Bitcoin Forum
681  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 03:09:42 PM
Quote
The best you could hope for is that you post a link, someone clicks it, they have sufficient balance to make a transaction, all this before a mod catches it. The result is that the victim makes a shitty purchase. ...and that's the bug they acknowledged and paid you for. The others are nonsense.

Exactly, that's only a proof of concept. How many people could I get to click on my link? If I have luck, I fall on someone with 100+ BTC balance, which is not that rare.
But I can also use Open URL Vulnerability, which will set the Referer as poloniex.com and redirect to the GET buying/selling request.
They never paid me nor replied to my ticket reporting this vulnerability.
682  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 02:57:29 PM
Quote
I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

That's the point! There is no need for a valid hash to confirm those actions! Check yourself!
Here is a capture of the complete request!

683  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 02:47:21 PM
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where the nonsense is? Where is the FUD? Please quote me where I'm wrong and arguments.
They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult a security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't much of a security risk? lol?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability, don't you?

Don't you think I deserved, not a bounty, but maybe something like a ... reply? "Thanks, we've corrected this bug, rest assured you can trade on Poloniex safely"? It is the strict minimum.

I do not expect any bounty from Poloniex, your theory of the conspiracy sounds a little too much.

Proof of concept links, you wouldn't have had valid hashes.
"..what is your goal from making this information public?"

That's the major problem! There are no CSRF tokens or "valid hashes" that protect those links. You should really read my paper better, or maybe my English was wrong.
My goal is to ring the alarm at the Poloniex team and expect them to have a better protection of their customers' funds. This isn't FUD, a simple 4-page PDF will not destroy a big company in 1 day.
684  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 02:36:36 PM
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where the nonsense is? Where is the FUD? Please quote me where I'm wrong and arguments.
They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult a security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't much of a security risk? lol?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability, don't you?

Don't you think I deserved, not a bounty, but maybe something like a ... reply? "Thanks, we've corrected this bug, rest assured you can trade on Poloniex safely"? It is the strict minimum.

I do not expect any bounty from Poloniex, your theory of the conspiracy sounds a little too much.
685  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 02:20:18 PM
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where the nonsense is? Where is the FUD? Please quote me where I'm wrong in my review and arguments a little more ...
686  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 01:17:44 PM
Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or some other admin of POLO through their IRC chat

I've been waiting for a reply for 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally making fun of me.
That's why I wanted to share this review to show the irresponsibility of their team.

Do you have some proof regarding the above statement? If you can provide that, we do need to be more cautious while using Poloniex to trade. But how will such a famous site ignore their security vulnerability, which might cause them to lose members?

Yep, we had our lessons from Mt. Gox and Bitfinex, but we will never remember anything after the heat reduces. But as far as bitcoins and altcoins trading, we have to rely on some trading platforms online.

I can provide a screenshot, but we cannot really consider it a proof as the source code can be edited to modify data.
I also have some e-mails that I sent to Poloniex.
687  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 01:05:23 PM
Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or some other admin of POLO through their IRC chat

I've been waiting for a reply for 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally making fun of me.
That's why I wanted to share this review to show the irresponsibility of their team.
688  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 15, 2016, 12:57:55 PM
Post it in public, so POLONIEX could get hacked and almost $1 Billion dollar worth of ALTS/BTC get hacked.


GOOD JOB!!!

I didn't release any unfixed Poloniex vulnerability, but I think that customers have to know Poloniex is insecure and does not even reply to people reporting vulnerabilities to them ;)
689  Alternate cryptocurrencies / Service Discussion (Altcoins) / Poloniex security review on: October 15, 2016, 12:43:23 PM
Hey!

I've been writing a security review for Poloniex these last few days.
Sorry for my poor English :-[
https://www.pdf-archive.com/2016/10/15/poloniex/poloniex.pdf
690  Alternate cryptocurrencies / Announcements (Altcoins) / Re: ★[ANN] [NAV] NAV COIN - ANONYMOUS TECH. ● ANDROID WALLET LIVE ● NAV 2.1 SOON on: October 13, 2016, 04:55:20 PM
Maybe you could speak about the tech? Invest your time in a cryptocurrency and help developing coins to support the blockchain and anonymous technology instead of spending your time speculating about Nav price.
691  Economy / Scam Accusations / Re: ICO DeClouds going to scam 299.89740741 BTC on: October 03, 2016, 09:18:54 PM
Are there any BTC rewards for the person who gets his real name and surname?
692  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][1CR] 1CRedit Coin Relaunch on: October 02, 2016, 08:43:20 PM
why new news didn't appear after countdown ended here http://1crlaunch.com/

Well, the obvious "news", which is totally fake like everything since the start of this pump, has been released on Twitter:
https://twitter.com/1CreditOfficial/status/782626234996064256
I can't really understand why people ... BELIEVED in an "incredible", "unprecedented" news. I mean, it was so FUCKING OBVIOUS.
Everyone on this thread (and here I think about dnaleor, thanks man) has been saying for days that 1CR doesn't have any devs and you guys just don't read or I don't know

Twitter account, 1CR website are just stuff designed by the whale and manipulator. There will be no beta game, no whitepaper, nothing! Stop dreaming and come back to earth.
Sorry, but it's only your fault and your stupidity if you are taking loss on 1CR. Polo moderators say it every minute: INFORM YOURSELF
693  Alternate cryptocurrencies / Speculation (Altcoins) / Re: ETH Soon Back To Sub 1 Dollar on: September 23, 2016, 09:51:05 PM
What I see in poloniex is that ethereum is on the top of most traded coins in the last 24h

So the price is more than $12 (~0.02+) and to go to one dollar is impossible for now.

Thank you...

yeah there is a very nice pump going on right now and it is a very good opportunity to make some money from this coin.

but i think ethereum is doomed eventually especially with bug after bug which is being found in the code, it nearly looks like a swiss cheese these days full of holes.

Could you tell me how many vulnerabilities were found on Windows? Hundreds, maybe thousands.
And Bill Gates is still the second richest man in the world.
694  Alternate cryptocurrencies / Speculation (Altcoins) / Re: ETH Soon Back To Sub 1 Dollar on: September 23, 2016, 09:33:14 PM


Do we look at the same chart? :p ETH/BTC is not saying the same. And I guess Ethereum is more linked to BTC than to DOL.

695  Alternate cryptocurrencies / Speculation (Altcoins) / Re: ETC / ETH - Technical Trading and Analysis on: September 20, 2016, 04:27:47 PM
Haven't posted in a while because it's pretty choppy on low volume. Everybody is waiting next week for DEVCON 2.

Unzoom your chart my friend, something can't be a "strong" support on a 6H timeframe :D

We're talking crypto, not forex. 8)
696  Alternate cryptocurrencies / Speculation (Altcoins) / Re: [XMR] Monero Speculation on: September 12, 2016, 11:42:58 AM

It is 2 years old. Crypto and DW change so much in 2 years. You cannot rely on this article.
697  Alternate cryptocurrencies / Altcoin Discussion / Re: [POLL] Would you advise Friends or Family to invest in Altcoins ? on: May 31, 2016, 12:06:56 AM
I think crypto is the future. A lot of us on this website obviously do.
The major problem is that there is no safe coin atm. Bitcoin is still moving a lot (as we have seen in the last days) and altcoins are highly manipulated by some whales.
I told my family cryptocurrency was the future, take care of it and be ready. But I would not advise them to invest right now.
698  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][LSK] Lisk | Blockchain Application Platform for JavaScript Developers on: May 24, 2016, 11:41:35 AM
No one has organised shit towards the polo trollbox. It's a bit of fun, tell geezup to get a life.

Organised campaign lol, is he for real. It's not often the most anticipated launch of a project happens. We're just excited. It shouldn't look bad on the project, people are demonstrating 'people power'. That mod needs to get a grip

So, because you are happy, we have to put up with hundreds of trollers.
This was fun, the first days, this isn't anymore. It's a bummer.
699  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][LSK] Lisk | Blockchain Application Platform for JavaScript Developers on: May 24, 2016, 11:31:31 AM
A message from our dear moderator.
I haven't really looked into Lisk, but as far as I know, it seems to be a nice project.
It's a shame to convey a bad image of Lisk by spamming everywhere.

700  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] -NEW BURST OP- MINE ANY FREE SPACE-(HDD MINING)- ATs, AE, P2P MARKET+MORE! on: April 27, 2016, 02:35:01 PM
-[ANNOUNCEMENT]-

REALLY NEAT VISUAL CHANGES!

Earlier this week, daWallet presented me with an offer to have a really neat visual modification done to the BURST wallet, I took him up on the offer and paid for the developer to make it happen...

We ended up with...

https://wallet.burst-team.us:8125/new/index.html


I personally could stare at it all day, love it!

Let me know what you all think!



For those of you who don't want to click links, here's a video of the awesomeness.

I'll be doing another vid on How to Use Assets and a few other things tomorrow!

https://youtu.be/W0fzT3deZ6E


I like it, but it is not following my mouse, just staying on the middle, near the input box.
Windows 8 (yuck) - Google Chrome (...), devs will kill me :p