Bitcoin Forum
Topic: 1Broker.com - Vulnerability & bug bounty
exxe
Full Member
January 16, 2013, 10:39:56 PM
#21

Quote
On https://1broker.com/?c=about_privacy there are 7 occurrences of "Personal identification information." The conventional way to state this according to http://en.wikipedia.org/wiki/Personally_identifiable_information is in one of four ways:

Personally Identifiable Information
Personally Identifying Information
Personal Identifying Information
Personal Identifiable Information


Other sources for this nomenclature:
http://www.doncio.navy.mil/ContentView.aspx?id=2428
http://www.dol.gov/dol/ppii.htm#.UPZoVaG8HrE
http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf

Thanks for the research. Wanted to send 0.025 BTC, but bitcoind says this about your signature address:
Code:
<./bitcoind validateaddress 19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv
>{
>   "isvalid" : false
>}
53rv3r
Newbie
January 17, 2013, 12:35:23 AM
Last edit: January 17, 2013, 12:46:36 AM by 53rv3r
#22

Quote
Thanks for the research. Wanted to send 0.025 BTC, but bitcoind says this about your signature address:
Code:
<./bitcoind validateaddress 19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv
>{
>   "isvalid" : false
>}


hmm, 9 transactions have been successfully processed to this address: http://blockchain.info/address/19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv

edit: I think if you capitalize the last V it works:

19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsV


I don't know how that happened. Thank you, btw!
exxe
Full Member
January 17, 2013, 10:28:46 PM
#23

Quote
edit: I think if you capitalize the last V it works:
19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsV
Worked :)
53rv3r
Newbie
January 18, 2013, 04:01:03 AM
#24

Quote
Worked :)
TY!
QA
Newbie
January 21, 2013, 06:07:13 AM
#25

https://1broker.com/?c=contact
It says "bug- and feature requests send to:" with a '-' after 'bug'.


In Searching:
Not sure if it's a bug:
when searching for 'inc', there's a name "Nokia Oyj" at the bottom, with 0 bid and ask, and it doesn't show in any category.


In 'Open order':
(Chrome Version 24.0.1312.52)
1. It seems that leverage has a 1~15 range, as it keeps jumping to 15 if I input a larger number, but an input of 0.1 is allowed, which will jump to 1 when clicking -/+ again; it's confusing.

2. Not sure if desired: when right-clicking on the -/+ for leverage, the number auto-decreases/increases, and clicking again will stop it.

3. If I input any invalid characters in leverage, like '-' or '*', when there's an amount, the feedback says "In words: If the price of *** goes up by 1% you will win NaN BTC"; the NaN looks too JavaScript.


suggestion:
highlight the current one if selected:
Account Info
Access Log
Transaction Log
Account Settings
exxe
Full Member
January 22, 2013, 06:04:40 PM
#26

Sorry for the delayed answer.

Quote
https://1broker.com/?c=contact
It says "bug- and feature requests send to:" with a '-' after 'bug'.

In Searching:
Not sure if it's a bug:
when searching for 'inc', there's a name "Nokia Oyj" at the bottom, with 0 bid and ask, and it doesn't show in any category.
Good finds! Thanks!

Quote
1. It seems that leverage has a 1~15 range, as it keeps jumping to 15 if I input a larger number, but an input of 0.1 is allowed, which will jump to 1 when clicking -/+ again; it's confusing.
Intentional. The more auto corrections, the more annoying it can get when editing the value. You can see a list of the maximum leverages here: https://1broker.com/?c=cfds

Quote
2. Not sure if desired: when right-clicking on the -/+ for leverage, the number auto-decreases/increases, and clicking again will stop it.
In general a slider would be better here and will be implemented sometime.

Quote
3. If I input any invalid characters in leverage, like '-' or '*', when there's an amount, the feedback says "In words: If the price of *** goes up by 1% you will win NaN BTC"; the NaN looks too JavaScript.
Right.

Quote
suggestion:
highlight the current one if selected:
Account Info
Access Log
Transaction Log
Account Settings
Yeah this needs a redesign.

Sent you 0.125 BTC.
001sonkit
Hero Member
February 10, 2013, 11:42:15 AM
#27

Hi, glad I found this service, despite only holding a really tiny amount of coins.
Just a bit of a suggestion for your service.

1. Upon a transaction being sent, show the user that the transaction is confirming and the amount of it, just to let newcomers know things are happening behind the scenes.

2. Create a dashboard page; having data centralized is much easier to navigate.

3. An API, of course, which could grab the Bitcoin community's attention and increase your service's popularity.


Wish you good business.

exxe
Full Member
February 10, 2013, 09:34:27 PM
#28

Quote
1. Upon a transaction being sent, show the user that the transaction is confirming and the amount of it, just to let newcomers know things are happening behind the scenes.
Good suggestion. Added it to the TODO list.

Quote
2. Create a dashboard page; having data centralized is much easier to navigate.
I'll think about this.

Quote
3. An API, of course, which could grab the Bitcoin community's attention and increase your service's popularity.
It is on the long-term TODO list.

Quote
Wish you good business.
Thanks :)
whitenight639
Full Member
February 15, 2013, 03:25:30 AM
#29

https://1broker.com/?c=about_tos

Quote
Account Hack
If our system has/had no weaknesses which make a hack of a customer account possible we will not refund stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place.


This is bad grammar and doesn't make sense. Are you trying to say the following:


Quote
Account Hack
If our system has or is found to have weaknesses which make compromising customer account(s) possible we will not refund the stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place.

OR are you trying to say:

Quote
Account Hack
Our system has no known weaknesses which make a hack of a customer account possible, we will not refund stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place.



If it were me, I would word it totally differently though:


Quote
Account Security
We advise that you keep your login details secure and never reveal them or write them down. You use our service at your own risk and liability; every effort has been taken in ensuring your account is secure, and our servers and software are tested regularly. As such, should your account be compromised as a result of your negligence, we accept no liability and will not refund your account.


P.S. I can rewrite the rest of your legal pages if you like.

12j2DRmNAW9ZQRGbSFvZUT56PuGNRj1bW7

pinger
Legendary
February 15, 2013, 04:57:15 AM
#30

Nothing found apart from leet ports and Gangnam Style cookies :P

I'm not really skilled I guess
exxe
Full Member
February 15, 2013, 05:48:09 PM
#31

Quote
Nothing found apart from leet ports and Gangnam Style cookies :P

I'm not really skilled I guess
Good :P Thanks for trying!


Quote
If it were me, I would word it totally differently though:

Quote
Account Security
We advise that you keep your login details secure and never reveal them or write them down. You use our service at your own risk and liability; every effort has been taken in ensuring your account is secure, and our servers and software are tested regularly. As such, should your account be compromised as a result of your negligence, we accept no liability and will not refund your account.
Very good! Rewarded you with 0.075 BTC

In general our language quality is not what I expect it to be. Therefore, I'm now searching for a native English speaker who can help us rewrite some things, write "news" and help with language problems in general. Of course this person gets some BTC for his/her work.

If anyone is interested in doing this small job (<1h/week), convince me that you have the required language skills, especially with formal/marketing language. If more people want to do this, I will try to pick the best one in the next few days. Can I count you in, whitenight639?
whitenight639
Full Member
February 15, 2013, 08:44:53 PM
#32

Yes you can count me in, and thanks for the payment :-)
Tekkna
Member
April 09, 2013, 01:03:24 AM
Last edit: April 09, 2013, 01:57:40 AM by Tekkna
#33

I would also be interested in rewriting text (unless, of course, Whiteknight gets the position). I am a native English speaker, and used to do something similar for Japanese speakers in a language exchange (I help fix their English, they fix my Japanese).

I suppose for an example of my work you could see the amazon gift codes I'm selling in my signature.

NOTE: Some of these are probably not exactly worth a bounty, but still a good idea to change, I may post more after my account is verified.

Something I've noticed quite a bit recently is the lack of liquid layouts; my screen isn't that small, but I get some cut-off for some reason:




Quote
https://1broker.com/?c=about_fees
There are no hidden fees whatsoever. Everything we charge from you is listed on this page.
to
Quote
There are no hidden fees whatsoever, everything we charge is listed on this page
charge from you -> charge you
You use a lot of periods, when the sentence would be more fluid with commas.



Quote
We profit from the spread, the difference between the bid and ask price. This means you will usually start with a very small initial loss, when a new position is openend.
to
Quote
We profit from the spread, the difference between the bid and ask price. This means you will usually start with a very small loss, when a new position is opened.
openend -> opened
very small initial loss -> very small loss | Redundant



Quote
You can contact us via email:
support@1Broker.com

Administrative stuff, technical questions, bug and feature requests send to:
exxe@1Broker.com

You may not want to use "Administrative stuff"; "stuff" is informal (although some sites are going for a very informal approach in their documentation).



https://1broker.com/?c=faq
Quote
1Broker offers a service where you can trade for live market-prices
to
Quote
1Broker offers a service where you can trade for live market prices
No dash in market-prices



In the account sign up:
Quote
If you don't click on the confirmation link your account gets deleted in the next few days.
to
Quote
If you don't click on the confirmation link within 2 days, your account will be terminated.
More professional (includes time frame, more formal language)



When unverified:
Quote
Your account is currently blocked!
to
Quote
Your account has not been verified!


sega01
Sr. Member
April 09, 2013, 03:33:01 PM
#34

Not sure how serious this is, but it looks like your bitcoind is listening on port 8333 (default) for incoming Bitcoin-esque connections. It's said that it's much easier to double spend when someone connects directly to your node and another at the same time.

On my DNS tunnel service, I have the daemon set up like this, to only connect out: bitcoind -noupnp -par=1 -daemon -nolisten. Granted, I'm not quite sure how relevant this is for your environment. Not sure why you have portmapper open or port 41689, either.

Let me know what you think. Best of luck with the service!

Cheers,
Teran
Dron007
Newbie
April 10, 2013, 11:20:55 PM
#35

There is a Master Key on the registration form. Looking at the JavaScript code I can see that validation will fail if the key is exactly equal to 10000 or to 99999. But these values can be generated by the random generator. So the code should be changed to the following:

Code:
// inclusive range check: 10000 and 99999 are valid generated keys
if (!(document.getElementById("masterkey").value >= 10000 && document.getElementById("masterkey").value <= 99999)) {
    document.getElementById("error").innerHTML+="- Please generate a Master Key!<br>";
    ok = false;
}


instead of

Code:
// original exclusive check: rejects exactly the two endpoints 10000 and 99999
if (!(document.getElementById("masterkey").value > 10000 && document.getElementById("masterkey").value < 99999))
...

Remember remember the 5th of November
Legendary
April 10, 2013, 11:36:26 PM
#36

At OP,

Not really a big deal, but when I entered some invalid characters I got greeted by a blank page with a red box with an error message, but when done on this URL, the error message appears on top of the normal page, with no footer.

http://i.imgur.com/OFnkrKN.png
exxe
Full Member
April 11, 2013, 06:05:37 PM
#37

Quote
I would also be interested in rewriting text (unless, of course, Whiteknight gets the position). I am a native English speaker, and used to do something similar for Japanese speakers in a language exchange (I help fix their English, they fix my Japanese).

I suppose for an example of my work you could see the amazon gift codes I'm selling in my signature.

NOTE: Some of these are probably not exactly worth a bounty, but still a good idea to change, I may post more after my account is verified.

Something I've noticed quite a bit recently is the lack of liquid layouts; my screen isn't that small, but I get some cut-off for some reason:
[...]
Whiteknight already agreed to help, but I will keep you in mind in case I need advice from multiple people.
Concerning the cut offs: Can you tell me what your screen resolution is?

Thanks for the problems reported. These things will be fixed with the next update.

Sent 0.025 BTC to 1AKtor49AFFHF8kVH4SAgd23eTPVy91iDB


Quote
Not sure how serious this is, but it looks like your bitcoind is listening on port 8333 (default) for incoming Bitcoin-esque connections. It's said that it's much easier to double spend when someone connects directly to your node and another at the same time.

On my DNS tunnel service, I have the daemon set up like this, to only connect out: bitcoind -noupnp -par=1 -daemon -nolisten. Granted, I'm not quite sure how relevant this is for your environment. Not sure why you have portmapper open or port 41689, either.

Let me know what you think. Best of luck with the service!

Since we do not accept 0-conf transactions, there should be no big problems with double spending.
The open portmapper port is indeed strange, and I've contacted support, who told me that this was part of their default configuration upon server setup.
Nevertheless, the port is now closed.


Quote
There is a Master Key on the registration form. Looking at the JavaScript code I can see that validation will fail if the key is exactly equal to 10000 or to 99999. But these values can be generated by the random generator. So the code should be changed to the following:
Will be fixed in the next update. Since this statistically only causes a small bug in every 4500th registration, I hope you are okay if I don't pay a reward for this. :P


Quote
At OP,

Not really a big deal, but when I entered some invalid characters I got greeted by a blank page with a red box with an error message, but when done on this URL, the error message appears on top of the normal page, with no footer.

http://i.imgur.com/OFnkrKN.png

This is known and a result of our code structure and error handling. Since a "normal" user won't see such things, there is no need to fix this, imho.



Thank you all!
Tekkna
Member
April 11, 2013, 07:17:27 PM
#38

Quote
Whiteknight already agreed to help, but I will keep you in mind in case I need advice from multiple people.
Concerning the cut offs: Can you tell me what your screen resolution is?


1024x768 is my monitor resolution (I think that's really skinny for monitors, but still, it would prepare you for mobile users).

Received payment from exxe successfully :)

Thank you, I am willing to provide any help you need.

Also, were my scans correct in guessing that you are using >Postgre 8 on an nginx server?

exxe
Full Member
April 11, 2013, 08:06:05 PM
#39

Quote
1024x768 is my monitor resolution (I think that's really skinny for monitors, but still, it would prepare you for mobile users).

Received payment from exxe successfully :)

Thank you, I am willing to provide any help you need.

Also, were my scans correct in guessing that you are using >Postgre 8 on an nginx server?
Okay, maybe I will look into the resolution problem, but don't expect too much. A mobile app is on the TODO list anyway.

Nginx is easy to see (https://1broker.com/404), but the PostgreSQL guess is wrong. :D
Tekkna
Member
April 11, 2013, 08:23:06 PM
#40

Yeah, I didn't put too much stock in the scan, but worth a guess I suppose :)

It's not a killer bug, and everything functions properly still, just slightly annoying.
