exxe (OP)
|
|
January 10, 2013, 08:19:26 PM Last edit: April 10, 2013, 08:07:27 PM by exxe |
|
1Broker.com is running for more than 2 months now and it's amazing to look into the access logs. Nearly every day someone tries his/her luck by finding SQL injections, vulnerable services, the admin panel ... Obviously the more people try the better, so I decided to give rewards even if someone only finds partial SQL injections, harmless XSS problems, endless loops, browser specific bugs ... It is hard to specify what is a bug, but everything what is unknown and surprises me will be rewarded. This gives you an overview of how much you can expect: 0.025 BTC Embarrassing language mistakes and typos 0.1 BTC Unknown unexpected behavior (e.g. endless loops, links to 404 pages, UI issues ...)0.1 BTC Harmless XSS problems 0.5 BTC CSRF and XSS problems 3 BTC Critical CSRF and XSS problems (e.g. possibility of session stealing)5 BTC Partial (blind) SQL injection which does nothing5 BTC Manipulating parts of the DB (e.g. close a position which is owned by another user)10 BTC Bypassing the Master Key system, creating negative balances and other logical bugs of this category10 BTC RFI/LFI bugs20 BTC Full access to the Database20 BTC Stealing coins from the hot wallet.40 BTC Full root access to the server Edit (April, 10th): Due to the extreme BTC/USD volatility in the last weeks we will dynamically determine the reward for a reported problem.Rules: - No (D)DoS
- Problems have to be unknown (e.g. "Master Key system sucks" is not a bug)
- Security related bugs have to be reported privately
- Once a bug is abused you won't get a reward anymore
- UI issues have to apply for at least 2% of the users (IE 6 problems are ignored)
This is good chance for all talented hackers to earn money without breaking the law or moral principles. Have fun, exxe
|
|
|
|
|
|
|
|
No Gods or Kings. Only Bitcoin
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
Bitsky
|
|
January 10, 2013, 11:34:56 PM |
|
https://1broker.com/?c=about_tosIn my opinion, "withdrawal requests" sounds better than "withdraw requests". https://1broker.com/?c=about_securityThe left picture has no thumbnail; it's only resized via height/width in html, meaning the preview is a 355kB download. "No externaly resources are loaded when logged in" I haven't created an account, so I cannot check, but are the Godaddy seal and Twitter/FB/G+/Google-Analytics removed after login? https://1broker.com/Actually, I assumed the ticker would refresh via ajax now and then. Sticking CSS/JS into separate files (and selective caching) would reduce the pagesize what increases loading speed and reduces traffic. It would also be nice if the info boxes close when clicking anywhere on the page and not only on "OK" Clicking on "Login" without any values filled in drops the user to an error page which looks like a leftover from the devs (also, that html isn't valid at all) The site doesn't validate as html5. Cosmectic maybe, but personally I'm picky about such things.
|
|
|
|
exxe (OP)
|
|
January 11, 2013, 01:31:19 AM |
|
Hit! 0.025 Not a bug, but thanks. "No externaly resources are loaded when logged in" I haven't created an account, so I cannot check, but are the Godaddy seal and Twitter/FB/G+/Google-Analytics removed after login?
The godaddy seal is a local gif and yes! Actually, I assumed the ticker would refresh via ajax now and then.
Sticking CSS/JS into separate files (and selective caching) would reduce the pagesize what increases loading speed and reduces traffic.
It would also be nice if the info boxes close when clicking anywhere on the page and not only on "OK"
Clicking on "Login" without any values filled in drops the user to an error page which looks like a leftover from the devs (also, that html isn't valid at all)
The site doesn't validate as html5. Cosmectic maybe, but personally I'm picky about such things.
Yeah these things are not perfect but I wouldn't call them bugs. Anyway, your post was really useful. Thanks! Rewarded you with: 0.125 BTC
|
|
|
|
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1226
Away on an extended break
|
|
January 11, 2013, 12:49:14 PM |
|
Well, the last two rewards do not seem really substantial enough for what they're worth. What makes you think a hacker finding that kind of exploit would not try to empty your wallets and/or more malicious actions? That said, there's still some minor wording errors here and there: https://1broker.com/?c=faqOn weekends and on holidays currently all markets, except BTC/USD, are closed. All markets are closed on weekends and holidays except BTC/USD. https://1broker.com/?c=about_securityInstantly after creation all private keys of these addresses are gpg (CAST-128) encrypted with a long cipher and backed up at several highly secured locations. GPG should be caps in this case. A comma between creation and all would be appropriate too. No external resources are loaded when logged in. External. Also, a subject here would improve the sentence; i.e.: when users are logged in. Every user can look into a detailed access log of the account. Every user can look into a detailed access log of their accounts. Session cookies are protected from XSS attacks and are only sent with enabled TLS connection. With an enabled TLS connection, or through a TLS connection. HSTS prevents users from man-in-the-middle attacks. Protects. https://1broker.com/?c=about_privacy...Non-personal identification information may include the browser name, the type of computer and technical information about Users means of connection to our Site,.. the User's. 1Broker may collect and use Users personal information for the following purposes: the User's. https://1broker.com/?c=about_tos If necessary, 1Broker is completely sold and the amount of purchase is divided and payed out to our customers. If necessary, 1Broker will be completely sold, and the proceeds divided and paid out to our customers. If a customer lost high amounts during an unscheduled outage he can contact us and we will try to find a solution for both parties. Loses. Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above.
|
|
|
|
exxe (OP)
|
|
January 11, 2013, 01:38:35 PM |
|
Well, the last two rewards do not seem really substantial enough for what they're worth. What makes you think a hacker finding that kind of exploit would not try to empty your wallets and/or more malicious actions?
I'm still hoping that there are good people in this world. 1Broker may collect and use Users personal information for the following purposes: the User's. Isn't this correct: Users' Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above.
Thanks! Sent you: 0.225 BTC
|
|
|
|
wachtwoord
Legendary
Offline
Activity: 2324
Merit: 1125
|
|
January 11, 2013, 01:43:02 PM |
|
1Broker may collect and use Users personal information for the following purposes: the User's. Isn't this correct: Users' Users' is for the pleural and User's is for the singular form. The users' is short for: "the user s his" The user's is short for: "the user his" So you are correct users' is correct here (the personal information of the users)
|
|
|
|
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1226
Away on an extended break
|
|
January 11, 2013, 01:51:10 PM |
|
... 1Broker may collect and use Users personal information for the following purposes: the User's. Isn't this correct: Users' Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above.
Thanks! Sent you: 0.225 BTCThanks! Yep, it's Users'. Typo here. You're missing the apostrophe though. https://1broker.com/?c=about_securityAddresses of offline storage only store small amounts to avoid attack scenarios while importing them back to the server wallet. A rewording should go like this: Offline storage addresses only hold small amounts to avoid potential attacks when imported back to the server wallet. However. this is still quite vague, and implies that offline addresses only store small amounts when in fact you're storing nearly all of your customers' in offline generated Bitcoin addresses. Consider changing this sentence. I'll make an account and play with it later.
|
|
|
|
exxe (OP)
|
|
January 11, 2013, 05:21:16 PM |
|
https://1broker.com/?c=about_securityAddresses of offline storage only store small amounts to avoid attack scenarios while importing them back to the server wallet. A rewording should go like this: Offline storage addresses only hold small amounts to avoid potential attacks when imported back to the server wallet. However. this is still quite vague, and implies that offline addresses only store small amounts when in fact you're storing nearly all of your customers' in offline generated Bitcoin addresses. Consider changing this sentence. Another 0.025 sent, but this is obsolete anyway. Creating offline raw transactions is the better way of doing this, so I'll remove this.
|
|
|
|
exxe (OP)
|
|
January 11, 2013, 05:28:33 PM |
|
Unknown unexpected behavior (e.g. endless loops, links to 404 pages, UI issues ...)
I have created account using the same nickname as here - subSTRATA - but I ended up with nickname substrata. This is known. Usernames are intentionally converted to lowercase during signup. You can still log in with "subSTRATA" however.
|
|
|
|
flatfly
Legendary
Offline
Activity: 1078
Merit: 1016
760930
|
|
January 11, 2013, 08:07:32 PM |
|
Hi,
I've created an account to try the platform out... a couple of things already:
- at registration, email addresses with a plus sign (such as johndoe+1@gmail.com) are not recognized, while perfectly valid.
- also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"...
- when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English. Either "You do not have enough funds" or just "Not enough funds!"
Cheers
|
|
|
|
exxe (OP)
|
|
January 11, 2013, 09:21:12 PM |
|
- at registration, email addresses with a plus sign (such as johndoe+1@gmail.com) are not recognized, while perfectly valid.
Thanks & fixed - also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"...
Known problem. The message system needs improvements (sometimes). - when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English. Either "You do not have enough funds" or just "Not enough funds!"
Fixed. Rewarded you with 0.1 BTC
|
|
|
|
flatfly
Legendary
Offline
Activity: 1078
Merit: 1016
760930
|
|
January 12, 2013, 09:40:11 AM |
|
- at registration, email addresses with a plus sign (such as johndoe+1@gmail.com) are not recognized, while perfectly valid.
Thanks & fixed - also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"...
Known problem. The message system needs improvements (sometimes). - when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English. Either "You do not have enough funds" or just "Not enough funds!"
Fixed. Rewarded you with 0.1 BTCThanks! Website seems to be down right now, are you aware of this?
|
|
|
|
fghj
Member
Offline
Activity: 65
Merit: 10
|
|
January 12, 2013, 12:47:50 PM |
|
I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I.
|
|
|
|
exxe (OP)
|
|
January 12, 2013, 01:57:01 PM |
|
Autocomplete attribute is not disabled in HTML form / input element containing password type input. Passwords may be stored in browsers and retrieved.
<FORM AUTOCOMPLETE = "off"> or <INPUT ... AUTOCOMPLETE = "off">
Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate and private.
This is intentional. I don't want to overrule users here. Some people want to handle their passwords with Lastpass or a Firefox master password. (including myself) The autocomplete=off is really annoying sometimes. (However, Master Key inputs have the autocomplete=off parameter of course) 0.1 BTC for the private attribute in Cache control of images (very few attack possibilities, if any) You want it to your 1Broker account or to a specific Bitcoin address? I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I. Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible) Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to better font of course. (And I need your Bitcoin address too)
|
|
|
|
fghj
Member
Offline
Activity: 65
Merit: 10
|
|
January 12, 2013, 03:24:23 PM |
|
I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I. Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible) Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to better font of course. (And I need your Bitcoin address too) I still can't see the difference. Sorry. 1AWHB4h1ZprDZpBkALPxEuPtvaZRwzrG5D That would be embarrassing if OCR couldn't read it too, and someone had to manually process this backup.
|
|
|
|
exxe (OP)
|
|
January 12, 2013, 03:49:25 PM |
|
Autocomplete attribute is not disabled in HTML form / input element containing password type input. Passwords may be stored in browsers and retrieved.
<FORM AUTOCOMPLETE = "off"> or <INPUT ... AUTOCOMPLETE = "off">
Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate and private.
This is intentional. I don't want to overrule users here. Some people want to handle their passwords with Lastpass or a Firefox master password. (including myself) The autocomplete=off is really annoying sometimes. (However, Master Key inputs have the autocomplete=off parameter of course) 0.1 BTC for the private attribute in Cache control of images (very few attack possibilities, if any) You want it to your 1Broker account or to a specific Bitcoin address? 1Broker account please, I'm currious how long will it take me to lose everything due to my (stock)exchange bad luck. BTW, fees page could be more clear - 0.00 BTC does not neccessarly equal "no BTC will be taken". 8 decimal places would remove doubt. Done. Good luck Fees page updated. I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0? I saw oO0 and l but no I. Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible) Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to better font of course. (And I need your Bitcoin address too) I still can't see the difference. Sorry. 1AWHB4h1ZprDZpBkALPxEuPtvaZRwzrG5D That would be embarrassing if OCR couldn't read it too, and someone had to manually process this backup. Turned out it is Calibri: http://prntscr.com/oxmtz Yeah manual processing would be horrible, but backups are also stored on USB sticks. Thanks and 0.1 sent!
|
|
|
|
exxe (OP)
|
|
January 12, 2013, 11:04:52 PM |
|
Balance shown on right side should be accurate to 8 digits. I just tried to ForEx a little with BTC/USD, clicked on "Short", copy pasted balance value shown - 0.0976 - to "Amount/Margin" field, clicked on "Open Order" and ended surprised with "Insufficient funds!" message. It took me a while to find out I actualy have less than 0.0976 BTC! https://i.imgur.com/NSyR6.pngKnown problem. Full precision is not shown everywhere, because it wouldn't look good. However, I changed it to Math.floor() instead of Math.round() => you won't see that problem again. Additionally, now it also shows a full precision tooltip onmouseover.
|
|
|
|
exxe (OP)
|
|
January 13, 2013, 05:05:48 PM |
|
I closed position at BTC/USD, got 0.09603989 BTC, placed all on "Short" with leverage at 5 and immidiately lost 0.0028 BTC (-2.95%). I haven't noticed any price change inbetween moment of closing and opening position. What I am missing there? Every CFD has a Bid and an Ask price. If you open a short position you sell for the bid price. The -2.95% shows what you would get if you close the position (buy it back for the ask price). The bid is always lower than the ask price price so everytime a position is opened you start with a small loss. (... and higher leverages result in a greater initial loss of course) This is called the spread which exists in all financial markets around the world.
|
|
|
|
|
marketersales
Member
Offline
Activity: 112
Merit: 10
|
|
January 16, 2013, 08:59:33 AM |
|
Anyone confirms this is legit?
|
|
|
|
|