cuddlefish
June 16, 2011, 09:11:12 AM
Security is no joke indeed, thanks for reporting. The glitch has been fixed. We review any single transaction manually at the moment anyway. Our commitment is to ensure maximum stability, even if we have to restore damage.
Still easy to exploit. Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code
Yup. I'm adding a framebreaker to Ubitex.org (although since I don't handle money, it's not nearly as bad.)
rb2k
Member
Offline
Activity: 109
Merit: 10
June 16, 2011, 09:22:11 AM
Ok, so: - Text was copied
- Coins are stored as floats and apparently this won't change
- Site is exploitable
Yeah... thanks but no thanks
cuddlefish
June 16, 2011, 09:27:32 AM
Oh, not just exploitable. Exploitable as in Sony.
jav
June 16, 2011, 11:24:59 AM
Security is no joke indeed, thanks for reporting. The glitch has been fixed. We review any single transaction manually at the moment anyway. Our commitment is to ensure maximum stability, even if we have to restore damage.
Still easy to exploit. Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code
This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript). You can only access the iframe from code that comes from the same domain. This might just get dangerous when combined with cross-site scripting: if you manage to feed the webserver some data that it will display back to you unescaped, you can then get your code to come from the same domain and can do these sorts of things.
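The fix for the withdraw-form hole cuddlefish and jav are discussing, shown as an added example in Python that is not Bitcoin7's code or anyone's from the thread: a cross-site page can still make the browser POST the victim's cookies, so the server must demand proof that the POST came from its own page (a per-session token in the form plus an Origin check). The origin, the session layout and the satoshi balance are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the exchange's own origin; the real site's is not given in the thread.
TRUSTED_ORIGIN = "https://exchange.example"


def new_session(balance_sat=150_000_000):
    """A logged-in session: balance in integer satoshi plus a random CSRF token."""
    return {"user": "alice", "balance_sat": balance_sat,
            "csrf_token": secrets.token_hex(32)}


def render_withdraw_form(session):
    """The genuine withdraw page embeds the session's token in a hidden field."""
    return {"csrf_token": session["csrf_token"]}


def request_origin(headers):
    """Normalise Origin (or Referer as a fallback) to scheme://host[:port]."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}"


def apply_withdrawal(session, amount_sat):
    """Move the money once the request has been accepted."""
    if amount_sat <= 0 or amount_sat > session["balance_sat"]:
        return "insufficient funds"
    session["balance_sat"] -= amount_sat
    return "ok"


def withdraw_vulnerable(session, form, headers):
    """Before: any POST riding on the victim's session cookie is honoured."""
    return apply_withdrawal(session, int(form["amount_sat"]))


def withdraw_hardened(session, form, headers):
    """After: the POST must prove it came from our own page before money moves."""
    if request_origin(headers) != TRUSTED_ORIGIN:
        return "rejected: cross-origin request"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return "rejected: missing or bad csrf token"
    return apply_withdrawal(session, int(form["amount_sat"]))
```

The token is unreadable from another origin precisely because of the same origin policy jav describes, which is why it only stops working once an XSS lets attacker code run on the exchange's own domain.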
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
June 16, 2011, 12:15:43 PM
This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript). You can only access the iframe from code, that comes from the same domain.
I stand corrected on this one
jakemates
Member
Offline
Activity: 69
Merit: 10
firstbits.com/1c3qpa
June 16, 2011, 01:45:42 PM
From this topic: we don't store in floats. We keep the accuracy up to floats, but store numbers in a more "integer" way. I can't share more on the technical side of this matter
You should, because "we store numbers in a more integer way" is hardly reassuring.
bittersweet, digging further on this will help neither the users nor Bitcoin7.
darkwon
Newbie
Offline
Activity: 57
Merit: 0
June 16, 2011, 02:12:39 PM
Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.
I don't think bitcoin7 did a perfect start either and there's still obviously a lot to be done on their site, but at least they are very proactive about it, fixing things within minutes of reports coming in, communicating a lot in emails and on forum, trying to be helpful, etc..
They have a total of 400 Bitcoins traded as of now, this exchange just opened, but you all expect perfection right from the start?!
Yes they made some mistakes, like copying that text from Tradehill and having security holes, but they're also very quick in acknowledging and fixing mistakes; which shows, at least to me, that they're honestly trying their best to provide a good service to us.
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
June 16, 2011, 02:29:37 PM
they're also very quick in acknowledging and fixing mistakes
Well, actually no, they could have said something like "hey yeah that's right, we should store amounts in decimal, not in floats", but instead, the answer was pretty much just marketing talk. Please read the whole thread.
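What davout's "decimal, not floats" point comes down to, as an added example in Python that is not code from the thread or from Bitcoin7: ten deposits of 0.1 BTC summed as binary floats no longer cover a withdrawal of the 1.00000000 BTC the account page would display, while the same ledger kept as integer satoshi does. The satoshi unit and the helper names are assumptions.

```python
from decimal import Decimal

SATOSHI = 100_000_000  # 1 BTC = 10^8 satoshi, so every amount is an exact integer


def btc_to_sat(text):
    """Parse a user-entered BTC amount such as '0.1' exactly, never via float."""
    return int((Decimal(text) * SATOSHI).to_integral_value())


def float_ledger(deposits):
    """Balance as a binary float, the representation the thread objects to."""
    balance = 0.0
    for amount in deposits:
        balance += float(amount)
    return balance


def sat_ledger(deposits):
    """Balance as an integer satoshi count: every addition is exact."""
    balance = 0
    for amount in deposits:
        balance += btc_to_sat(amount)
    return balance


def shown_balance_float(deposits):
    """What the account page would print: rounded to 8 places, hiding the drift."""
    return f"{float_ledger(deposits):.8f}"


def withdraw_float(deposits, amount_text):
    """Withdrawal check against the float balance."""
    return "ok" if float(amount_text) <= float_ledger(deposits) else "insufficient funds"


def withdraw_sat(deposits, amount_text):
    """The same check against the integer balance."""
    return "ok" if btc_to_sat(amount_text) <= sat_ledger(deposits) else "insufficient funds"


if __name__ == "__main__":
    ten = ["0.1"] * 10  # constructed: ten deposits of 0.1 BTC each
    print(float_ledger(ten), shown_balance_float(ten))  # 0.9999999999999999 1.00000000
    print(withdraw_float(ten, "1.0"), withdraw_sat(ten, "1.0"))  # insufficient funds ok
```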
darkwon
Newbie
Offline
Activity: 57
Merit: 0
June 16, 2011, 02:39:30 PM
You are right, the floating point issue is the only one where they didn't immediately respond with "it's being fixed right now", for reasons I could only speculate about. Still, that doesn't change the other points I made in my posting. Please don't single out one issue like this, it's a bad habit in debating.
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
June 16, 2011, 02:49:19 PM
It's not that they didn't fix it that's disturbing, it's the fact they don't even acknowledge it is an issue that is. Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.
grondilu
Legendary
Offline
Activity: 1288
Merit: 1080
June 16, 2011, 03:08:54 PM
Registered today. Transferred a few euros via SEPA.
I'll let you guys know if everything went smoothly.
lemonginger
Full Member
Offline
Activity: 210
Merit: 100
firstbits: 121vnq
June 16, 2011, 04:51:58 PM
Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.
YOU CAN'T RUN A LIVE MONEY EXCHANGE SITE WITH LARGE SECURITY HOLES. Seriously, "fixing on the fly" is not an okay way to run a site that is moving money. It doesn't matter whether they are scammers or very well-meaning but incompetent programmers trying to cash in off the lack of exchanges currently out there. If you are making mistakes at the most basic levels, it is likely that your site is going to be riddled with possible security holes. No one wants to hear "Oh, sorry, we are fixing it now" after their money goes flying out the window. Not to mention any exchange handling any large amounts of money is going to be a target for thieves, hackers, governments, DDOS attacks, etc etc etc. If you are going to paint a target on your back with other people's money, you best be in a position to handle it. For all I know these folks are the nicest people on earth and I'd be happy to have a beer with them. That doesn't mean they should be programming a currency exchange.
jkminkov (OP)
June 16, 2011, 04:58:49 PM
if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
.:31211457:. 100 dollars in one place talking - Dudes, hooray, Bitcoin against us just one, but we are growing in numbers!
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
June 16, 2011, 05:10:13 PM
if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
It's yours that I'm going to exploit for the lulz
joan
Jr. Member
Offline
Activity: 56
Merit: 1
June 16, 2011, 05:15:31 PM
Wow, you guys are hyper-critical. Why so much hate in your reaction?
I agree the reaction has been harsh, but I think it's a good thing. The influx of users has been overwhelming. Many people have seen quick dollars and business opportunities. We need to make sure these new businesses are sound and safe for the users. If that means aggressively auditing every new project for security holes and taking a "scam until proven otherwise" stance, so be it. Better safe than sorry. Every project handling people's coins needs to have very high security standards. Lotteries need to be provably honest. Exchanges and escrows need to be transparent. We need to raise the bar.
gene
June 16, 2011, 06:05:16 PM
Exchanges are crucial. If this exchange is shit (smells like it), it damages bitcoin.
So yes, it is time to get vicious.
*processing payment* *error 404 : funds not found* Do you want to complain on the forum just to fall for another scam a few days later? | YES | YES |
Bitcoin7.com
Newbie
Offline
Activity: 29
Merit: 0
June 16, 2011, 07:47:56 PM
Just to mention that we are monitoring the topic closely, without taking part in it, as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reactions. We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
jakemates
Member
Offline
Activity: 69
Merit: 10
firstbits.com/1c3qpa
June 16, 2011, 07:51:31 PM
Just to mention that we are monitoring the topic closely, without taking part in it, as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reactions. We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
Do you still use floats to store values and are you still vulnerable to CSRF exploits?
finnthecelt
June 16, 2011, 08:16:19 PM
So for what it's worth.
I have successfully transferred BTC to B7.
I have sold some BTC.
I transferred it to my Dwolla account and it's showing up there....
Bitcoin7.com
Newbie
Offline
Activity: 29
Merit: 0
June 16, 2011, 08:19:53 PM
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.
Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.
On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.