Answer to Poloniex reddit post:
https://www.reddit.com/r/CryptoCurrency/comments/57q9gf/poloniex_is_secure_were_good/

-- Anyone who is familiar with web services should know that multithreading, in and by itself, is not a vulnerability. In fact, it is necessary when processing more than one request at any given time. Our trading engine processes 200-300 transactions per second, and that's on a slow day.

You're totally off the mark. I never said multithreading is a vulnerability, nor GET requests. It's the way you use them which is a vulnerability. It becomes one when multiple threads can share the same resources at the same time.
-- For those who may be concerned with us using GET in any context: We agree that POST is best practice, and we currently use POST for sensitive information. We have plans to move more requests to POST, but in the meantime, it’s worth noting that GET is not inherently insecure and POST is not inherently secure. What matters much more is how each is used.
I wonder how you can say that after what I wrote in my reports. I reported to you that every GET request you made was easily shared via the moderator clickable link. This wouldn't be possible using POST requests. Same for the Open URL vulnerability. So YES, you're using GET requests in the bad way, and if you can't see that, I only feel more worried.

-- This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes.

As I wrote, I'm not a professional pentester. I feel the need to test my payloads before reporting them, because I'm never sure they will work. I posted exactly 3 messages using the moderator client-side privilege. I wonder where you see in my article that I made a false report! Quoting me:

"Taking this username will grant me moderation client privilege, which includes: having my name in blue and the ability to share clickable links." This is exactly what it did, and I specified that it was moderation client privilege only.

If you think I wrote as a moderator just to be spectacular, remember that I only posted 3 messages, and then directly reported the vulnerability as suggested by the moderators.
-- Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question: what is his objective?

And this is your principal mistake. Because I didn't hide myself, and I still don't. Some research on any search engine could easily lead you to my identity. Moreover, I would like to remind you that I shared my personal identity with the support.

I would be very interested in knowing which company did a security audit of your website.

Btw, I'm still waiting for your answer to ticket #66023. Pending for 29 days now. Tic tac tic tac...

-- but if your story is a mash-up of half-truths and inaccuracies, what are you really after?