Bitcoin Forum
November 11, 2024, 08:03:28 AM *
Pages: « 1 2 3 [4] 5 6 7 »  All
Author Topic: Bitcoin7 a new exchange  (Read 20864 times)
cuddlefish (Sr. Member) | June 16, 2011, 08:20:44 PM | #61

Quote from: Bitcoin7.com
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.

Soo. if it couldn't be used, what was there to FIX?
ryepdx (Hero Member) | June 16, 2011, 08:24:23 PM | #62

You're salting and hashing your user's passwords before storing them in your database, right?
davout (Legendary) | June 16, 2011, 08:31:04 PM | #63

Quote from: Bitcoin7.com
Just to mention that we are monitoring the topic closely, without taking part of it as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reaction.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!

I don't speculate, I point at hard facts.
You were vulnerable to one identified CSRF exploit, you fixed it, good.

You still didn't make any statement regarding the amounts storage, the options are:
 - "We use floats because we don't have a clue about handling money in a database"
 - "We now use decimals instead of floats because we understand the exact implications"

"we store amounts very precisely", "we're monitoring the site closely", "trust us!", "we don't want to communicate about it", "davout is mean", "<insert random marketing talk here>" are not acceptable answers.

I'm not making any assumption regarding your honesty, I'm making statements about technical matters and I have no problem being corrected if I happen to be wrong (see previous posts).

Now I suggest you get your code straight and be open about it.

Quote from: Bitcoin7.com
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

This is an outright lie. It was trivially exploitable.

Quote from: Bitcoin7.com
On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.

more marketing talk...

Quote from: ryepdx
You're salting and hashing your user's passwords before storing them in your database, right?

Check his source, oh, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better ;))
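The float-versus-decimal point davout is pressing, as an added example that is not code from the thread, from Bitcoin7 or from bitcoin-central. Nothing here is taken from Bitcoin7's schema; the three ledger functions, the 1000 x 0.1 BTC deposit list and the withdrawal check are constructed for illustration. It also shows the migration trap for a site that is "upgrading at the moment": converting a float column through `Decimal(value)` keeps the binary expansion, so the conversion has to go through the shortest decimal string and then quantize.

```python
from decimal import Decimal, ROUND_DOWN

SATOSHI = Decimal("0.00000001")  # smallest BTC unit: 8 decimal places

# Constructed sample ledger: one thousand deposits of 0.1 BTC each.
DEPOSITS = ["0.1"] * 1000


def float_ledger(deposits):
    """How a FLOAT/DOUBLE column behaves: 0.1 has no exact binary
    representation, so every addition carries a small rounding error."""
    total = 0.0
    for amount in deposits:
        total += float(amount)
    return total


def decimal_ledger(deposits):
    """DECIMAL(.., 8)-style arithmetic: base-10 values are exact, so the
    sum is exactly 100 BTC, no matter how many deposits are added."""
    total = Decimal("0")
    for amount in deposits:
        total += Decimal(amount)
    return total


def integer_ledger(deposits):
    """Alternative: keep balances as integer satoshis. Quantize once, on
    input, and never divide afterwards."""
    total = 0
    for amount in deposits:
        sats = (Decimal(amount) / SATOSHI).to_integral_value(rounding=ROUND_DOWN)
        total += int(sats)
    return total


def can_withdraw(balance, amount):
    """The comparison an exchange runs before paying out. With floats the
    display may say 100.00000000 while this check says the user is short."""
    return balance >= amount


def migrate_float_column(value):
    """Moving an existing float column to decimal: go through the shortest
    repr, then quantize to 8 places. Decimal(value) directly would keep
    the binary expansion 0.1000000000000000055511151231257827..."""
    return Decimal(repr(value)).quantize(SATOSHI)


if __name__ == "__main__":
    f = float_ledger(DEPOSITS)
    d = decimal_ledger(DEPOSITS)
    print(f"float:   {f!r}  (displayed as {f:.8f})")
    print(f"decimal: {d}")
    print(f"satoshi: {integer_ledger(DEPOSITS)}")
    print("withdraw 100 BTC from float balance:  ", can_withdraw(f, 100.0))
    print("withdraw 100 BTC from decimal balance:", can_withdraw(d, 100))
```

The point of `can_withdraw` is that rounding for display hides the drift: the float total prints as 100.00000000 but sits just below 100, so a withdrawal of the full balance is refused, and in the other direction (a total that drifts above) the site pays out coins it never held.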







ryepdx (Hero Member) | June 16, 2011, 08:40:12 PM | #64

Quote from: davout
Check his source, oh, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better ;))

Hrm. Bcrypt, eh?

<plug>Oh, and BitcoinPouch.com is also open-source. I just haven't been plugging it much because I want to make sure it's well-tested and hardened before I expose it to the general public.</plug> Open source is good for that very reason. Plus it's nice to be able to fix, with your own hands, any security holes you notice instead of having to wait on someone else to do it.
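ryepdx's question and davout's "bcrypt is much better" remark, as an added example that is not code from bitcoin-central, BitcoinPouch, Bitcoin7 or anyone in the thread. The Python standard library has no bcrypt, so the adaptive, salted hash here is PBKDF2-HMAC-SHA256 from `hashlib` standing in for it; the iteration count, the record format and the wordlist are assumed values. The difference that matters is the work factor: a salt stops precomputed tables, but with one SHA-256 pass per guess a dumped users table still falls to a fast dictionary run, and the `crack_from_wordlist` loop is exactly that run.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_salted_sha256(password, salt=None):
    """Salt + one SHA-256 pass. The salt defeats precomputed tables, but a
    single fast hash lets an attacker test huge numbers of guesses per second."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return f"sha256${salt.hex()}${digest.hex()}"


def hash_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salt + an adaptive work factor (the property bcrypt gives you): every
    guess costs `iterations` HMAC computations, and the count is stored in
    the record so it can be raised later without a forced password reset."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(stored, password):
    """Recompute from the parameters in the record; constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "sha256":
        salt_hex, digest_hex = fields
        candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).digest()
    elif scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = fields
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored):
    """True when a successful login should transparently upgrade the record:
    a legacy scheme, or a work factor below the current setting."""
    scheme, *fields = stored.split("$")
    return scheme != "pbkdf2_sha256" or int(fields[0]) < PBKDF2_ITERATIONS


def crack_from_wordlist(stored, wordlist):
    """What an attacker does with a dumped users table. The salt is right
    there in the record, so only the per-guess cost slows this loop down."""
    for guess in wordlist:
        if verify(stored, guess):
            return guess
    return None


def guesses_per_second(stored, seconds=0.5):
    """Rough single-core attacker throughput against one record."""
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        verify(stored, "not-the-password")
        count += 1
    return count / seconds


if __name__ == "__main__":
    weak = hash_salted_sha256("hunter2")
    strong = hash_pbkdf2("hunter2")
    print("salted sha256 guesses/s:", int(guesses_per_second(weak)))
    print("pbkdf2 guesses/s:       ", int(guesses_per_second(strong)))
    print("needs rehash:", needs_rehash(weak), needs_rehash(strong))
```

The `needs_rehash` check is how a live site moves from salted SHA to a slow hash without a reset: the plaintext is only available at login, so the record is rewritten then, and the stored iteration count lets the same path raise the cost later.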
Bitcoin7.com (Newbie) | June 16, 2011, 08:49:02 PM | #65

davout did you see a real result of the "exploit"? Yes or No?
davout (Legendary) | June 16, 2011, 09:09:05 PM | #66

Quote from: Bitcoin7.com
davout did you see a real result of the "exploit"? Yes or No?

No. I saw code that was trivially exploitable.

This code got fixed because some honest people pointed it out previously in this very thread. (Did you thank them at all? :D)

Sukrim (Legendary) | June 16, 2011, 11:25:51 PM | #67

I was just looking for a way to delete my account and couldn't find any obvious way to do so... could you please give me specifics? (I don't care about the 1 US-cent that's left, keep it as a tip)

Also something strange:
Added funds 1xx.xx USD 1.xx USD <-- the second number = commissions.
WTF?! Why did I get charged commissions for sending money on MtGox suddenly?

Commission % is displayed as 0% by the way... and was at 0% (now it's been changed to 1%!) back then.

Littleshop (Legendary) | June 16, 2011, 11:32:13 PM | #68

Quote from: Bitcoin7.com
davout did you see a real result of the "exploit"? Yes or No?

I will say that while this may revolt you.......

You should pay DAVOUT for the work he has done even though you did not contract with him.  You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so). 

I love the idea of an additional exchange, the more the better.  But we need them to be secure.  It is not just about the fees.

cuddlefish (Sr. Member) | June 16, 2011, 11:33:57 PM | #69

Quote from: Littleshop
Quote from: Bitcoin7.com
davout did you see a real result of the "exploit"? Yes or No?

I will say that while this may revolt you.......

You should pay DAVOUT for the work he has done even though you did not contract with him. You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so).

I love the idea of an additional exchange, the more the better. But we need them to be secure. It is not just about the fees.

I reported the exploit and posted the POC.

No, I won't work for them. I don't need that on my rep. If they want to give me BTC, that'd be great.
davout (Legendary) | June 17, 2011, 06:07:22 AM | #70

Quote from: Littleshop
You should pay DAVOUT for the work he has done

I just posted code to exploit the vulnerability to show how simple it was.

Bitcoin7.com (Newbie) | June 17, 2011, 06:55:59 AM | #71

How simple is what? The exploit should bring result, right? We tested it and there was no result. (we saw you tested it too, selling 1 BTC for 1$ -> if it was you, you made someone very happy :))

Did you have any result? Yes or no?


P.S. We offered cuddlefish to test additionally for us, but he preferred to spam the forum with his first discovery. Pity this was more important to him.
cuddlefish (Sr. Member) | June 17, 2011, 08:16:37 AM | #72

Quote from: Bitcoin7.com
How simple is what? The exploit should bring result, right? We tested it and there was no result. (we saw you tested it too, selling 1 BTC for 1$ -> if it was you, you made someone very happy :))

Did you have any result? Yes or no?

P.S. We offered cuddlefish to test additionally for us, but he preferred to spam the forum with his first discovery. Pity this was more important to him.

Okay, the next time I see an error that lets you steal all your Bitcoins, I won't tell you, wait a day, then tell #bitcoin-cabal and PM you, then wait a few hours and post it on the forums. I'll just let the black-hats handle /that/.

Security > Usability > Good graphics.

You're great at #2 and #3. #1.... not so much.
jerfelix (Sr. Member) | June 17, 2011, 08:22:46 AM (last edit: June 17, 2011, 08:36:33 AM by jerfelix) | #73

Quote from: Bitcoin7.com
How simple is what? The exploit should bring result, right? We tested it and there was no result. (we saw you tested it too, selling 1 BTC for 1$ -> if it was you, you made someone very happy :))

Did you have any result? Yes or no?

P.S. We offered cuddlefish to test additionally for us, but he preferred to spam the forum with his first discovery. Pity this was more important to him.

I appreciate that cuddlefish and davout point out publicly that there are issues.   Other users need to know that.  

I also think that their quick examples were pretty clear to experts, but can be confusing for novices.  So let me try to explain.  Maybe this will help you fix the issues.

Picture this scenario:  Someone logs into your site, and leaves it logged in, while they are, say um, reading bitcoin forums for example.  That doesn't seem too far fetched, does it?  And then they read a forum post that has an interesting link in it.  And they click on that link.  Maybe the post reads "Here's what you REALLY need to know about Bitcoin7's security" and then has a tiny url.  The user clicks on the link, and they are taken to a page on some remote server that POSTS to your site an instruction to sell bitcoins for a dollar.

Bam.  They have been exploited.  All because you have a vulnerability in your site.  
Or worse, it could post to a page that transfers Bitcoins to a particular Bitcoin Address.


See how serious that is?

Davout and cuddlefish, please correct me if I didn't describe that correctly.

Now, cuddlefish gave a WORKING demonstration, but he put "!!!" in the URL so that someone didn't click it by accident.  But if you were signed into your Bitcoin7 account in one tab, while you clicked on his link in another, you would have transmitted funds to instawallet.   Pretty scary.

Got it?
Don't minimize the advice that you are getting here.  This is a sharp group. They may not be explaining things at novice level, but do NOT assume you have nothing to learn from others!  Very risky!
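jerfelix's scenario written out end to end, as an added example. This is not Bitcoin7's code and not cuddlefish's or davout's proof of concept; it is a framework-free Python sketch in which the exchange origin, the /sell endpoint, the form field names, the session store and the attacker's page are all assumed. The vulnerable handler accepts any POST that arrives with a valid session cookie, which is exactly what the browser sends when a logged-in user loads the remote page; the hardened handler adds a per-session token the other origin cannot read, plus an Origin check as a second line.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://exchange.example"   # assumed exchange origin
ATTACKER_ORIGIN = "https://evil.example"   # assumed host behind the "interesting link"

# The remote page the victim is sent to. Nothing is shown; the form submits
# itself, and the browser attaches the victim's exchange cookie to the POST.
ATTACKER_HTML = f"""<form id="f" method="POST" action="{SITE_ORIGIN}/sell">
  <input type="hidden" name="amount" value="1">
  <input type="hidden" name="price" value="1">
</form><script>document.getElementById("f").submit()</script>"""


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
ORDERS = []     # (user, amount, price) accepted by the handlers below


def login(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def sell_vulnerable(req):
    """Checks only the method and the session cookie. Browsers send the
    cookie on cross-site form posts too, so the attacker's page passes."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403
    ORDERS.append((sess["user"], req.form["amount"], req.form["price"]))
    return 200


def sell_hardened(req):
    """Same handler plus two checks a foreign page cannot satisfy: a
    per-session token it cannot read, and, when the browser sends an
    Origin header, a match against the site's own origin."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403
    ORDERS.append((sess["user"], req.form["amount"], req.form["price"]))
    return 200


def cross_site_post(victim_sid):
    """What reaches /sell after a logged-in victim loads ATTACKER_HTML
    (pre-SameSite cookie behaviour assumed: the cookie travels along)."""
    return Request("POST", {"session": victim_sid},
                   {"amount": "1", "price": "1"},
                   {"Origin": ATTACKER_ORIGIN})


def same_site_post(sid):
    """The exchange's own sell form, which embeds the session's token."""
    return Request("POST", {"session": sid},
                   {"amount": "1", "price": "1", "csrf_token": SESSIONS[sid]["csrf"]},
                   {"Origin": SITE_ORIGIN})


def run_demo():
    ORDERS.clear()
    victim = login("victim")
    return {
        "vulnerable_handler_cross_site": sell_vulnerable(cross_site_post(victim)),
        "hardened_handler_cross_site": sell_hardened(cross_site_post(victim)),
        "hardened_handler_own_form": sell_hardened(same_site_post(victim)),
        "orders_placed": len(ORDERS),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
    print("orders:", ORDERS)
```

If the sell or transfer action also works over GET, the attacker needs no form at all, just an image tag pointing at the URL, which is why cuddlefish's one-link demonstration is the case to test first. The token is the primary control; the Origin check is only a backstop, since not every browser sends that header on every request.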
Nescio (Jr. Member) | June 17, 2011, 08:52:44 AM | #74

if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
it's yours that i'm going to exploit for the lulz

That's a disturbing image :)

Quote from: Bitcoin7.com
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Let me reshuffle that sentence for you: "We had flaws, we were not ready for the start yesterday. We still have, we are still not ready for the start today."

(good thing about that: it's reusable)
FooDSt4mP (Full Member) | June 17, 2011, 01:21:18 PM | #75

Your constantly dismissive attitude is not reasonable when there are serious concerns being raised.  Security is crucial when dealing with other people's money.  Especially when transactions are irreversible.  Instead of "it's not a problem", try "thanks for the report, I'll have my engineers look at it".  Davout, cuddlefish, and others are donating their time to help you get your issues straightened out.  Please be more respectful of their knowledge.  To me, dismissive hand waving is worse than no response.

finnthecelt (Full Member) | June 17, 2011, 07:45:12 PM | #76

Quote from: FooDSt4mP
Your constantly dismissive attitude is not reasonable when there are serious concerns being raised. Security is crucial when dealing with other people's money. Especially when transactions are irreversible. Instead of "it's not a problem", try "thanks for the report, I'll have my engineers look at it". Davout, cuddlefish, and others are donating their time to help you get your issues straightened out. Please be more respectful of their knowledge. To me, dismissive hand waving is worse than no response.

I'm quite certain they respect the security issues being brought about but try and be understanding. B7 is getting attacked on all fronts and trying to cooperate when dealing with many personality types from different cultures.

They are being accused of many things and being called names so of course there will be some defensiveness.

Professionalism is also in the delivery of a message not in the receipt solely. Let's tone down the rhetoric, offer advice and hold them accountable. More progress will be made and we will have another respectable exchange.
jakemates (Member) | June 17, 2011, 07:50:33 PM | #77

Caught them using sockpuppets.
cuddlefish (Sr. Member) | June 17, 2011, 07:57:46 PM | #78

Quote from: jakemates
Caught them using sockpuppets.

They also CSRF'd Witcoin. Bit ironic, really.
Littleshop (Legendary) | June 17, 2011, 08:23:08 PM | #79

Quote from: davout
Quote from: Littleshop
You should pay DAVOUT for the work he has done

I just posted code to exploit the vulnerability to show how simple it was.

ok :)

cronopio (Newbie) | June 18, 2011, 04:01:19 AM | #80

Quote from: davout
Check his source, oh, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better ;))

Yeah! I love bitcoin-central.com, it's a really good RoR app.