Bitcoin7 a new exchange

[cuddlefish]

We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.

Soo. if it couldn't be used, what was there to FIX?

[1713559095]

1713559095

[1713559095]

1713559095

[1713559095]

1713559095

[ryepdx]

You're salting and hashing your user's passwords before storing them in your database, right?

[davout]

Just to mention that we are monitoring the topic closely, without taking part of it as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reaction.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!

I don't speculate, I point at hard facts.
You were vulnerable to one identified CSRF exploit, you fixed it, good.

You still didn't make any statement regarding the amounts storage, the options are :
 - "We use floats because we don't have a clue about handling money in a database"
 - "We now use decimals instead of floats because we understand the exact implications"

"we store amounts very precisely", "we're monitoring the site closely", "trust us!", "we don't want to communicate about it", "davout is mean", "<insert random marketing talk here>" are not acceptable answers.

I'm not making any assumption regarding your honesty, I'm making statements about technical matters and I have no problem being corrected if I happen to be wrong (see previous posts).

Now I suggest you get your code straight and be open about it.

We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

This is an outright lie. It was trivially exploitable.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.

more marketing talk...

You're salting and hashing your user's passwords before storing them in your database, right?

Check his source, of, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better )

[ryepdx]

Check his source, of, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better )

Hrm. Bcrypt, eh?

<plug>Oh, and BitcoinPouch.com is also open-source. I just haven't been plugging it much because I want to make sure it's well-tested and hardened before I expose it to the general public.</plug> Open source is good for that very reason. Plus it's nice to be able to fix, with your own hands, any security holes you notice instead of having to wait on someone else to do it.

[Bitcoin7.com]

davout did you see a real result of the "exploit"? Yes or No?

[davout]

davout did you see a real result of the "exploit"? Yes or No?

No. I saw code that was trivially exploitable.

This code got fixed because some honest people pointed it out previously in this very thread. (Did you thank them at all ? )

[Sukrim]

I was just looking for a way to delete my account and couldn't find any obvious was to do so... could you please give me specifics? (I don't care about the 1 US-cent that's left, keep it as a tip)

Also something strange:
Added funds 1xx.xx USD 1.xx USD <-- the second number = commissions.
WTF?! Why did I get charged commissions for sending money on MtGox suddenly?

Commission % is displayed as 0% by the way... and was at 0% (now it's been changed to 1%!) back then.

[Littleshop]

davout did you see a real result of the "exploit"? Yes or No?

I will say that while this may revolt you.......

You should pay DAVOUT for the work he has done even though you did not contract with him.  You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so). 

I love the idea of an additional exchange, the more the better.  But we need them to be secure.  It is not just about the fees.

[cuddlefish]

davout did you see a real result of the "exploit"? Yes or No?

I will say that while this may revolt you.......

You should pay DAVOUT for the work he has done even though you did not contract with him.  You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so). 

I love the idea of an additional exchange, the more the better.  But we need them to be secure.  It is not just about the fees.

I reported the exploit and posted the POC.

No, I won't work for them. I don't need that on my rep. If they want to give me BTC, that'd be great.

[davout]

You should pay DAVOUT for the work he has done

I just posted code to exploit the vulnerability to show how simple it was.

[Bitcoin7.com]

How simple is what? The exploit should bring result, right? We tested it and there was no result. (we saw you tested it too, selling 1 BTC for 1$ -> if it was you, you made someone very happy )

Did you have any result? Yes or no?


P.S. We offered cuddlefish to test additionally for us, but he preferred to spam the forum with his first discovery. Pity this was more important to him.

[cuddlefish]

How simple is what? The exploit should bring result, right? We tested it and there was no result. (we saw you tested it too, selling 1 BTC for 1$ -> if it was you, you made someone very happy )

Did you have any result? Yes or no?


P.S. We offered cuddlefish to test additionally for us, but he preferred to spam the forum with his first discovery. Pity this was more important to him.

Okay, the next time I see an error that lets you steal all your Bitcoins, I won't tell you, wait a day, then tell #bitcoin-cabal and PM you, then wait a few hours and post it on the forums. I'll just let the black-hats handle /that/.

Security > Usability > Good graphics.

You're great at #2 and #3. #1.... not so much.

[jerfelix]

How simple is what? The exploit should bring result, right? We tested it and there was no result. (we saw you tested it too, selling 1 BTC for 1$ -> if it was you, you made someone very happy )

Did you have any result? Yes or no?


P.S. We offered cuddlefish to test additionally for us, but he preferred to spam the forum with his first discovery. Pity this was more important to him.

I appreciate that cuddlefish and davout point out publicly that there are issues.   Other users need to know that.  

I also think that their quick examples were pretty clear to experts, but can be confusing for novices.  So let me try to explain.  Maybe this will help you fix the issues.

Picture this scenario:  Someone logs into your site, and leaves it logged in, while they are, say um, reading bitcoin forums for example.  That doesn't seem too far fetched, does it?  And then they read a forum post that has an interesting link in it.  And they click on that link.  Maybe the post reads "Here's what you REALLY need to know about Bitcoin7's security" and then has a tiny url.  The user clicks on the link, and they are taken to a page on some remote server that POSTS to your site an instruction to sell bitcoins for a dollar.

Bam.  They have been exploited.  All because you have a vulnerability in your site.  
Or worse, it could post to a page that transfers Bitcoins to a particular Bitcoin Address.


See how serious that is?

Davout and cuddlefish, please correct me if I didn't describe that correctly.

Now, cuddlefish gave a WORKING demonstration, but he put "!!!" in the URL so that someone didn't click it by accident.  But if you were signed into your Bitcoin7 account in one tab, while you clicked on his link in another, you would have transmitted funds to instawallet.   Pretty scary.

Got it?
Don't minimize the advice that you are getting here.  This is a sharp group. They may not be explaining things at novice level, but do NOT assume you have nothing to learn from others!  Very risky!

[Nescio]

if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!

it's yours that i'm going to exploit for the lulz

That's a disturbing image

We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Let me reshuffle that sentence for you: "We had flaws, we were not ready for the start yesterday. We still have, we are still not ready for the start today."

(good thing about that: it's reusable)

[FooDSt4mP]

Your constantly dismissive attitude is not reasonable when there are serious concerns being raised.  Security is crucial when dealing with other people's money.  Especially when transactions are irreversible.  Instead of "it's not a problem", try "thanks for the report, I'll have my engineers look at it".  Davout, cuddlefish, and others are donating their time to help you get your issues straightened out.  Please be more respectful of their knowledge.  To me, dismissive hand waving is worse than no response.

[finnthecelt]

Your constantly dismissive attitude is not reasonable when there are serious concerns being raised.  Security is crucial when dealing with other people's money.  Especially when transactions are irreversible.  Instead of "it's not a problem", try "thanks for the report, I'll have my engineers look at it".  Davout, cuddlefish, and others are donating their time to help you get your issues straightened out.  Please be more respectful of their knowledge.  To me, dismissive hand waving is worse than no response.

I'm quite certain they respect the security issues being brought about but try and be understanding. B7 is getting attacked on all fronts and trying to cooperate when dealing with many personality types from different cultures.

They are being accused of many things and being called names so of course there will be some defensiveness.

Professionalism is also in the delivery of a message not in the receipt solely. Let's tone down the rhetoric, offer advice and hold them accountable. More progress will be made and we will have another respectable exchange.

[jakemates]

Caught them using sockpuppets.

[cuddlefish]

Caught them using sockpuppets.

They also CSRF'd Witcoin. Bit ironic, really.

[Littleshop]

You should pay DAVOUT for the work he has done

I just posted code to exploit the vulnerability to show how simple it was.

ok 

[cronopio]

Check his source, of, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better )

Yeah!. I love bitcoin-central.com its a really good RoR App.