[100bit.co.in] Earn up to 0.1 BTC for finding bugs

[100bitcoin]

I found an xss in your website and maybe an sqli too..... So are there already reported and you are in process of patching those or they are not reported???

Yes... we already have reports of the XSS and SQL injection problem. Still we would like to know which SQL injection problem you have found. You may post here or PM.

It seems, no one has found any problem in order execution so far. Would like to hear about testing report of that part...

[Roberson]

did you checkd the error i told, will i get my bounty ?

[100bitcoin]

ERROR FOUND !

http://www.100bit.co.in/recover.php

when you enter a email which isnt already exist ( no accout made using that ) then it says error, instead it should say , no account found with this email.

i get this page when i put a non-registered email - http://www.100bit.co.in/error404.php

btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw

did you checkd the error i told, will i get my bounty ?

Yes. There was a small glitch here, which is now fixed. You will get some bounty for finding this out. Can you please confirm that this issue is not appearing anymore at your end ?

[Roberson]

ERROR FOUND !

http://www.100bit.co.in/recover.php

when you enter a email which isnt already exist ( no accout made using that ) then it says error, instead it should say , no account found with this email.

i get this page when i put a non-registered email - http://www.100bit.co.in/error404.php

btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw

did you checkd the error i told, will i get my bounty ?

Yes. There was a small glitch here, which is now fixed. You will get some bounty for finding this out. Can you please confirm that this issue is not appearing anymore at your end ?

yes it looks fixed now, same page is there, so good now, waiting for bounty

[100bitcoin]

This is not a bug, but first of all, take a look to the "Lost you password" page. There's a mistake because it's Forgot Password and not Forgot Passowrd (in the header and in the button).

Thanks for pointing out. Should be fixed by now.

Then, once I registered my account I've received two direct messages on my mail account, you have to solve this automated messages problem. Maybe people receive more than one while they submit the registration form

This is because you clicked the authentication link twice. We prefer to keep it this way, because if for some reason the mail function does not work in the first click, recipient can click it again to get his/her "Account Creation" mail.

Another thing:
If you try to log-in with the ID that you wrote on the registration form and not with the ID specified on the email, you're going to see this warning:

"The email address is already registered with us"

This message it's the one that pops up in case that you try to register with an email address that's been registered before, not once you try to log-in.

As well, IMO users have to be able to log-in with their ID and not with the code (numbers) that they receive on their mail account.

Can you please re-create this situation and PM me the login credentials for which you are facing this problem ? In fact, the ID is generated only after registration. At the time of registration, user can enter name & email ID.

[100bitcoin]

your site is looking great well i checked the site but i found no bug unfortunately and thts mean your site is out of bug . Above users ^^ found the bug further i cant find . as it is a buying selling platform you should add 2FA or something else . i see that it is not so protected . and the security level is too low. also i just registered my account but now i m unable to login dont know why . i dont know thats a bug or whats is it.

1. 2FA might be implemented after some time. I would like to mention here that 100bit.co.in does not require your fund to stay deposited in any site wallet. User just need to deposit fund only when a trade is in progress. So, even if your account is compromised when you are not doing a trade, it will not financially affect you.

2. If you have registered an account, you need to authenticate it by clicking a link sent to your email ID. If you have forgot your password, you may recover it through your authenticated email ID.

[franckuestein]

Can you please tell us which buy orders text-box you mean here ? Is it the Preferred payment mode you are talking about ?

i'm talking about the "Preferred payment mode" input. franckuestein must be talking about that section too... but in the screenshot we see the ticket code injection.

Yes, what I was saying is that the problem wasn't just on the buy-order text box or in the About me box from your site, it was on the support zone of 100bit.co.in, too  

Can you please re-create this situation and PM me the login credentials for which you are facing this problem ? In fact, the ID is generated only after registration. At the time of registration, user can enter name & email ID.

Ok, now I tried to log-in with a random ID and the log-in form return only this message:
You have entered wrong login credentials or your account is not activated.

IMO, now it's ok, because then I logged in with the correct credentials and it's working.

Cheers!

[100bitcoin]

Im on the phone so i dont know if the site is optimized for mobiles im on iphone but everytime i login and i have to type the captcha it always says wrong captcha the first time then the second time it works, ive tried it 6 times and its always the same, the first time it says incorrect captcha then it works

100bit.co.in is optimized for mobile view and CAPTCHA should behave the same way on laptop as well as on mobile.

In the country selection option why are there so little countries to chose from? And why it says europe as a country

We wanted to cover EURO as a currency and hence added Europe as a country. Once the technical glitches get fixed, more countries & currencies will be added gradually. If you find your country/currency is missing, you may inform us here. We will add it ASAP.

[seoincorporation]

I still waiting the payment, how much i will get for my reported bugs?

[Mehek]

seems a good site...its easy and smooth with using but i cant find the deposit or withdrawl button on my whole account...is it a bug or it is not set till now?and i cannt find any market too?otherwise it is cool..

[RealPhotoshoper]

i have try your site, register and i have found this ,



maybe you can use NOREPLY email, so no one will reply to those mail.

also i found this,

 while i input wrong captcha the form that i have filled got blank form again.At the moment we register a site using the form , when there is an error ( eg, the desired user name is already used ) , then we returned to the original register page with an error message . If you notice , all the forms are pre-filled automatically repopulate so we do not need to input all the forms , but just fix the wrong section .

Form filled itself will greatly help the user to correct the wrong form field . Imagine if we fill out a form with 15 input box , only then forced to enter again all the input boxes for one fill date format on one input people will lazy to filled out the form again you can utilizing the $ _GET variable and headers function header.

[Roberson]

No bounty yet received !

[Astargath]

Im on the phone so i dont know if the site is optimized for mobiles im on iphone but everytime i login and i have to type the captcha it always says wrong captcha the first time then the second time it works, ive tried it 6 times and its always the same, the first time it says incorrect captcha then it works

100bit.co.in is optimized for mobile view and CAPTCHA should behave the same way on laptop as well as on mobile.

In the country selection option why are there so little countries to chose from? And why it says europe as a country

We wanted to cover EURO as a currency and hence added Europe as a country. Once the technical glitches get fixed, more countries & currencies will be added gradually. If you find your country/currency is missing, you may inform us here. We will add it ASAP.

Well for instance you should add Spain and Romania aswell, Poland is there thats why i was confused about Europe. So you should add all the countries in europe

[RealPhotoshoper]

no one get paid? okay i would suggest you op to use escrow , so no one worry about scamming or something else.

[100bitcoin]

I still waiting the payment, how much i will get for my reported bugs?

No bounty yet received !

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.

[Mehek]

anyone can say me that how can i deposit funds in it

[seoincorporation]

I still waiting the payment, how much i will get for my reported bugs?

No bounty yet received !

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.

Ok, but the title say "Earn up to 0.1 BTC for finding bugs", i really want to know how much i will get for my reported bugs? and if i found more bugs how much more i will get?

Have a great Easter.

[100bitcoin]

seems a good site...its easy and smooth with using but i cant find the deposit or withdrawl button on my whole account...is it a bug or it is not set till now?and i cannt find any market too?otherwise it is cool..

anyone can say me that how can i deposit funds in it

100bit.co.in does not require your fund to stay deposited in any site wallet. User just needs to deposit fund only when a trade is in progress. That is why, as a seller, you'll get a deposit address only when you start a trade with someone. As soon as the trade is over, i.e. you accept receiving FIAT/Alt coin from the buyer, your fund will be released and go to buyer's bitcoin address. So, in case of any security breach, you will remain unaffected unless you are doing trade exactly at that moment.

[amiryaqot]

I still waiting the payment, how much i will get for my reported bugs?

No bounty yet received !

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.

Ok, but the title say "Earn up to 0.1 BTC for finding bugs", i really want to know how much i will get for my reported bugs? and if i found more bugs how much more i will get?

Have a great Easter.

so how we will know about the bug that will get 0.10BTC bounty?
i also register there but did not get confirmation email from 2 hours of waiting?

[sbankerdemon]

I found an xss in your website and maybe an sqli too..... So are there already reported and you are in process of patching those or they are not reported???

Yes... we already have reports of the XSS and SQL injection problem. Still we would like to know which SQL injection problem you have found. You may post here or PM.

It seems, no one has found any problem in order execution so far. Would like to hear about testing report of that part...

By order execution I think you mean the order.php page??? If yes there is XSS in that page

http://www.100bit.co.in/order.php

Code:

POST params:  order_type=Buy&order_amt_in_btc=123"""><script>alert(12)</script>&order_amt_in_currency=aaa"""><script>alert(13)</script>&currency=aaa"""><script>alert(14)</script>&order_country=aaa"""><script>alert(15)</script>&order=Post+Order&order_payment_mode=aaa"""><script>alert(16)</script>

Here when you will POST this data you will see prompt "14", "15" and "16" which proves there is XSS in params => currency, order_country and order_payment_mode.





Please let me know do this qualify for bounty if its unreported vuln?