Poloniex, the biggest altcoin exchange, with a daily volume in the tens of thousands, if not hundreds of thousands, of BTC, is insecure, according to an anonymous security review whose author describes it as "really light testing."
Xavier59, whose StackExchange profile states "[a]pparently, this user prefers to keep an air of mystery about them," publicly disclosed three vulnerabilities, claiming that Poloniex failed to reply to the emails he sent more than a month ago informing them of the bugs. The vulnerabilities, according to Xavier59, indicate incompetence and potential risks.
The most prominent seems to be the use of GET rather than POST for cryptocurrency transactions. GET is the method for retrieving a resource and is expected to have no side effects: its parameters travel in the URL, so they are written to server logs, browser history and Referer headers, and any third-party page can make a visitor's browser issue such a request, cookies included. A state-changing action such as a withdrawal belongs in a POST request, which can also carry an anti-forgery token. Xavier59 states:
"It is a terribly bad practice that any person involved in security would scream while discovering it."
Poloniex also apparently does not validate the type of data being passed into its code - whether a value is a number, a string and so on - which "could cause unexpected behavior" and "is representative of bad security policy." Moreover, the source code is visible to an attacker, making it easier to find vulnerabilities, according to Xavier59, who says this would allow an attacker to gain moderator privileges in the infamous troll box and thus share potentially malware-infested links from a position of apparent authority. We have reached out to Poloniex, but they had not responded by the time of publishing.
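As an added illustration, not code from the review or from Poloniex, the Python sketch below puts a withdrawal handler written in the pattern the review describes, reachable by GET and trusting its raw parameters, beside a hardened version that insists on POST, checks a session-bound anti-forgery token and validates the amount and address before the balance moves. The route, session table, token, withdrawal cap, sample addresses and sample requests are all constructed for the example.

```python
"""Added illustration (not Poloniex's code): a withdrawal handler written the way
the review describes (reachable by GET, raw untyped parameters) beside a hardened
version. Routes, session table, token, cap and sample requests are all constructed."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import hmac
import re

# Constructed session table: one logged-in user with a per-session CSRF token.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": "f3a9c0d1e2b4a6c8"}}
# Assumption for this example: only legacy base58 Bitcoin addresses are accepted.
ADDRESS_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
MAX_WITHDRAWAL = Decimal("1000")      # hypothetical per-request cap
SATOSHI = Decimal("0.00000001")       # ledger precision
# Sample addresses (the documentation examples from the Bitcoin wiki).
USER_ADDR = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
ATTACKER_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"


def fresh_accounts():
    """Constructed ledger so every scenario starts from the same balance."""
    return {"alice": Decimal("2.50000000")}


@dataclass
class Request:
    method: str
    path: str
    params: dict                      # query string for GET, form body for POST
    cookies: dict = field(default_factory=dict)


def access_log_line(req):
    """The request line a typical web server writes to its access log: it carries
    the full query string of a GET, never the body of a POST."""
    target = req.path
    if req.method == "GET" and req.params:
        target += "?" + "&".join(f"{k}={v}" for k, v in req.params.items())
    return f'"{req.method} {target} HTTP/1.1"'


def withdraw_vulnerable(req, accounts):
    """The pattern the review criticises: any method accepted, no anti-forgery
    token, and the amount is whatever float() makes of the raw string."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "error: not logged in"
    amount = float(req.params.get("amount", "0"))   # "-1", "1e9", "nan" all pass
    accounts[session["user"]] -= Decimal(str(amount))
    return f"ok: sent {amount} to {req.params.get('address')}"


def parse_amount(raw):
    """Strict parse: positive, finite, at most 8 decimal places, under the cap.
    Returns a Decimal or None; nothing else reaches the ledger."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return None
    if not amount.is_finite() or amount <= 0 or amount > MAX_WITHDRAWAL:
        return None
    if amount != amount.quantize(SATOSHI):          # more precision than the ledger
        return None
    return amount


def withdraw_hardened(req, accounts):
    """A state-changing action done properly: POST only, valid session, CSRF token
    bound to that session, every parameter validated before the balance moves."""
    if req.method != "POST":
        return "error: 405 method not allowed"
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "error: not logged in"
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return "error: 403 bad csrf token"
    amount = parse_amount(req.params.get("amount", ""))
    if amount is None:
        return "error: invalid amount"
    address = req.params.get("address", "")
    if not ADDRESS_RE.match(address):
        return "error: invalid address"
    if amount > accounts[session["user"]]:
        return "error: insufficient funds"
    accounts[session["user"]] -= amount
    return f"ok: sent {amount} to {address}"


def cross_site_get():
    """What the victim's browser sends after loading an attacker page containing
    <img src="https://exchange.example/withdraw?amount=2.5&address=...">:
    a GET with attacker-chosen parameters and the victim's cookie attached."""
    req = Request("GET", "/withdraw", {"amount": "2.5", "address": ATTACKER_ADDR},
                  cookies={"session": "sess-alice"})
    vuln, hard = fresh_accounts(), fresh_accounts()
    return {"vulnerable": (withdraw_vulnerable(req, vuln), vuln["alice"]),
            "hardened": (withdraw_hardened(req, hard), hard["alice"]),
            "log": access_log_line(req)}
```

Running cross_site_get() shows the two points side by side: the GET handler empties the constructed account and writes the amount and destination address into the access log, while the hardened handler rejects the same request on the method alone before any other check runs. Feeding "-1" or "nan" to withdraw_vulnerable credits the account or corrupts the balance, which is exactly the "unexpected behavior" that parse_amount is there to stop.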
Emin Gün Sirer, Cornell professor, publicly stated in sharing the security review[2] that "Poloniex has some major red flags." He further stated that, although it is not an immediate vulnerability or cause for panic, it is a wake-up call and "some 1995-level security practice." Elaborating to CCN, Sirer said that he does not know the author of the security review and has not had the time to verify the claims himself, before adding: "If true, these indicate that the level of implementation is far from best practices, closer to mid-90's web programming than current day state of the art. Coupled with an earlier concurrency issue about a year and a half ago where Poloniex lost money due to a basic concurrent programming error, I have grave doubts about the robustness of their implementation.
"Running an exchange in this space, with these valuable bearer instruments, is a difficult task. I'd be wary of any company that commits elementary mistakes, because the attackers are both sophisticated and very motivated, given the money at stake."
http://securitykit.info/posts/2016/10/cryptocurrency-exchange-poloniex-is-insecure-security-review-claims-4/