Bitcoin Forum
Author Topic: PicoStocks, bitcoin stock exchange  (Read 28384 times)
kaerf (Hero Member, Activity: 631, Merit: 500)
May 27, 2013, 09:07:58 AM  #41

I see that you recognize the trading fee is a bit high...as well as poor liquidity. Any reason for keeping the trading fee @ 1%?
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
May 27, 2013, 09:15:56 AM  #42

> I see that you recognize the trading fee is a bit high...as well as poor liquidity. Any reason for keeping the trading fee @ 1%?
We would like to encourage long term investments. We want to focus on small startups not on high trading volume assets like BTC/USD.
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 10, 2013, 05:13:53 PM  #43

PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.
kaerf (Hero Member, Activity: 631, Merit: 500)
June 10, 2013, 05:27:01 PM  #44

wow. was there actually that much liquidity or did the victim have a lot of coin in his account?

it's somewhat disconcerting seeing coin from my deposit address being transferred out to the hacker's account. can you confirm that this was solely a user's password that was compromised and the server(s) themselves were not compromised (there may be indications of attack in the logs).
fently (Member, Activity: 66, Merit: 10)
June 10, 2013, 05:39:28 PM  #45

would appreciate 2FA
ZoladkowaGorzka (Full Member, Activity: 149, Merit: 100)
June 10, 2013, 08:25:46 PM  #46

Strange?
Shareholder's password got compromised and you graciously refund the loss. Why is that?
Was the password compromised on your fault? That's a great deal of money

tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 10, 2013, 08:35:45 PM  #47

> Strange?
> Shareholder's password got compromised and you graciously refund the loss. Why is that?
> Was the password compromised on your fault? That's a great deal of money

We will refund the loss because we are operating the account for some of our bigger customers that don't know much about bitcoins and we had the same password on a few accounts, which was just extremely stupid. This is clearly our fault. The system seems fine. This is clearly a human error.
We will now try to find out how the intruder discovered the passwords.
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 10, 2013, 08:40:56 PM  #48

> wow. was there actually that much liquidity or did the victim have a lot of coin in his account?
>
> it's somewhat disconcerting seeing coin from my deposit address being transferred out to the hacker's account. can you confirm that this was solely a user's password that was compromised and the server(s) themselves were not compromised (there may be indications of attack in the logs).

Your deposit address is there because these are the funds that went to the hot wallet.
mrb (Legendary, Activity: 1512, Merit: 1027)
June 10, 2013, 08:42:19 PM  #49

> PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
> We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 10, 2013, 08:45:51 PM  #50

>> PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
>> We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.
>
> A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

He/She obtained access to 2 accounts that had the same password. One had shares of proph and the other had funds. He bought shares of "proph" for nothing [sold from the first stolen account] and sold it to the account that had BTC. The transfer was from his account.
murfshake (Member, Activity: 84, Merit: 10)
June 10, 2013, 09:30:28 PM  #51

$145k heist with no repercussions.  Amazing and sad world we live in.
MPOE-PR (Hero Member, Activity: 756, Merit: 522)
June 10, 2013, 11:18:31 PM  #52

>> PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
>> We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.
>
> A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

The plot thickens.

Looking forward to seeing which will be the third completely imaginary, multi-million dollar mining "investment" this guy makes, after having lost that much on bASIC and seeing how BitFury isn't going to be delivering (or at least, not on the originally promised schedule).

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 11, 2013, 12:16:19 AM  #53

We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
this does not work properly as Recipe->id is overwritten by data;
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.
kaerf (Hero Member, Activity: 631, Merit: 500)
June 11, 2013, 01:53:25 AM  #54

> We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
> ... // Update: id is set to a numerical value
> $this->Recipe->id = 2;
> $this->Recipe->save($this->request->data);
> ...
> this does not work properly as Recipe->id is overwritten by data;
> The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
> The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.
>
> Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.

ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?

this bit of code:
$this->Recipe->save($this->request->data);

looks awfully scary...if it happens in one place, it's likely to happen in other parts of the code. i'm not an expert with cake, but i do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 11, 2013, 06:45:38 AM (last edit: June 11, 2013, 06:55:46 AM by tytus)  #55

> ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?

In this place only the password, but after that other things as well except the btc accounts.

> this bit of code:
> $this->Recipe->save($this->request->data);
>
> looks awfully scary
> ...if it happens in one place, it's likely to happen in other parts of the code.

Yes

> ...if it happens in one place, it's likely to happen in other parts of the code.

We have reviewed the whole code. This was the only place where this construct was used.

> i'm not an expert with cake, but i do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.

The code was like this:
$this->User->id=$this->Auth->user('id');
if ($this->User->save($this->data,array('fieldList'=>array('pass','pass2')))) ...
Only 2 elements should be saved, but apparently data[User][id] overwrites User->id.
We try to limit application of 3rd party software to a minimum.

We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.
Modifications will freeze the account for some period of time so that the user can react.
The admin will be also notified of strange trading orders.
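To make the failure mode in #54 and #55 concrete, here is a constructed Python stand-in (added for this edit, not PicoStocks or CakePHP code) that models the reported save() semantics: the posted User.id replaces the id set from the session, while fieldList only narrows the columns written. The hardened save drops the primary key from request data, whitelists fields, writes only the session's own record, and flags any request naming a foreign id, which is also the signal worth logging and alerting on. Table contents, user ids and function names are assumptions.

```python
"""Constructed stand-in for the CakePHP 1.2 Model::save() behaviour reported
in the thread (not CakePHP code). Shows why data['User']['id'] overrides the
id set from the session, and a save that pins the record to the session."""
import copy

# Constructed user table: id -> row (a dict stands in for the DB table)
USERS = {
    1: {"id": 1, "name": "victim", "pass": "old-secret"},
    7: {"id": 7, "name": "attacker", "pass": "attacker-pw"},
}

def fresh_table():
    """Independent copy of the constructed table for each scenario."""
    return copy.deepcopy(USERS)

def vulnerable_save(session_uid, data, field_list, table):
    """Mimics the reported semantics: the primary key inside the posted data
    replaces the id set beforehand, and field_list only limits which columns
    are written, not which record is chosen."""
    record_id = session_uid                      # $this->User->id = Auth id
    posted = data.get("User", {})
    if "id" in posted:                           # the defect: untrusted id wins
        record_id = int(posted["id"])
    table[record_id].update({f: posted[f] for f in field_list if f in posted})
    return record_id

def hardened_save(session_uid, data, field_list, table):
    """Strip the primary key from untrusted input, copy only whitelisted
    fields, and write the session's own record. Returns (record_id, flagged);
    flagged marks a request that tried to name a different record."""
    posted = dict(data.get("User", {}))
    flagged = "id" in posted and int(posted["id"]) != session_uid
    posted.pop("id", None)                       # request never picks the row
    table[session_uid].update({f: posted[f] for f in field_list if f in posted})
    return session_uid, flagged

def run_scenario():
    """Attacker (uid 7) posts a password change that names the victim's id."""
    forged = {"User": {"id": 1, "pass": "pwned", "pass2": "pwned"}}
    weak = fresh_table()
    vulnerable_save(7, forged, ("pass",), weak)
    strong = fresh_table()
    _, flagged = hardened_save(7, forged, ("pass",), strong)
    return weak[1]["pass"], strong[1]["pass"], strong[7]["pass"], flagged

if __name__ == "__main__":
    print(run_scenario())
```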
MPOE-PR (Hero Member, Activity: 756, Merit: 522)
June 11, 2013, 12:19:59 PM  #56

> wow. was there actually that much liquidity?

Nope, not even close. Tytus just likes to tell stories about imaginary bazillions.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
bitfitted (Newbie, Activity: 26, Merit: 0)
June 11, 2013, 03:52:28 PM  #57

> We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.

Consider also sending confirmation links for doing these things via e-mail / SMS.
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 11, 2013, 08:43:08 PM  #58

>> We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.
>
> Consider also sending confirmation links for doing these things via e-mail / SMS.

Yes. We will add mandatory email confirmation and probably withdraw confirmations but confirming each trade by email is not convenient.
The page is up again. Proteon assets are restored.
I will continue adding security / notifications tomorrow.

Sorry for the inconvenience !!!
kaerf (Hero Member, Activity: 631, Merit: 500)
June 13, 2013, 04:34:59 AM  #59

i think there is a slight bug with the login. i've had to login twice the last few times i've accessed the site.
tytus (OP) (Sr. Member, Activity: 250, Merit: 250)
June 13, 2013, 02:20:20 PM  #60

Yes, if you click on the login info before redirection something strange happens and the session is lost. I will look at this today or tomorrow. I am too busy with the 100th chips order to move forward with the server as fast as I wanted :-(