*ck, this guy talks so much, pay his shit and make him shut up.

How about:

- Hey, this guy found a major flaw in our security logic that put our customers at risk that could/would result in coins being lost & customers possibly physically hurt. We fixed it asap. Our bug bounty says $2,000-$6,000.  Let's do what we say we will do.

Not:

- Uhhh the feature performs as intended.
(1 day later)
- Actually we fixed it because we already knew about it and Google does it this way too.  (Google does not)
- Here is $50 for trying so hard, but... we need all your personal info to pay you $50 or you get jack shit!  Welcome to the Bitcoin community, thanks for making our website and community more strong... let us know if you see anything else! *an heros  ::)*

I just can't stand getting fed bullshit & lies.  Please don't confuse my bitching as begging.  End of the day, I would have given them this for free... I just dislike the deceptive bullshit.


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: TwitchySeal on October 30, 2019, 11:31:25 PM
I'm sorry but you act like r/ChoosingBeggars (https://www.reddit.com/r/ChoosingBeggars/).
They clearly won't pay and even if they pay, the reason will be:

- F*ck, this guy talks so much, pay his shit and make him shut up.


If you just skimmed the OP and thread I can see how you would think that.  You're wrong though.

It doesn't matter how obvious or easy to fix a bug is.  It only matters how critical it is.

The fact the bug existed and the way it was handled is a pretty big deal imo. 



Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on November 15, 2019, 03:46:08 PM
Still demanding sensitive personal information for a $50 payment in BTC on a critical bug that would have resulted in user funds being lost that they said wasn't a bug, but fixed anyways.


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on March 03, 2020, 07:35:01 PM
Better bump topic about your best friend klye and his scam :)
3 years without activity and I think he still didn't pay the scammed money.

Actually, believe it or not... I believe bb (KYLE) has paid everyone that has demanded their investment back and all his current people are up to date payment wise.

If KYLE owes you money from his shit, please contact me and I'll reach out to him.  

(Mind you, none of that had anything to do with me... I just helped him a tiny bit manage the crisis.)


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: MRKLYE on March 03, 2020, 08:03:02 PM
Better bump topic about your best friend klye and his scam :)
3 years without activity and I think he still didn't pay the scammed money.

Bayareacoins is my lover, not my best friend. Get your facts straight bitch. :)

Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3

Cheers Fuckface. :D


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on March 03, 2020, 08:06:48 PM
Better bump topic about your best friend klye and his scam :)
3 years without activity and I think he still didn't pay the scammed money.

Bayareacoins is my lover, not my best friend. Get your facts straight bitch. :)

Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3

Cheers Fuckface. :D

I was actually going to correct him to "Butt Buddies" rather than besties, but I figured I'd keep our love in the cummy-shadows bb ;) <3.

Mwahaha

Thanks for responding... Im glad to see everyone is squared away for the moment and lots of luck with STEEM bb.  Don't let Justin Sun buttfuck your community too bad!  #resistcommunism


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: Grab on March 04, 2020, 12:05:29 AM
Better bump topic about your best friend klye and his scam :)
3 years without activity and I think he still didn't pay the scammed money.

Bayareacoins is my lover, not my best friend. Get your facts straight bitch. :)

Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3

Cheers Fuckface. :D

I just wanna know why he helped you with your shitty scam.
I have info that he didn't pay all the bitcoins and he ignores investors :)
That's why I made this post, but if you want to deal with a lowlife scammer it is ok, but people shouldn't trust you Bay.


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on March 04, 2020, 12:24:15 AM
I just wanna know why he helped you with your shitty scam.

My extent of helping bb was encouraging him not to kill himself when he messaged me that he gambled it all away.  I also encouraged him to keep pushing on and making people right.  Pay the urgent ones first and the chill people interest later.

If he killed himself... no one's getting paid for sure.

Edit:  One time I let bb be a camgirl on MyFreeCams on a spare account... it was unrelated to this KYLEMAX nonsense, but still had to do with webcamming I guess you could say! We just pretended he was a girl with cancer lol kind of fucked up, but o well.:P

I have info that he didn't pay all the bitcoins and he ignores investors :)

Open a new thread and address the issue because as far as I understand, that isn't the case.

That's why I made this post, but if you want to deal with a lowlife scammer it is ok, but people shouldn't trust you Bay.

That's part of what makes Bitcoin so amazing, I am able to transact with bb safely as long as he sends first... it keeps the playing field honest.

KLYE and I are lovers... we are not business partners and our trust doesn't have anything to do with each other. (har har)

I don't understand why someone wouldn't trust me due to bb, but if they don't... it's probably not someone I want to deal with anyways.  :P

I feel like I've addressed your post even though it was nonrelated to the OP of this thread.  If you wish to discuss this further, please create a new thread and PM me the link!  Thank you!



Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on May 20, 2020, 11:31:42 PM
PowerPoint added to the OP that more clearly breaks down what happened and how it happened.

https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on June 24, 2020, 06:45:25 PM
HackerOne reached out to me yesterday and let me know I no longer qualified for the $50 they were awarding me for "trying".  Keep in mind they were trying to require my social security and personal information for that $50! lol!

https://i.imgur.com/Ql781SJ.png

lol...  ::)

I also noticed Blockchain.com has dropped "The Pit" name from most of the website except for the Terms of Service and long typed legal things.

Read the whole story:  https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: allyouracid on June 24, 2020, 09:08:07 PM
They treated the whole situation in the worst way possible. The very least thing they could have done was to acknowledge that their implementation of 2FA was pointless, instead of pretending it worked as intended. What's the point of second factor auth as an additional barrier, if anyone can gain access to that barrier once the previous barrier(s) the 2FA is supposed to harden are broken? This doesn't make sense.

Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto. But the way they treated this whole thing is just ridiculous. Best part is how they play offended by revoking the 50 bucks now.


Title: Re: SCAM - Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on August 04, 2020, 02:50:29 AM
Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto.

A user doesn't just have to leave a computer recklessly unattended for this flaw to be dangerous!

Imagine just being shot in the face, and the person picks up your computer!  There are thousands of ways "something" could go wrong with this flaw.

These security flaws in systems designed for people to keep millions of dollars of value that can be sent nonreversibly with a few clicks put people at severe risk.


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on September 22, 2020, 11:34:37 PM
Good traction on another Reddit post today.

I had a white hat hacker recommend that I post my experience on /r/netsec today.

https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/

Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

Enjoy and thank you! :)

Edit: looks like it got removed off /r/netsec by a mod.  The post had 170 upvotes @ 94%... good ole reddit  ::)


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: TwitchySeal on September 24, 2020, 02:41:38 AM
Good traction on another Reddit post today.

I had a white hat hacker recommend that I post my experience on /r/netsec today.

https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/

Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

Enjoy and thank you! :)

Edit: looks like it got removed off /r/netsec by a mod.  The post had 170 upvotes @ 94%... good ole reddit  ::)

Post is still up, but a bunch of comments have been removed

https://www.removeddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on September 24, 2020, 04:44:48 PM
Good traction on another Reddit post today.

I had a white hat hacker recommend that I post my experience on /r/netsec today.

https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/

Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

Enjoy and thank you! :)

Edit: looks like it got removed off /r/netsec by a mod.  The post had 170 upvotes @ 94%... good ole reddit  ::)

Post is still up, but a bunch of comments have been removed

https://www.removeddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/

https://i.imgur.com/QmpU5VC.png

https://i.imgur.com/nRyLxok.png

 ::) *an heros*


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on October 09, 2020, 07:33:36 PM
bump


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on January 15, 2021, 11:44:17 PM
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL

https://i.imgur.com/uH5WutX.png

Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.

So either...

A:  They fucked me.

B:  They knowingly put their users at extreme risk and gave their users a false sense of security due to their exchange design flaws.

Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: TwitchySeal on January 16, 2021, 02:27:31 AM
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL

https://i.imgur.com/uH5WutX.png

Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.

So either...

A:  They fucked me.

B:  They knowingly put their users at extreme risk and gave their users a false sense of security due to their exchange design flaws.

Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.

"We've paid out over $30,000" ...what a lame and stupid defense.


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: Evilish on January 21, 2021, 03:51:29 PM
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL

https://i.imgur.com/uH5WutX.png

Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.

So either...

A:  They fucked me.

B:  They knowingly put their users at extreme risk and gave their users a false sense of security due to their exchange design flaws.

Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.

I bet it's 'A'. Them fixing the security issue same day as you reported it and then claiming they were aware of it doesn't add up.

Sorry I didn't follow the full thread, but did you ever proceed with the legal action against them? I am not sure you stand any legal recourse in this case but just curious how it turned out if you did.


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: BayAreaCoins on January 22, 2021, 02:21:03 AM
Sorry I didn't follow the full thread, but did you ever proceed with the legal action against them? I am not sure you stand any legal recourse in this case but just curious how it turned out if you did.

I talked to my lawyer, but the type of judge it would need to go in front of requires a grievance of at least $70,000.

I didn't really lose anything here and I didn't lose much time... We decided we wouldn't waste a Federal Judge's time or my money.

Soooo regardless of being wronged... there isn't really shit I can do about it except warn others!

(I agree, A is likely what happened... it's at least best-case scenario for them IMO.)


Title: Re: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug.
Post by: ico-services on March 13, 2021, 08:52:40 PM
This website also talks about a 2FA flaw at Blockchain.com.
Not sure if it's the same flaw or a similar one.

https://blockchaindotcomsucks.com