Poloniex, the biggest altcoin exchange with daily volume in tens of thousands, if not hundreds of thousands btc, is insecure according to an anonymous "really light testing" security review.
Xavier59, whose StackExchange profile states "[a]pparently, this user prefers to keep an air of mystery about them," publicly released three vulnerabilities after claiming Poloniex failed to reply to his emails informing them of security bugs more than a month ago. The vulnerabilities, according to Xavier59, indicate incompetence and potential risks.
The most prominent seems to be using Get (which is mainly employed for public information) instead of Post (mainly used for private info) for cryptocurrency transactions. Xavier59 states:
"It is a terrible bad practice that any person involved in security would scream while discovering it."
Poloniex apparently does not use what type of data the code is feeding - that is numbers, letters, etc - which "could cause unexpected behavior" and "is representative of bad security policy." Moreover, the source code is visible to an attacker, making it is easier to find vulnerabilities, according to Xavier59, which would allow an attacker to gain moderator privileges in the infamous troll box thus sharing potentially malware infested links from a position of apparent authority. We have reached out to Poloniex, but they have not responded in time for publishing.
Emin G?n Sirer, Cornell professor, publicly stated in sharing the security review[2] that "Poloniex has some major red flags." He further publicly stated that although it is not an immediate vulnerability or cause for panic, it is a wakeup call and "some 1995-level security practice." In further elaborating, Sirer stated to CCN that he does not know the author of the security review and has not had the time to verify the claims himself, before adding: "If true, these indicate that the level of implementation is far from best practices, closer to mid-90's web programming than current day state of the art. Coupled with an earlier concurrency issue about a year and a half ago where Poloniex lost money due to a basic concurrent programming error, I have grave doubts about the robustness of their implementation.
"Running an exchange in this space, with these valuable bearer instruments, is a difficult task. I'd be wary of any company that commits elementary mistakes, because the attackers are both sophisticated and very motivated, given the money at stake."
http://securitykit.info/posts/2016/10/cryptocurrency-exchange-poloniex-is-insecure-security-review-claims-4/
