Jesus Christ on a stick. Unreal. I'm totally flabbergasted and at a lost for words. Needless to say, I will not be claiming that $50 by filling out any tax forms I'm not required to! Fuck that noise.
|
|
|
Hold on... still a glimmer of hope...
|
|
|
Wow, just wow. It went from a "working feature, how else would the recover their 2fa if lost?" to "Something they were already planning on fixing." No fucking way. This was a horrible security flaw that someone fucked up royally & fixed as soon as I reported it. I can't even imagine purposely leaving 2fa to be dumped with a password only. "not a critical security flaw as per the industry-accepted defination of the term" It should be noted that this is a MAJOR CRITICAL HOLY FUCK security flaw as per industry-accepted definition. Not to re-authenticating a user's 2fa or give the user a "remember this computer" option (which you shouldn't use ffs!) such as what Google does and is most certainly not military-grade "locked down" or likely even good enough for Neopets. Blockchain.com's bug bounty is a scam or some employees there are very confused about what the industry standard is for 2fa security, holy shit. I'm going to officially say that at this point. Updated in the OP.
|
|
|
Google absolutely does prompt for both account password and 2FA code before allowing you to do anything with your 2FA settings if 2FA is enabled. If your account doesn't, it's likely because you have left "Don't ask again on this computer" checked. It is checked by default every time you provide a 2FA code. Allowing any logged in account to access its 2FA backup codes without providing a 2FA code means that if anyone gains temporary access to your account they can disable 2FA at any point in the future. That's clearly "a credible attack". Thank god I'm not losing my marbles... I appreciate the second set of eyes Doog.
|
|
|
Here is the file I attached (blockchain.info.png) with proof Google requires 2fa before dumping 2fa backup codes:
|
|
|
You might want to edit out your name in the letter. I presume you don’t want to dox yourself.
I've been a namefag for a while. It's all good! Thank you though <3 I appreciate you pointing it out. Fascinating reading though & the bounty paid is a joke by the way.
I don't know if I should laugh, cry, an hero or bang my head against the wall.
|
|
|
My response to HackerOne staff: My follow up email to Blockchain.com staff:
|
|
|
Whoa.... $50 for a critical infrastructure error and the HackerOne people STILL claiming it's normal practice & Google does it (Google doesn't don't worry) to display 2fa backup codes without re-authenticating both 2fa and password if the account has both. What is the point of 2fa in that case? This is NOT how military-grade 2fa security works at all. Severity "none" w-t-f "Pipelined for fix" also catches my eye because this fix has already taken place, as indicated in my OP. These HackerOne people are liars. "Note that other services, including Google, do not require 2FA code to reveal the backup codes." This is NOT true. Google absolutely requires 2fa to reveal 2fa codes. (see further down the thread) (this paragraph is a 10/19/2019 edit) "recognition of your effort to prioritize this fix" At least they are calling it a fix and not a fucking feature! Imagine this story: You have $10,000,000 on your account and you want to go to a coffee shop to trade. You know you aren't going to withdraw, so you leave your 2fa at home in your safe. Your account is covered by 2fa. You use Lastpass because your passwords are 30 characters long. While your sitting in the coffee shop, some punk grabs your computer and takes off. By the time you get done with the police and hot coffee shop girls making sure you're OK, that punk could have withdrawn $10,000,000 without my bug report (half in BTC and half in fiat as per The Pit's withdraw limits). My bug report just stopped that from happening because now that punk has to have your 2fa code to display your 2fa back up. Please keep in mind, I'm not 100% what the withdraw user experience & security features are like on "The Pit". I was only on the site for a few minutes to find this. IF it's like any other website + that bug that only required your password to dump and turn your 2fa... you'd be a fucked duck. End of edit.According to Blockchain.com's bug bounty they pay $2000 and more for critical infrastructure errors/errors that result in users funds... both of which this bug absolutely is. Also, the icing on the cake... HackerOne is demanding my personal information for a $50 bounty!!!!!!!!!!! Since when does US tax law require personal information for a $50 payment to a nonemployee independent contractor? In order to get a 1099 tax form in America, you have to earn over $600 in a year! (I'm not a CPA) Edited:
Here is the actual shit they are trying to force me to fill out to get $50...
https://www.taxgirl.com/2009/03/19/ask-the-taxgirl-can-i-refuse-to-complete-a-form-w-9/
|
|
|
Blockchain.com customer support email this morning. In the previous email, I let them know HackerOne said this was how the feature intended to function & I also included a link to this thread. I went ahead and sent Marco Santori a link to this thread on his personal website. If I was the President of an exchange I would want to know about this. Plus I noticed a typo on Mr. Santori's website, so I figured I'd get two birds stoned at once. That's annoying.
Super annoying. O well, life's annoying! I've got faith in Blockchain.com.
|
|
|
(original post, heavily updated and semi confusing... please reference powerpoint in the OP, thank you.) *I give my full permission for anyone to use any text or any images from this thread.*I signed up for an account on Blockchain.com's new " military-grade" exchange called " The Pit". I noticed right off the bat that I was able to get their exchange to show my 2fa backup codes without prompting me for my 2fa code. (I only needed to enter my password) I emailed Blockchain.com's support and reported the problem. Blockchain.com's support told me to open a "HackerOne" bug bounty report if I wanted to get paid.... I figured, "Why not? I could use the money to test their site further / link my bank account with a wire!" (I should have fucking known better and just been OK without getting compensated, but I was worried Blockchain.com's customer support person wouldn't forward on the problem if I didn't open a HackerOne ticket and I didn't want some poor Blockchain.com customer to get pwned because of Blockchain's critically flawed security design.)(you can see I'm sketched out about this "HackerOne" stuff from the start) I created the issue on HackerOne: HackerOne staff responded: Yikes!!!!!!! But OK... if that's how you want to have your website, go for it... I guess... HOWEVER, today I checked Blockchain.com's website and low n behold: (users are now prompted for 2fa after the password screen) 10/16/2019I'm not overly worried about Blockchain... I imagine they will make it right, but this fucking dipshit at HackerOne that said that's how the feature is supposed scares the shit out of me!!!!! At least I learned fast to avoid Hackerone.com before FreeBitcoins.com hired them. It's scary to see that other cryptocurrency companies use HackerOne! I do want to say "Good job" to Blockchain.com's security team for fixing this problem within a week. I will update when and if HackerOne or Blockchain.com compensates me for this report. Edit: "They" reopened my closed bug report and offered me $50, requiring me to fill out my social security for said $50. First they claimed the feature was functioning as it was supposed to at first and then later claimed they knew about the bug the whole time to being reported!!!!!! Ya, right. I strongly recommend keeping on reading.Double Edit: I am now calling this a scam. I believe it's just a case of one or more employees trying to cover their ass. I will continue updating and such.Now they are saying that the bug was known before my report... ya right!!! If it was, that's disgusting that they advertised Military-grade security with a bug known like that... Links & news articles related to this: https://www.reddit.com/r/Bitcoin/comments/djpg2m/bug_bounty_scam_blockchaincom_hackeronecom_didnt/ (50 upvotes with 92% upvotes so far. Thanks for voting <3) https://www.reddit.com/r/btc/comments/djpfu9/scam_blockchaincom_hackeronecom_didnt_pay_a_major/ (this one got nuked by a /r/btc mod) https://twitter.com/SnailsInTheMail/status/1185212527925436416https://forum.bitcoin.com/post294928.html#
|
|
|
I went ahead and created a PowerPoint for my lawyer (I was just asking if there was anything I could "do", but there isn't)... the PowerPoint is a little less clusterfucky than this Bitcointalk thread. I'm going to leave the original post under the next post, but here is a link to the PowerPoint that breaks down how Blockchain.com and HackerOne.com fucked me on a painfully obvious and dangerous 2fa dump logic error. Powerpoint with the full story: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharingtl;Dr I reported a problem, they said it was working as intended, they fixed the problem that night, they stiffed me. Needless to say, we are not going to go forward with any formal complaints and I still hope Blockchain just pays me my fucking bug bounty! I would NOT trust HackerOne or Blockchain.com's exchange team (previously known at "The Pit") at this point. (It should be noted that Blockchain.com dropped "The Pit" name and it is now just Exchange) I will update this thread when the companies decide to make this right. They did eventually offer me $50 for trying and required I give my social security to collect it... lol (read the power point)
|
|
|
Blah, didn't get done tonight... shooting for tomorrow right before the 16:00 UTC time Poloniex kill time.
Miss our projected time... hoping to have our exchange "live" live in less than 5 hours. I will update soon. (Also, Poloniex withdraws are working great for me atm too. Maybe Polo listened to dooglus single line of code fix finally after 10 months... lol. smh.
|
|
|
Blah, didn't get done tonight... shooting for tomorrow right before the 16:00 UTC time Poloniex kill time.
|
|
|
22 Hours till the Poloniex delist! Buy (cheap) or sell CLAMS fast and easy with no KYC with my service https://freebitcoins.com/swap/ if you use the max amount... wait about 10 minutes and it should be available to trade again. Swap does offer an API to automate your buying or selling. Will CLAM make it? Will CLAM be developed? Will CLAM be at conferences? Are we all hopelessly fucked? Find out next! Hard times are coming because when poloniex delist clam yobit will be the only exchanger listed by coinmarketcap, that means they will decide they coin price and at that moment clam will go down to 0.00007... So, hard times for the coin, i hope better times come for it. I wish good luck for the clam holders. Do NOT use YoBit. You will lose your CLAMS. FreeBitcoins will be on CoinMarketCap soon I'm sure... we are about to launch tonight I think... more news soon.
|
|
|
22 Hours till the Poloniex delist! Buy (cheap) or sell CLAMS fast and easy with no KYC with my service https://freebitcoins.com/swap/ if you use the max amount... wait about 10 minutes and it should be available to trade again. Swap does offer an API to automate your buying or selling. Will CLAM make it? Will CLAM be developed? Will CLAM be at conferences? Are we all hopelessly fucked? Find out next!
|
|
|
id someone already try this service? is it legit? can we trust in btcpop?
I've never tried their service. They seem legit from what I heard. They also credit stakes from my understanding. Swap is working just fine at the moment. If you use the max amount of coins. Just wait for another confirmation and it should be refilled! We also offer an API too for trading.
|
|
|
|