Bitcoin Forum
Pages: 1 2 [3] 4 5 6  All
Author Topic: PicoStocks, bitcoin stock exchange  (Read 14118 times)
tytus (Sr. Member, Activity: 272)
May 26, 2013, 10:39:21 PM  #41

Hi,

Quote:
Is there an API to be able to access basic price data from the assets? Or any plans to implement one?

Not yet :-( the transaction fee is too high for high frequency trading and API access would increase load on the service. We will maybe think about this when we increase liquidity and throughput.

PicoStocks.com, High-tech startup fundraising, evaluation and profit sharing
kaerf (Hero Member, Activity: 588)
May 27, 2013, 09:07:58 AM  #42

I see that you recognize the trading fee is a bit high...as well as poor liquidity. Any reason for keeping the trading fee @ 1%?
tytus (Sr. Member, Activity: 272)
May 27, 2013, 09:15:56 AM  #43

Quote from: kaerf
I see that you recognize the trading fee is a bit high...as well as poor liquidity. Any reason for keeping the trading fee @ 1%?

We would like to encourage long term investments. We want to focus on small startups not on high trading volume assets like BTC/USD.

tytus (Sr. Member, Activity: 272)
June 10, 2013, 05:13:53 PM  #44

PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

kaerf (Hero Member, Activity: 588)
June 10, 2013, 05:27:01 PM  #45

wow. was there actually that much liquidity or did the victim have a lot of coin in his account?

it's somewhat disconcerting seeing coin from my deposit address being transferred out to the hacker's account. can you confirm that this was solely a user's password that was compromised and the server(s) themselves were not compromised (there may be indications of attack in the logs).
fently (Jr. Member, Activity: 59)
June 10, 2013, 05:39:28 PM  #46

would appreciate 2FA
ZoladkowaGorzka (Full Member, Activity: 134)
June 10, 2013, 08:25:46 PM  #47

Strange?
Shareholder's password got compromised and you graciously refund the loss. Why is that?
Was the password compromised through your fault? That's a great deal of money.

tytus (Sr. Member, Activity: 272)
June 10, 2013, 08:35:45 PM  #48

Quote from: ZoladkowaGorzka
Strange?
Shareholder's password got compromised and you graciously refund the loss. Why is that?
Was the password compromised through your fault? That's a great deal of money.

We will refund the loss because we are operating the account for some of our bigger customers that don't know much about bitcoins and we had the same password on a few accounts, which was just extremely stupid. This is clearly our fault. The system seems fine. This is clearly a human error.
We will now try to find out how the intruder discovered the passwords.

tytus (Sr. Member, Activity: 272)
June 10, 2013, 08:40:56 PM  #49

Quote from: kaerf
wow. was there actually that much liquidity or did the victim have a lot of coin in his account?

it's somewhat disconcerting seeing coin from my deposit address being transferred out to the hacker's account. can you confirm that this was solely a user's password that was compromised and the server(s) themselves were not compromised (there may be indications of attack in the logs).

Your deposit address is there because these are the funds that went to the hot wallet.

mrb (Hero Member, Activity: 1008)
June 10, 2013, 08:42:19 PM  #50

Quote from: tytus
PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

tytus (Sr. Member, Activity: 272)
June 10, 2013, 08:45:51 PM  #51

Quote from: mrb
  Quote from: tytus
  PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
  We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

  A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

He/She obtained access to 2 accounts that had the same password. One had shares of proph and the other had funds. He bought shares of "proph" for nothing [sold from the first stolen account] and sold it to the account that had BTC. The transfer was from his account.

murfshake (Member, Activity: 82)
June 10, 2013, 09:30:28 PM  #52

$145k heist with no repercussions.  Amazing and sad world we live in.
poolbath1 (Member, Activity: 108)
June 10, 2013, 11:18:03 PM  #53

Quote from: fently
would appreciate 2FA

+1

1PooLB5SkfpS39zhht3mhdAuYyUXsz8Bdd
MPOE-PR (Hero Member, Activity: 756)
June 10, 2013, 11:18:31 PM  #54

Quote from: mrb
  Quote from: tytus
  PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
  We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

  A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

The plot thickens.

Looking forward to seeing which will be the third completely imaginary, multi-million dollar mining "investment" this guy makes, after having lost that much on bASIC and seeing how BitFury isn't going to be delivering (or at least, not on the originally promised schedule).

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
tytus (Sr. Member, Activity: 272)
June 11, 2013, 12:16:19 AM  #55

We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
this does not work properly as Recipe->id is overwritten by data;
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.

kaerf (Hero Member, Activity: 588)
June 11, 2013, 01:53:25 AM  #56

Quote from: tytus
We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
this does not work properly as Recipe->id is overwritten by data;
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.

ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?

this bit of code:
$this->Recipe->save($this->request->data);

looks awfully scary...if it happens in one place, it's likely to happen in other parts of the code. i'm not an expert with cake, but i do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
tytus (Sr. Member, Activity: 272)
June 11, 2013, 06:45:38 AM  #57

Quote from: kaerf
ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?

In this place only the password, but after that other things as well except the btc accounts.

Quote from: kaerf
this bit of code:
$this->Recipe->save($this->request->data);

looks awfully scary

Quote from: kaerf
...if it happens in one place, it's likely to happen in other parts of the code.

Yes

Quote from: kaerf
...if it happens in one place, it's likely to happen in other parts of the code.

We have reviewed the whole code. This was the only place where this construct was used.

Quote from: kaerf
i'm not an expert with cake, but i do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.

The code was like this:
$this->User->id=$this->Auth->user('id');
if ($this->User->save($this->data,array('fieldList'=>array('pass','pass2')))) ...
Only 2 elements should be saved, but apparently data[User][id] overwrites User->id.
We try to limit application of 3rd party software to a minimum.

We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.
Modifications will freeze the account for some period of time so that the user can react.
The admin will be also notified of strange trading orders.

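Added example (not PicoStocks' or CakePHP's own code) reproducing in plain PHP the failure mode tytus describes in #55 and #57, with a hardened handler beside it. Everything here is constructed: ToyUserModel is a stand-in whose save() assumes, as the thread reports, that data['User']['id'] overrides a previously set model id even when a fieldList is passed, and the rows and request array are made-up sample data.

```php
<?php
// Added example, not PicoStocks or CakePHP code: ToyUserModel only emulates the
// save() behaviour the thread describes (data['User']['id'] wins over $this->id).
class ToyUserModel {
    public $id = null;
    public $rows;   // constructed in-memory table: id => fields
    public function __construct(array $rows) { $this->rows = $rows; }
    public function save(array $data, array $options = []) {
        $record = $data['User'] ?? [];
        if (isset($record['id'])) {
            $this->id = (int) $record['id'];   // the overwrite from the thread
        }
        $fields = $options['fieldList'] ?? array_keys($record);
        foreach ($fields as $f) {              // fieldList limits columns, not the row
            if (array_key_exists($f, $record)) {
                $this->rows[$this->id][$f] = $record[$f];
            }
        }
        return true;
    }
}
// Pattern from post #57: the whole request array is handed to save().
function changePasswordVulnerable(ToyUserModel $user, int $authId, array $req) {
    $user->id = $authId;
    return $user->save($req, ['fieldList' => ['pass', 'pass2']]);
}

// Hardened: rebuild the record from the two expected fields only, take the id
// from the session, and verify afterwards that the row written is still our own.
function changePasswordHardened(ToyUserModel $user, int $authId, array $req) {
    $pass  = $req['User']['pass']  ?? '';
    $pass2 = $req['User']['pass2'] ?? '';
    if ($pass === '' || $pass !== $pass2) {
        return false;
    }
    $user->id = $authId;
    $ok = $user->save(['User' => ['pass' => $pass, 'pass2' => $pass2]],
                      ['fieldList' => ['pass', 'pass2']]);
    return $ok && $user->id === $authId;
}

// Constructed data: logged-in user 7 submits a foreign id (42) with a new password.
$rows = [7 => ['pass' => 'mine'], 42 => ['pass' => 'victim-secret']];
$req  = ['User' => ['id' => '42', 'pass' => 'owned', 'pass2' => 'owned']];
$m = new ToyUserModel($rows);
changePasswordVulnerable($m, 7, $req);
echo "vulnerable: user 42 pass is now " . $m->rows[42]['pass'] . "\n";
$m = new ToyUserModel($rows);
changePasswordHardened($m, 7, $req);
echo "hardened:   user 42 pass is still " . $m->rows[42]['pass'] . "\n";
```

The fix generalizes beyond CakePHP: the record id comes from the session, never from the request, and only whitelisted fields reach any "automagic" persistence call.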
MPOE-PR (Hero Member, Activity: 756)
June 11, 2013, 12:19:59 PM  #58

Quote from: kaerf
wow. was there actually that much liquidity?

Nope, not even close. Tytus just likes to tell stories about imaginary bazillions.

bitfitted (Newbie, Activity: 26)
June 11, 2013, 03:52:28 PM  #59

Quote from: tytus
We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.

Consider also sending confirmation links for doing these things via e-mail / SMS.

CoinLenders - earn interest, get loans (http://coinlenders.com)   ☕ Free bitcoins chatting - CoinChat (http://coinchat.org) ⚠ Ripple is a scam (http://ripplescam.org)
1 BTC raffle - free to enter! (https://bitcointalk.org/index.php?topic=198947.0) - 14kBiDJNnVeNL89EwXctiaLcTs2PGk8RMk
tytus (Sr. Member, Activity: 272)
June 11, 2013, 08:43:08 PM  #60

Quote from: bitfitted
  Quote from: tytus
  We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.

  Consider also sending confirmation links for doing these things via e-mail / SMS.

Yes. We will add mandatory email confirmation and probably withdrawal confirmations, but confirming each trade by email is not convenient.
The page is up again. Proteon assets are restored.
I will continue adding security / notifications tomorrow.

Sorry for the inconvenience !!!
