Bitcoin Forum
November 08, 2024, 07:45:28 AM
Topic: Poloniex security review  (Read 6573 times)
Pages: « 1 2 [3] 4 »  All
Xavier59 (OP), Hero Member
October 16, 2016, 09:09:01 AM  #41

So you rely on a post published by the website itself? Sure, they will say "Yes, we messed up, withdraw your coins." That's just stupid.
Again, it isn't FUD; I like to believe that after this they will consider their customers and increase security.
s4w3d0ff, Sr. Member
October 16, 2016, 09:26:36 AM  #42

Quote
"Because we take these claims seriously, we investigate each one, but almost all of them turn out to be fake with the sole purpose of extorting us. In the event that someone comes to us with a legitimate matter, we pay a bounty and part ways with a professional understanding that as long as we promptly fix the issue, the matter is considered closed."

Quote
"This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes."

Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and manpower, they would have security pretty tight. The only vulnerabilities I see are "user error", in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdrawal requests, the coins are (from what I remember) in cold storage and you need 2FA or email confirmation to do a full withdrawal.

Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).

Mimir, Member
October 16, 2016, 12:26:34 PM  #43

Quote
Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).

So was it a risk or not? That's the real question.

Polo admits that mod escalation happened; this is admitted on both reddit and btctalk by legitimate spokespeople.
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof?
Emails or gtfo.


spartak_t, Legendary
October 16, 2016, 12:48:33 PM  #44

Quote
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof?
Emails or gtfo.

You think?

https://twitter.com/el33th4xor/status/787610289369784320

Mimir, Member
October 16, 2016, 01:35:20 PM  #45

As far as it stands now.

Yes.

spartak_t, Legendary
October 16, 2016, 01:44:30 PM  #46

Quote
As far as it stands now.

Yes.

You do realize that Emin Gün Sirer is an Associate Professor at Cornell's Computer Science Dept.? And as I said, I don't think their answer is professional. They talked against Xavier too much, and I believe they have better things to do.

Mimir, Member
October 16, 2016, 02:08:17 PM (last edit: October 21, 2016, 11:18:23 AM by Mimir)  #47

We are arguing, man? I'm in complete agreement.

spartak_t, Legendary
October 16, 2016, 02:13:05 PM  #48

I can't argue on the matter as I'm not a coder.

Mimir, Member
October 16, 2016, 02:28:24 PM  #49

Quote
I can't argue on the matter as I'm not a coder.

I think we've crossed streams here.

Polo has been decent in their response, and I think they take it all seriously, but OP raised proper points and has gotten his 0.2 BTC bounty for pointing out a 200 BTC problem.

As long as companies don't take these things seriously, there'll always be an incentive for good people to do the wrong thing.

For all the bad PR that's come up, polo should actually be grateful for this guy; he did good.

spartak_t, Legendary
October 16, 2016, 02:38:07 PM  #50

Quote
I can't argue on the matter as I'm not a coder.

I think we've crossed streams here.

Nah, all is good.

Quote
Polo has been decent in their response, and I think they take it all seriously, but OP raised proper points and has gotten his 0.2 BTC bounty for pointing out a 200 BTC problem.

As long as companies don't take these things seriously, there'll always be an incentive for good people to do the wrong thing.

For all the bad PR that's come up, polo should actually be grateful for this guy; he did good.

I agree on everything but the decent part (well, I may add the size of the bounty, given the fact that Poloniex is operating with tens of millions of dollars). Notice part of their response:


Quote
This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes. Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective? Should a 'news source' that eagerly publishes the statements of a person without verifiable identity or proper vetting of his accusations be considered legitimate news?

I thought they were joking. Should that 'news source' be named Kevin Mitnick in order to investigate the problem? It sounded like: "We are Poloniex and he is nobody".

Not cool.

hdbuck, Legendary
October 16, 2016, 02:46:11 PM  #51

Has somebody exploited the vulnerabilities yet?

I need an exchange to collapse to get more cheap coins.

Xavier59 (OP), Hero Member
October 16, 2016, 06:45:37 PM  #52

Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerabilities at once.

Oops! goo.gl/xcbG5G
Xavier59 (OP), Hero Member
October 16, 2016, 08:53:08 PM  #53

Quote
Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerabilities at once.

Oops! goo.gl/xcbG5G

This open URL vulnerability just got patched. But well, it was just more proof that Polo wasn't safe, even after the reddit post.
NLNico, Legendary
October 17, 2016, 06:14:08 AM  #54

Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?
Is this really true though?

First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:

Code:
<!-- Auto-submitting cross-site POST form: a victim who opens this page while
     logged in to domain.com sends the request with their session cookies attached. -->
<form name="c" id="c" action="https://domain.com/page" method="post">
<input type="hidden" name="parameter1" value="10000" />
</form>
<script type="text/javascript">
window.onload = function () {
var form = document.getElementById("c");
form.submit();
};
</script>
This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF.

The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefore it wouldn't be possible as a clickable link on the same domain, nor as any link/form/etc on another domain. Did you try making a request without that request header?

The reason why CSRF tokens are superior is because there have been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed making requests with those X- headers.) But still, if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.

Overall it seems like the PDF is a bit exaggerated IMO. The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that, so thanks for sharing.

Xavier59 (OP), Hero Member
October 17, 2016, 02:37:58 PM  #55

Quote (NLNico, reply #54, quoted in full above)


You're wrong, they aren't equally vulnerable. As a matter of fact, it wouldn't have been possible to do the attack I described if they were using POST.
They are not verifying the header X-Requested-With: XMLHttpRequest as you supposed. They check for the Referer header (poloniex.com), which only allows an attack via a trollbox link (so again, it isn't possible with POST).
Glad to see my reports taught you some security things btw :p
NLNico, Legendary
October 17, 2016, 03:04:00 PM  #56

Ah, I missed the "Referer" part. In that specific case GET is worse then, yeah.

alphahacktivist, Full Member
October 21, 2016, 12:25:18 AM  #57

Quote
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and manpower, they would have security pretty tight. The only vulnerabilities I see are "user error", in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdrawal requests, the coins are (from what I remember) in cold storage and you need 2FA or email confirmation to do a full withdrawal.

You need to take into consideration the volume of a year ago and the volume of today. It's a huge difference.
pavan@hosur, Sr. Member
October 29, 2016, 02:03:21 AM  #58

Add #Cloakcoin; we have requested it so many times.
rohmanbagol, Newbie
November 02, 2016, 08:51:39 AM  #59

As long as trading is on polo, it's a good exchange.
Waiting for ICN to go there.
Xavier59 (OP), Hero Member
August 12, 2017, 10:13:36 PM  #60

For information: https://www.reddit.com/r/PoloniexForum/comments/6t4tvs/i_managed_to_bypass_2fa_and_email_verification_is/