Bitcoin Forum
Show Posts
661  Alternate cryptocurrencies / Marketplace (Altcoins) / Re: [BOUNTY] [ICO] PATIENTORY: Blockchain-Secured Medical Records on: May 08, 2017, 05:43:16 PM
I would like to reserve the white paper translation in French.
662  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex Huge Security Issue on: May 08, 2017, 05:11:03 PM
That "paper" is at least 5-6 months old and it has been disproved many times.
Not sure what's up with those polo fud campaigns.

I'm not affiliated with any exchange or anyone that might be interested in a "fud" campaign.
I wonder where you see that my paper has been disproved? Apart from the reddit post "Poloniex is secure", which is to be considered carefully because it comes from Poloniex itself, I can't find any other.
So basically, to answer your question, there are no such fud campaigns, only truths.
663  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex Huge Security Issue on: May 07, 2017, 10:35:48 PM
Laughing at people with STR  Grin
Well, Polo has millions, and the site still crashes when the price starts dropping  Huh
Remember why the trollbox is there guys. Much talking on the temporary trollbox, fewer complaints on forums, which are persistent  Tongue
Still waiting for my bounties from polo tho
664  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: Coinranking - A mobile-friendly price tracker of cryptocurrencies on: May 06, 2017, 11:05:08 PM
Clean site man, dece! But what does YOUR site bring to the table that one of the 10 others we already have doesn't? Smiley

I think he said it ...

Most cryptocurrency price tracking websites lack a good mobile experience.
These websites aren't responsive, which makes them clumsy to use.
So we created an alternative that is fast, optimized for mobile and without annoying ads.

Feedback: On PC, when I want to use my scroll wheel to get back to the top, e.g., it instead clicks on the coin, that's annoying Sad
665  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex discussion on: March 05, 2017, 03:56:58 PM
Do you want volume, UI and profit? Take Poloniex.
Do you want security? Take Kraken.

It's as simple as this.

Poloniex :
  Pros :
    - Really nice UI
    - Good api
    - Removes shitty coins
    - Insane volume
  Cons :
    - Weak security (they have been hacked multiple times)
    - No bug bounty program
    - They have also been vulnerable to DDoS multiple times

Kraken :
   Pros :
     - High security (never hacked, no weakness indicator)
     - Bug bounty program
     - Good volume
   Cons :
     - Bad UI (my opinion)
666  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Yobit withdrawal email check-up vulnerable on: December 29, 2016, 10:04:57 PM
Yobit is not answering tickets and has some vulns, take care.
BOUM !
667  Alternate cryptocurrencies / Service Discussion (Altcoins) / Yobit withdrawal email check-up vulnerable on: December 27, 2016, 10:53:57 AM
Hi,

Yobit has several options to protect against withdrawals in case your account has been compromised.
In letter settings, it has an option called: "Send confirmation letter at withdrawal request".
This one can be deactivated without the user's agreement.

When you try to disable this option, Yobit sends a mail to ask you for the deactivation. If you click on the link contained in the email, it deactivates the option.

Most mail agents have something called "Link Preview" activated by default. They load the page to give the user a preview of the page.
Yobit does not check if the user is authenticated when disabling the option.
This results in the fact that when opening the mail, even if you do not click the link, the confirmation letter at withdrawal request will be deactivated.

Proof of Concept, using a famous mail agent, Outlook:

This also works for API key creation. You can create a withdrawal API key the same way, by the user just viewing the mail.

Timeline of disclosure :

02/11/2016 : Reported the vulnerability to Yobit support. No answer. Not fixed.
27/12/2016 : Public disclosure.
668  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: POLONIEX locked up my LSK which worth 10 BTC for 6 days. I need help on: November 13, 2016, 04:49:29 PM
Hi,

Their answer seems clear, they have a problem with the LSK wallet and they ask for more time. No need to alert all the media for a 6 days delay.
In my opinion, the delay you should allow them for a transaction problem is 15 days (if they answer your tickets, which they do) and you should ask for compensation on a 7+ days delay for a transaction.
Again, I see nothing alarming in their answer, just ... patience ... Wink
669  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Is Poloniex a safe heaven for your digital currencies? on: November 09, 2016, 10:11:18 PM
Hi,

Feel free to read my paper on Poloniex
670  Alternate cryptocurrencies / Service Discussion (Altcoins) / A Discord poloniex trading bot ? on: November 01, 2016, 10:12:40 PM
Hello  Smiley

These previous days, I have been working on a Poloniex trading bot.
Most of the bots actually run on your computer, which means

- You can't move with your computer or your bot software will stop
- You have to leave your computer on 24/24
- You are scared about internet problems

That's why I come with a new thing. A bot controlled via the Discord chat application!
I first let you see a quick video demonstration which shows only 2 features, but believe me, there is gonna be muuuuch more!

In fact, I have a server running my nodejs bot, listening to commands you write on Discord. It is also connected to the push API of Poloniex.
So you just have to type a command to set your strategy.
After writing to Poloniex about the 6 maximum API calls per IP (all API calls will be done from my server, so it would be problematic to have this tight limit if a lot of people use it), they said they could increase my number of API calls in such a case, so it's fairly good news Cheesy

I would like to know if people are interested in this project.
Which features would you like to be implemented? Do you think it is a good idea? Would you use it?
I would be glad to know on this google form!
671  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Exchange markets for altcoin on: October 28, 2016, 12:00:56 PM
1) Go to kraken and deposit USD|EUR
2) Buy bitcoins on kraken
3) Withdraw your bitcoins from kraken to Poloniex (biggest altcoins volume market)

When you want to cash-out :

4) Sell all your altcoins on Poloniex for bitcoins
5) Withdraw your bitcoins from poloniex to kraken
6) Sell your bitcoins on kraken
7) Withdraw your $$ from kraken
672  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Need help understand Pololnix SELL ORDER columns on: October 17, 2016, 06:07:03 PM
Yes, this is totally correct Wink
673  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Need help understand Pololnix SELL ORDER columns on: October 17, 2016, 05:26:46 PM
So, I just used my huge paint skills for a little explanation :p

So if you decide to buy 0.08 BTC, you have to set a buy to 0.00039818 of 0.8 BTC which will result in the following buy :
20.42 STEEM at 0.00039818 BTC/STEEM + 180 STEEM at 0.00039819
674  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 17, 2016, 02:37:58 PM
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?
Is this really true though?

First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:

Code:
<form name="c" id="c" action="https://domain.com/page" method="post">
<input type="hidden" name="parameter1" value="10000" />
</form>
<script type="text/javascript">
window.onload = function () {
var form = document.getElementById("c");
form.submit();
};
</script>
This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF.

The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefore it wouldn't be possible as a clickable link on the same domain, nor as any link/form/etc on another domain. Did you try making a request without that request header?

The reason why CSRF tokens are superior is because there have been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed making requests with those X- headers.) But still, if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.

Overall it seems like the PDF is a bit exaggerated IMO Tongue The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that Smiley so thanks for sharing that.

You're wrong, they aren't equally vulnerable. As a matter of fact, it wouldn't have been possible to do the attack I described if they were using POST.
They are not verifying the header X-Requested-With: XMLHttpRequest as you supposed. They check the Referer header (poloniex.com), which only allows an attack via a trollbox link (so again, it isn't possible with POST).
Glad to see my reports taught you some security things btw :p
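The disagreement above is about which server-side check actually stops the requests described in this thread: a mail client's link preview (the Yobit post), a clickable GET link shared inside the site's own chat box, and an auto-submitting cross-site form. The block below is an added example written for this thread, not code from Yobit, Poloniex or either poster; it models a state-changing endpoint with a Referer-only check beside a hardened check (POST only, authenticated session, per-session synchronizer token) and runs both over constructed request shapes. The origin, session ids, cookie values and form fields are all made up for illustration.

```python
"""Model of a state-changing exchange endpoint (e.g. "disable withdrawal
confirmation") under two validation policies. Added example for this thread;
every request, cookie and token here is constructed, not captured traffic."""
from dataclasses import dataclass, field
import secrets

SITE_ORIGIN = "https://exchange.example"   # assumed own origin (constructed)


@dataclass
class Request:
    method: str                                   # "GET" or "POST"
    cookies: dict = field(default_factory=dict)   # what the browser attaches
    headers: dict = field(default_factory=dict)   # Referer, X-Requested-With, ...
    form: dict = field(default_factory=dict)      # body parameters


# Server-side session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)},
}


def referer_only_check(req: Request) -> bool:
    """The weak policy the thread describes: accept any request whose Referer
    is on the site's own domain. A GET link shared inside the site (a chat or
    trollbox link) passes this check even though the victim never intended it."""
    return req.headers.get("Referer", "").startswith(SITE_ORIGIN)


def hardened_check(req: Request) -> str:
    """Layered policy. Returns 'ok' or the reason the request was refused."""
    # 1. Link previews, crawlers and <a href> clicks are GETs; if state never
    #    changes on GET, a mail client fetching the link cannot toggle anything.
    if req.method != "POST":
        return "refused: state change requires POST"
    # 2. The request must belong to a logged-in session (the check the Yobit
    #    post says was missing: the mail client had no session at all).
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return "refused: not authenticated"
    # 3. Synchronizer token: a cross-site auto-submitting form carries the
    #    victim's cookies but cannot read the per-session token to include it.
    supplied = req.form.get("csrf_token", "")
    if not secrets.compare_digest(supplied, session["csrf"]):
        return "refused: missing or wrong CSRF token"
    return "ok"


def sample_requests() -> dict:
    """Constructed request shapes matching the scenarios in the thread."""
    token = SESSIONS["sess-alice"]["csrf"]
    return {
        # Mail client renders a link preview: plain GET, no cookies.
        "mail_link_preview": Request("GET"),
        # Logged-in user clicks a link posted in the site's own chat box.
        "trollbox_get_link": Request(
            "GET", cookies={"session": "sess-alice"},
            headers={"Referer": SITE_ORIGIN + "/trollbox"}),
        # Auto-submitting form on another site: cookies attached, foreign
        # Referer, no token (the shape of the PoC form quoted above).
        "cross_site_post": Request(
            "POST", cookies={"session": "sess-alice"},
            headers={"Referer": "https://other.example/page"},
            form={"parameter1": "10000"}),
        # Legitimate same-origin form submission carrying the session token.
        "legit_post": Request(
            "POST", cookies={"session": "sess-alice"},
            headers={"Referer": SITE_ORIGIN + "/settings"},
            form={"parameter1": "10000", "csrf_token": token}),
    }


def evaluate() -> dict:
    """Run both policies over the samples: name -> (referer_only, hardened)."""
    return {name: (referer_only_check(r), hardened_check(r))
            for name, r in sample_requests().items()}


if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        verdict = "accept" if weak else "reject"
        print(f"{name:18s} referer-only={verdict:6s} hardened={strong}")
```

Running it shows the split the thread argues over: the Referer-only policy accepts the trollbox GET link (same-domain Referer) while the hardened policy refuses it for being a GET, and the cross-site POST gets past the Referer check's failure only to be stopped by the token check, which is why a token rather than a header is the durable fix.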
675  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 16, 2016, 08:53:08 PM
Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerabilities in one row.

Oups ! goo.gl/xcbG5G

This open URL vulnerability just got patched. But well, it was just another proof that Polo wasn't safe, even after the reddit post.
676  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 16, 2016, 06:45:37 PM
Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerabilities in one row.

Oups ! goo.gl/xcbG5G
677  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 16, 2016, 09:09:01 AM
So you rely on a post posted by the website itself? Sure, they will say "Yes, we fucked up, withdraw your coins." That's just stupid.
Again, it isn't FUD; I like to believe that after this, they will consider their customers and increase security.
678  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 16, 2016, 08:29:00 AM
Answer to Poloniex reddit post : https://www.reddit.com/r/CryptoCurrency/comments/57q9gf/poloniex_is_secure_were_good/

Quote
-- Anyone who is familiar with web services should know that multithreading, in and by itself, is not a vulnerability. In fact, it is necessary when processing more than one request at any given time. Our trading engine processes 200-300 transactions per second, and that's on a slow day.

You're totally off the mark. I never said multithreading is a vulnerability, nor GET requests. It's the way you use them which is a vulnerability. It becomes one when multiple threads can share the same resources at the same time.

Quote
-- For those who may be concerned with us using GET in any context: We agree that POST is best practice, and we currently use POST for sensitive information. We have plans to move more requests to POST, but in the meantime, it’s worth noting that GET is not inherently insecure and POST is not inherently secure. What matters much more is how each is used.

I wonder how you can say that after what I wrote in my reports. I reported to you that every GET request you did was easily shared with the moderator clickable link. This wouldn't be possible using POST requests. Same for the Open URL Vulnerability. So YES, you're using GET requests in the bad way, and if you can't see that, I am only more worried.

Quote
-- This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes

As I wrote, I'm not a professional pentester. I feel the need to test my payloads before reporting them, because I'm never sure they will work. I have been posting exactly 3 messages using the moderator client-side privilege. I wonder where you see in my article that I made a falsified report! Quoting me: "Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable links."
This is exactly what it did, and I specified that it was moderation client privilege only.
If you think I wrote as a moderator just to be spectacular, remember that I only posted 3 messages, and then directly reported the vulnerability as suggested by the moderators.

Quote
Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective?

And this is your principal mistake. Because I didn't hide myself, nor do I. Some research on any search engine could easily lead you to my identity. Moreover, I would like to remind you that I shared my personal identity with the support.

I would be very interested in knowing which company did a security audit of your website?

Btw, I'm still waiting for your answer, ticket #66023. Pending for 29 days now. Tic tac tic tac ...

Quote
but if your story is a mash-up of half-truths and inaccuracies, what are you really after?
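The reply above makes the point that multithreading itself is not the problem, but that sharing a resource between threads becomes a vulnerability when one request's check and update can interleave with another's. The block below is an added example for this thread, not Poloniex's engine or anything from the report: a toy ledger (balance, amounts and thread count all constructed here) shows a check-then-act withdrawal that several threads can pass at once, beside the same operation serialised under a lock so that only one can spend the balance.

```python
"""Check-then-act race on a shared balance, and the locked fix. Added example
for this thread; the ledger and amounts are constructed, not real code."""
import threading
import time


class Ledger:
    def __init__(self, balance: float) -> None:
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount: float, gate: threading.Barrier) -> bool:
        """Vulnerable pattern: the balance check and the debit are two separate
        steps, and nothing stops other threads from running between them. The
        barrier makes every worker reach the check at the same moment; the short
        sleep stands in for the I/O a real engine does between check and write."""
        gate.wait()
        if self.balance >= amount:      # step 1: check
            time.sleep(0.01)            # window other threads can use
            self.balance -= amount      # step 2: act
            return True
        return False

    def withdraw_locked(self, amount: float, gate: threading.Barrier) -> bool:
        """Fixed pattern: check and debit form one critical section, so
        concurrent requests are serialised and only one can spend the balance."""
        gate.wait()
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.01)
                self.balance -= amount
                return True
            return False


def run_concurrent(method_name: str, workers: int = 5, balance: float = 100.0) -> tuple:
    """Fire `workers` simultaneous full-balance withdrawals against a fresh
    ledger. Returns (number of withdrawals that succeeded, final balance)."""
    ledger = Ledger(balance)
    gate = threading.Barrier(workers)
    results = [False] * workers

    def worker(i: int) -> None:
        results[i] = getattr(ledger, method_name)(balance, gate)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balance


if __name__ == "__main__":
    print("racy:  ", run_concurrent("withdraw_racy"))    # several succeed, balance negative
    print("locked:", run_concurrent("withdraw_locked"))  # exactly one succeeds, balance 0.0
```

With five workers and a 100.0 balance the racy method lets every worker pass the check before any debit lands, so the ledger ends deeply negative; the locked method lets the first worker through and the rest see an empty balance. A database would express the same fix as a row lock or a conditional update (`UPDATE ... WHERE balance >= amount`) rather than a separate read followed by a write.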
679  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 05:48:25 PM
Don't worry guys, DEXs are starting to make their way into the crypto world, and there will always be vulnerabilities in centralized exchanges. Soon you will be able to make exchanges without worry of leaving your BTC in someone else's control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we won't have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

Can't wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.
680  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 03:39:34 PM
virustotal scan? I've some fear of these bitcointalk random links...

It is safe :
https://www.virustotal.com/en/url/536e926f2ec715ca3287356073b275d762e96dabe50d274f4c2f224cc369125e/analysis/1476545937/