Bitcoin Forum
Topic: Bitcoin7 a new exchange (page 3 of 7, read 20797 times)
cuddlefish (Sr. Member), June 16, 2011, 09:11:12 AM, #41

Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

Still easy to exploit.

Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code :)

Yup. I'm adding a framebreaker to Ubitex.org (although since I don't handle money, not nearly as bad.)
rb2k (Member), June 16, 2011, 09:22:11 AM, #42

Ok, so:
  • Text was copied
  • Coins are stored as floats and apparently this won't change
  • Site is exploitable

Yeah... thanks but no thanks :)
cuddlefish (Sr. Member), June 16, 2011, 09:27:32 AM, #43

Ok, so:
  • Site is exploitable

Oh, not just exploitable. Exploitable as in Sony.
jav (Sr. Member), June 16, 2011, 11:24:59 AM, #44

Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

Still easy to exploit.

Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code :)

This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript.) You can only access the iframe from code that comes from the same domain.

This might just get dangerous when combined with cross-site scripting: If you manage to feed the webserver some data that it will display back to you unescaped, you can then get your code to come from the same domain and can do these sort of things.

davout (Legendary), June 16, 2011, 12:15:43 PM, #45

This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript). You can only access the iframe from code, that comes from the same domain.
I stand corrected on this one

jakemates (Member), June 16, 2011, 01:45:42 PM, #46

From this topic:

we don't store in floats. We keep the accuracy up to floats, but store numbers in a more "integer" way. I can't share more on the technical side of this matter

You should, because "we store numbers in a more integer way" is hardly reassuring.

bittersweet, digging further on this will help neither the users nor Bitcoin7.
darkwon (Newbie), June 16, 2011, 02:12:39 PM, #47

Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.

I don't think bitcoin7 did a perfect start either and there's still obviously a lot to be done on their site, but at least they are very proactive about it, fixing things within minutes of reports coming in, communicating a lot in emails and on forum, trying to be helpful, etc..

They have a total of 400 Bitcoins traded as of now, this exchange just opened, but you all expect perfection right from the start?!

Yes they made some mistakes, like copying that text from Tradehill and having security holes, but they're also very quick in acknowledging and fixing mistakes; which shows, at least to me, that they're honestly trying their best to provide a good service to us.

davout (Legendary), June 16, 2011, 02:29:37 PM, #48

they're also very quick in acknowledging and fixing mistakes
Well, actually no, they could have said something like "hey yeah that's right, we should store amounts in decimal, not in floats", but instead the answer was pretty much just marketing talk. Please read the whole thread.

darkwon (Newbie), June 16, 2011, 02:39:30 PM, #49

You are right, the floating point issue is the only one where they didn't immediately respond with "it's being fixed right now", for reasons I could only speculate about. Still, that doesn't change the other points I made in my posting. Please don't single out one issue like this, it's a bad habit in debating.
davout (Legendary), June 16, 2011, 02:49:19 PM, #50

It's not that they didn't fix it that's disturbing, it's the fact they don't even acknowledge it is an issue that is.

Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.

grondilu (Legendary), June 16, 2011, 03:08:54 PM, #51

Registered today.  Transferred a few euros via SEPA.

I'll let you guys know if everything went smooth.

lemonginger (Full Member), June 16, 2011, 04:51:58 PM, #52

Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.

YOU CAN'T RUN A LIVE MONEY EXCHANGE SITE WITH LARGE SECURITY HOLES.

Seriously, "fixing on the fly" is not an okay way to run a site that is moving money. It doesn't matter whether they are scammers or very well-meaning but incompetent programmers trying to cash in off the lack of exchanges currently out there.

If you are making mistakes at the most basic levels, it is likely that your site is going to be riddled with possible security holes. No one wants to hear "Oh, sorry, we are fixing it now" after their money goes flying out the window. Not to mention any exchange handling any large amounts of money is going to be a target for thieves, hackers, governments, DDOS attacks, etc etc etc. If you are going to paint a target on your back with other people's money, you best be in a position to handle it.

For all I know these folks are the nicest people on earth and I'd be happy to have a beer with them. That doesn't mean they should be programming a currency exchange.
jkminkov (OP, Hero Member), June 16, 2011, 04:58:49 PM, #53

if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!

davout (Legendary), June 16, 2011, 05:10:13 PM, #54

if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
it's yours that i'm going to exploit for the lulz

joan (Jr. Member), June 16, 2011, 05:15:31 PM, #55

Wow, you guys are hyper-critical. Why so much hate in your reaction?
I agree the reaction has been harsh, but I think it's a good thing.
The influx of users has been overwhelming. Many people have seen quick dollars and business opportunities. We need to make sure these new businesses are sound and safe for the users.

If that means aggressively auditing every new project for security holes and taking a "scam until proven otherwise" stance, so be it. Better safe than sorry.
Every project handling people's coins needs to have very high security standards. Lotteries need to be provably honest. Exchanges and escrows need to be transparent.
We need to raise the bar.
gene (Sr. Member), June 16, 2011, 06:05:16 PM, #56

Exchanges are crucial. If this exchange is shit (smells like it), it damages bitcoin.

So yes, it is time to get vicious.

Bitcoin7.com (Newbie), June 16, 2011, 07:47:56 PM, #57

Just to mention that we are monitoring the topic closely, without taking part in it, as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reaction.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
jakemates (Member), June 16, 2011, 07:51:31 PM, #58

Just to mention that we are monitoring the topic closely, without taking part in it, as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reaction.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!

Do you still use floats to store values and are you still vulnerable to CSRF exploits?
finnthecelt (Full Member), June 16, 2011, 08:16:19 PM, #59

So for what it's worth.

I have successfully transferred BTC to B7.

I have sold some BTC.

I transferred it to my Dwolla account and it's showing up there....

Bitcoin7.com (Newbie), June 16, 2011, 08:19:53 PM, #60

We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.