COINITRAGE - SECURITY WARNING - MUST READ!

[UGMZ]

WARNING

I contacted coinitrage about a security issue on there site. Its quite a serious issue. But they basically said to me go ahead take us down..

Now, any "legit" business would be red alert if someone pointed out a security vuln on there site. Especially if it could effect its users!

Would you like to see the reply?  see below.

http://postimg.org/image/b1afpao2n/
https://postimg.org/image/dj73krm3h/

Further to this if this was a legit company then why would they be running with Java error's ?  There is 1 red flag

http://postimg.org/image/k77n3643d/

2nd lets see how long they have been "in the game" as they say..

https://postimg.org/image/fk4ylt1ox/

Not long..

Further to this there security is almost ZERO!  With some editing I could very easy have fully access to there cpanel! I already have the email to reset the password without too much trouble..

https://postimg.org/image/9jevjj9al/

I posted a warning in there topic but they are "self moderating" the topic and removed it so I decided I would post here to make everyone aware.
see here..

http://postimg.org/image/tipxqd18d/

Would you trust a bank or investment company with such Lax approach to your security? I think not.

Let me finish off by saying.. You should be VERY careful investing in this site.. Looks like a Ponzi scam!

Further to this they state exactly how much they have taken in deposits.  The site has only been active since the start of December.. and from my calculations from all there crypto they have supposedly taken in over $300,000!  Smell fishy? I think so!

My advice keep your coins. Go learn to trade on kraken or some other trading platform yourself.. It's not rocket sicence and you stay in control of you own funds at all time not risking someone "running" with your funds...

[1713489208]

1713489208

[1713489208]

1713489208

[juraviel]

They already responded to this, there's no vulnerability. You wannabe hacker don't get it? Stop spamming.

[UGMZ]

They already responded to this, there's no vulnerability. You wannabe hacker don't get it? Stop spamming.

They never responded.. they deleted the topic and dismissed the claims.

Lol. Wanna be?  

OSCE, OSCE, & OSEE trained..

Only a fool would trust this site.!

PS.. You already have neg rating for helping ponzi scammers backing up there claims.. Just need to look at your post's to see its 100% true what crypto devil has left you neg for!

[juraviel]

That's funny, because you have reds too, I got mine because I said I would invest in a site, that's all the "help" I did. Cryptodevil is gone now, and he was a judgmental moron.

[UGMZ]

That may be true. But there site dose have security issues.  and the fact they told me basically we don't care.. what kind of message is that to send out??

By all means send your money to them.. I doubt you will see it back.

Good luck.

(I also have - rating for asking for a loan and not reading the "terms" ) but I will have it removed in the near future

[supermoney]

coinitrage.com is also vulnerable to SYN flood and HTTP DDoS, hosted at namecheap.com
Have you noticed how slow is database at processing queries? The DataTables proves it 

[UGMZ]

Thank you.. Someone else who know's what there talking about.. They have many errors.. Also just look how the admin responded to my message..

Dose that seem like a "legit" admin?

Also they keep deleting my posts from there topics..

[UGMZ]

A message from the Coinitrage.com Admin

1. Anyone can do a Whois lookup to know we are not hosted at namecheap, we are DDOS protected on a dedicated server
2. These "vulnerabilities" are not of high priority, why? Because they are not financial vulnerabilities. We put as much time and effort as possible into testing the financial side of the platform, not some petty issues such as viewing our cPanel login page like the OP has pointed out.

We would also like to point out that this user approached us in the most hostile way possible, with his opening statement being along the lines of "you better fix your security holes before someone takes you down"

We did not see any benefit communicating with this user, since he opened with a threat, so we ended the chat as soon as possible....and this is how we treat most live supports that threaten our clients and our work.

All funds are safe, and always will be, our platform is completely financially secure. Do not believe FUD.

1. At no point did I threaten your staff.  I contacted you as a matter of urgency to let you know.  You should be aware that ANY vulnerability is a risk! the fact your now saying you know you have them but there not financial related is very concerning.

2. I did not say you better fix it before someone takes your down.. I said its important before some hacker comes along and takes your down.. which is true!

3. you send back the worst reply I've seen from a supposed "legit" service. saying go ahead and try.. Dose that sound like something a responsible site admin would say?

4. I don't think you even know the holes you have in your system the fact you can't even fix the .js error thats "constantly" poping up tells me this is a script site you have bought from some hyip seller and have absolute no knowledge of networking or website security!

5. Your dealing with people MONEY! any website error should be looked into and fixed or you should take down the site until you are 100% sure that EVERY possible hole is fixed.. The fact you admit you have vulns and you don't really care rings alarm bells....

6. The fact I was so blunt in chat was I was shocked to find what I did.. and then reading all the people who have been sending you money something had to be said... You shot me down in flames and have yet to even ask me what issues I found.. which is also very concerning....

I look forward to your reply.......

UGMZ

[UGMZ]

They already responded to this, there's no vulnerability. You wannabe hacker don't get it? Stop spamming.

Oh look... The admin ADMIT they have issues....So do your homework before you come here and talk utter shite....

[kelevra]

A message from the Coinitrage.com Admin

1. Anyone can do a Whois lookup to know we are not hosted at namecheap, we are DDOS protected on a dedicated server
2. These "vulnerabilities" are not of high priority, why? Because they are not financial vulnerabilities. We put as much time and effort as possible into testing the financial side of the platform, not some petty issues such as viewing our cPanel login page like the OP has pointed out.

We would also like to point out that this user approached us in the most hostile way possible, with his opening statement being along the lines of "you better fix your security holes before someone takes you down"

We did not see any benefit communicating with this user, since he opened with a threat, so we ended the chat as soon as possible....and this is how we treat most live supports that threaten our clients and our work and more importantly our staff who work as hard as possible to maintain satisfaction of our clients who do not deserve this treatment, which is why I recommended that response to them.

All funds are safe, and always will be, our platform is completely financially secure. Do not believe FUD.

http://whois.domaintools.com/coinitrage.com
"coinitrage.com - Registered at Namecheap.com"
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
https://www.google.ru/?gws_rd=ssl#q=DNS1.REGISTRAR-SERVERS.COM

[UGMZ]

1. I don't use my home machine for anything. I have a pentesting machine setup for my work (Employed as a IT security engineer)

2. I am not a customer of your site so your TOS mean's absolutely nothing to me.

3. I am not hiding away but informing you of your issues like any good pen-tester should do. ( i would even go so far to speak to you on the phone if you prefer)

4. I still think you are unaware of "all" your issues.  I have never used any exploit against your site and I don't plan to.

5. I understand that you probably get messages all the time about getting hacked or people trying to extort money from your service but if your not careful someone will exploit your site and you might loose funds...

6. I understand you say you keep funds in cold storage.. how can you make money for customers with funds in cold storage?? also when a customer sends you funds they are not in "cold storage" right away. You have to put them there.  And thats the point where you need to be 100% that you have no issues.

7. If you really cared about anything I was saying about this you would of send me a PM asking about it.. The fact your here arguing or defending yourself just dose not sit right with me..

For now I'll let this topic drop. But when the shutter slam down on this site or your posting to your customers you had a breach ill be sitting back laughing saying " I did warn them"

Thanks and good luck..

UGMZ

[UGMZ]

Here is your WHOIS.  From command line....

Code:

@MyComputer:~$ whois coinitrage.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: COINITRAGE.COM
   Registrar: ENOM, INC.
   Sponsoring Registrar IANA ID: 48
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: DNS1.REGISTRAR-SERVERS.COM
   Name Server: DNS2.REGISTRAR-SERVERS.COM
   Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Updated Date: 06-dec-2016
   Creation Date: 03-dec-2015
   Expiration Date: 03-dec-2017

>>> Last update of whois database: Tue, 27 Dec 2016 23:08:43 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.


Domain Name: COINITRAGE.COM
Registry Domain ID: 1985370713_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2016-12-06T02:43:13.00Z
Creation Date: 2015-12-03T12:14:00.00Z
Registrar Registration Expiration Date: 2017-12-03T12:14:39.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 0
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 47243A39FB944DE9938464EE35E7806A.PROTECT@WHOISGUARD.COM
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: 0
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: 47243A39FB944DE9938464EE35E7806A.PROTECT@WHOISGUARD.COM
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: 0
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: 47243A39FB944DE9938464EE35E7806A.PROTECT@WHOISGUARD.COM
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unSigned
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252982646
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-12-06T02:43:13.00Z <<<

For more information on Whois status codes, please visit https://icann.org/epp


The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information
available "as is," and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to: (1)
enable high volume, automated, electronic processes that stress or load
this whois database system providing you this information; or (2) allow,
enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic
mail, or by telephone. The compilation, repackaging, dissemination or
other use of this data is expressly prohibited without prior written
consent from us. 

We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002

[kelevra]

A message from the Coinitrage.com Admin

1. Anyone can do a Whois lookup to know we are not hosted at namecheap, we are DDOS protected on a dedicated server
2. These "vulnerabilities" are not of high priority, why? Because they are not financial vulnerabilities. We put as much time and effort as possible into testing the financial side of the platform, not some petty issues such as viewing our cPanel login page like the OP has pointed out.

We would also like to point out that this user approached us in the most hostile way possible, with his opening statement being along the lines of "you better fix your security holes before someone takes you down"

We did not see any benefit communicating with this user, since he opened with a threat, so we ended the chat as soon as possible....and this is how we treat most live supports that threaten our clients and our work and more importantly our staff who work as hard as possible to maintain satisfaction of our clients who do not deserve this treatment, which is why I recommended that response to them.

All funds are safe, and always will be, our platform is completely financially secure. Do not believe FUD.

http://whois.domaintools.com/coinitrage.com
"coinitrage.com - Registered at Namecheap.com"
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
https://www.google.ru/?gws_rd=ssl#q=DNS1.REGISTRAR-SERVERS.COM

Why don't you go ahead and pull a recent hosting whois instead of one from over 6 months ago....We are on a dedicated IP. There is no way we would be able to run on shared hosting at namecheap with the amount of DDOS attempts we receive.
Regarding point six, as I mentioned cold storage and exchanges, exchanges being where we work and cold storage for excess we do not need to use.
We are happy to drop the "argument".

For the love of Linux: http://www.viewdns.info/dnsreport/?domain=coinitrage.com
Whois is usually updated within 72 hours and you've talked about 6 months...  

[UGMZ]

Ok..

You say you bought hosting a year ago for testing? correct?

So you have had 1 year to fix these issues.

Seems like your telling porkies to cover your ass..

Your telling me for a year you have had a error in you .JS that throws up errors in the browser and you have been testing for a year?

Further to this you have vulns that you admitted to.. You say they are "non financial related" but one small vuln can lead to much bigger ones.. Look at Bitfinex and MTGox.. they lost fund's and Ill tell you this they had a lot more money are resources that you do.. and they were hacked..

650,000 bitcoins, still to this day remain unaccounted for from those hacks.. Yet you seem to proclaim your "financial" side of things is tighter than a nuns chuff... Which I doubt!

Dose not sound like a year of development to me..  Seems like less than 1 month and a purchase of a HYIP script from someone thats been edited and bits added onto..

I have taken all the code from your site. And when I find another site using the same code I will expose your ass for what you are... A ponzi scam... plain and simple...

[UGMZ]

Time will tell but something tells me you will be long gone when the crying in your topic starts..

Or when you realized you site's been compromised. what ever comes first.

You can pop back over to your self moderated topic and delete everones comments that you like but you can't stop us talking in here hence I made this topic in the first place. Since you delete anyone's comments who speak out about you. (covering you ass thats called)

Any legit service would answer each and every comment... Not delete them the second there posted.

PS.. You still ain't asked what I found on your site.. Which shows you really don't care because you don't know how to fix anything on that script..

[UGMZ]

1. at no point have I threatened you.. Or your service.. I had a genuine concern and your "support" staff basically told me go ahead hack us...
Do you not find that threating? Or intimidating?

2. If your asking me now to disclose what I found then I won't be doing it in some insecure chat app. Supply me with a official email address where you can be contacted and I will send you a report (like I do with my customers) with the full information on the vuln's and further to that a solution to your issues.

3. I'm not here to wreck your reputation but when your dealing with customers funds I would of though you would of taken a more mature and responsible manner. I understand that the way I burst into the chat to warn your staff might of come across a bit hostile but to be honest your staff should of said. please direct the relevant information to xxxx@coinitrage.com   not "go ahead hack us!"

4. the reason I didn't want to message you in private was down the the fact the way your staff replied (all be it you get many messages like this) they showed no concern what so ever to the matter so why shouldn't I warn the users if the staff show no interest. hence my multiple post's on your topic and that eventually lead to the creation of this topic.

5. I think your customers would be more happy to see you taking on board some quite serious concerns regarding your site rather than dismiss it and make out that your " super secure"  there is nothing wrong with having issues on a new site every site has them but when issues arise instead of sweeping it under the carpet man up and take the advice when give and show your willing to fix them..

I Will send you over a email regarding this and we can continue this and hopefully resolve your issues for the sake of your customers and reputation. the last thing you want is someone like a blackhat seizing control when you could of protected yourself prior.

[kelevra]

Since he's deleted my post on their thread, and I see no reason to do it because "it is not a Ponzi scheme", I quote it here:

This is gonna be your last 24 hours max because you paid too much in terms of profit and transaction fees, also because tomorrow's income must be +10 BTC whether you want to run another 2-3 days without suffering losses.
However, it won't happen because we're near to new year and most of the people will be away (including me for a week  ). Happy earnings OP, you're gonna pass a nice new year I guess.

[Slow death]

Since he's deleted my post on their thread, and I see no reason to do it because "it is not a Ponzi scheme", I quote it here:

This is gonna be your last 24 hours max because you paid too much in terms of profit and transaction fees, also because tomorrow's income must be +10 BTC whether you want to run another 2-3 days without suffering losses.
However, it won't happen because we're near to new year and most of the people will be away (including me for a week  ). Happy earnings OP, you're gonna pass a nice new year I guess.

OP stole all coins

[wPocho1]

hi everybody i have invested about 700 dollars in Coinitrage and till yesterday they had always paid me my 1 percent but since this morning the countdown of the next payment is down as the coinitrage support....
anyone has the same problem? are you receiving your payments?

[juraviel]

hi everybody i have invested about 700 dollars in Coinitrage and till yesterday they had always paid me my 1 percent but since this morning the countdown of the next payment is down as the coinitrage support....
anyone has the same problem? are you receiving your payments?

No. You can see on the list of payments they haven't paid anybody for last ~24 hours. It's unlikely they will resume payouts as there was no news from them whatsoever. This is what happens with ponzis, eventually they collapse, it is inevitable. For your sake I hope you are a person that can afford to waste $700, or at least that you got some of that back. Painful way to learn that lesson I know, but, it happens every-single-time. I was lucky enough to make a profit with them but, it seems all that ended (as was known from the beginning that it eventually would).