Xavier59 (OP)
October 16, 2016, 09:09:01 AM
So you rely on a post posted by the website itself? Sure, they will say "Yes, we fucked up, withdraw your coins." That's just stupid. Again, it isn't FUD; I like to believe that after that, they will consider their customers and increase security.
s4w3d0ff
Sr. Member
Offline
Activity: 322
Merit: 250
Spray and Pray
October 16, 2016, 09:26:36 AM
"Because we take these claims seriously, we investigate each one, but almost all of them turn out to be fake with the sole purpose of extorting us. In the event that someone comes to us with a legitimate matter, we pay a bounty and part ways with a professional understanding that as long as we promptly fix the issue, the matter is considered closed."
"This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes."
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.
You would think that with their history and manpower, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdrawal requests, the coins are (from what I remember) in cold storage and you need 2FA or email confirmation to do a full withdrawal.
Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).
Mimir
Member
Offline
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 12:26:34 PM
Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).
So was it a risk or not? That's the real question. Polo admits that mod escalation happened; this is admitted on both reddit and btctalk by legitimate spokespeople. Their problem is that no one 'informed them first', and that is what needs to be proven. So where's the proof? Emails or gtfo.
The wilderness has a mysterious tongue. Which teaches awful doubt, or faith so mild
Mimir
Member
Offline
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 01:35:20 PM
As far as it stands now.
Yes.
spartak_t
Legendary
Offline
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 01:44:30 PM
As far as it stands now.
Yes.
You do realize that Emin Gün Sirer is an Associate Professor at Cornell's Computer Science Dept.? And as I said - I don't think their answer is professional. They talked against Xavier too much and I believe they have better things to do.
Mimir
Member
Offline
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 02:08:17 PM (last edit: October 21, 2016, 11:18:23 AM by Mimir)
We are arguing, man? I'm in complete agreement.
spartak_t
Legendary
Offline
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 02:13:05 PM
I can't argue on the matter as I'm not a coder.
Mimir
Member
Offline
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 02:28:24 PM
I can't argue on the matter as I'm not a coder.
I think we've crossed streams here. Polo has been decent in their response, and I think they take it all seriously, but OP raised proper points and has gotten his 0.2 BTC bounty for pointing out a 200 BTC problem. As long as companies don't take these things seriously there'll always be an incentive for good people to do the wrong thing. For all the bad PR that's come up, polo should actually be grateful for this guy; he did good.
spartak_t
Legendary
Offline
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 02:38:07 PM
I can't argue on the matter as I'm not a coder.
I think we've crossed streams here. Nah, all is good. Polo has been decent in their response, and I think take it all seriously but OP raised proper points and has gotten his 0.2 btc bounty for pointing out a 200 btc problem.
As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.
For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.
I agree on everything but the decent part (well, I may add the size of the bounty, given the fact that Poloniex is operating with tens of millions of dollars). Notice part of their response:
"This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes. Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective? Should a 'news source' that eagerly publishes the statements of a person without verifiable identity or proper vetting of his accusations be considered legitimate news?"
I thought they were joking. Should that 'news source' be named Kevin Mitnick in order to investigate the problem? It sounded like: "We are Poloniex and he is nobody". Not cool.
hdbuck
Legendary
Offline
Activity: 1260
Merit: 1002
October 16, 2016, 02:46:11 PM
Has somebody exploited the vulnerabilities yet? I need an exchange to collapse to get more cheap coins.
Xavier59 (OP)
October 16, 2016, 06:45:37 PM
Poloniex is safe according to their post on reddit.
They were unlucky that I didn't release all the vulnerabilities at once.
Oops! goo.gl/xcbG5G
Xavier59 (OP)
October 16, 2016, 08:53:08 PM
Poloniex is safe according to their post on reddit.
They were unlucky that I didn't release all the vulnerabilities at once.
Oops! goo.gl/xcbG5G
This open URL vulnerability just got patched. But well, it was just another proof that Polo wasn't safe, even after the reddit post.
NLNico
Legendary
Offline
Activity: 1876
Merit: 1295
DiceSites.com owner
October 17, 2016, 06:14:08 AM
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability, don't you?
Is this really true though? First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can all be in a hidden iframe on a legitimate-looking page too.) I always use the following code for proof of concepts:

    <form name="c" id="c" action="https://domain.com/page" method="post">
        <input type="hidden" name="parameter1" value="10000" />
    </form>
    <script type="text/javascript">
        window.onload = function () {
            var form = document.getElementById("c");
            form.submit();
        };
    </script>

This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF. The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefore it wouldn't be possible as a clickable link on the same domain, nor as any link/form/etc on another domain. Did you try making a request without that request header? The reason why CSRF tokens are superior is because there have been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed making requests with those X- headers.) But still, if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability. Overall it seems like the PDF is a bit exaggerated IMO. The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important.
The "toString" thing is a very nice trick, I never realized that so thanks for sharing that.
Xavier59 (OP)
October 17, 2016, 02:37:58 PM
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability, don't you?
Is this really true though? First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can all be in a hidden iframe on a legitimate-looking page too.) I always use the following code for proof of concepts:

    <form name="c" id="c" action="https://domain.com/page" method="post">
        <input type="hidden" name="parameter1" value="10000" />
    </form>
    <script type="text/javascript">
        window.onload = function () {
            var form = document.getElementById("c");
            form.submit();
        };
    </script>

This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF. The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefore it wouldn't be possible as a clickable link on the same domain, nor as any link/form/etc on another domain. Did you try making a request without that request header? The reason why CSRF tokens are superior is because there have been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed making requests with those X- headers.) But still, if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability. Overall it seems like the PDF is a bit exaggerated IMO. The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important.
The "toString" thing is a very nice trick, I never realized that so thanks for sharing that.
You're wrong, they aren't equally vulnerable. As a matter of fact, it wouldn't have been possible to do the attack I described if they were using POST. They are not verifying the header X-Requested-With: XMLHttpRequest as you supposed. They check for the Referer header (poloniex.com), which only allows an attack via a Trollbox link (so again, it isn't possible with POST). Glad to see my reports taught you some security things btw :p
NLNico
Legendary
Offline
Activity: 1876
Merit: 1295
DiceSites.com owner
October 17, 2016, 03:04:00 PM
Ah, I missed the "Referer" part. In that specific case GET is worse then, yeah.
alphahacktivist
October 21, 2016, 12:25:18 AM
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.
You would think that with their history and manpower, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdrawal requests, the coins are (from what I remember) in cold storage and you need 2FA or email confirmation to do a full withdrawal.
You need to take into consideration the volume of a year ago and the volume of today. It's a huge difference.
pavan@hosur
October 29, 2016, 02:03:21 AM
Add #Cloakcoin; we have requested it so many times.
rohmanbagol
Newbie
Offline
Activity: 54
Merit: 0
November 02, 2016, 08:51:39 AM
As long as trading on Polo, it's a good exchange. Waiting for ICN to go there.
Xavier59 (OP)
August 12, 2017, 10:13:36 PM