Byte-Gox (OP)
Member
Offline
Activity: 70
Merit: 10
|
|
April 12, 2013, 12:40:45 PM Last edit: April 12, 2013, 01:27:21 PM by Byte-Gox |
|
Goog morning guys, We are very happy to announce the release of the exchange ( http://exchange.bytecoin.in) It is still rough but the background is highly functional, but like in all betas, bugs are likely to show up. Please use this thread to post all your feedback about the exchange and what changes/improvements you would like to see. Enjoy! Edit: IT experts, please test the site for security vulnerabilities. We want to make sure the exchange is rock solid. Thanks in advance
|
|
|
|
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
|
|
April 12, 2013, 12:44:10 PM |
|
BTE<->BTC?
|
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
|
|
|
Byte-Gox (OP)
Member
Offline
Activity: 70
Merit: 10
|
|
April 12, 2013, 12:51:18 PM |
|
Correct!
|
|
|
|
|
Byte-Gox (OP)
Member
Offline
Activity: 70
Merit: 10
|
|
April 12, 2013, 01:26:41 PM |
|
IT experts, please test the site for security vulnerabilities. We want to make sure the exchange is rock solid. Thanks in advance
|
|
|
|
grc
Newbie
Offline
Activity: 40
Merit: 0
|
|
April 12, 2013, 02:08:51 PM Last edit: April 12, 2013, 02:22:03 PM by grc |
|
IT experts, please test the site for security vulnerabilities. We want to make sure the exchange is rock solid. Thanks in advance
Trying to withdraw without any money gives a fatal error. Also, I'd replace "username doesn't exist" and "incorrect password" with a less revealing message like "invalid username/password combination", but that's just me being fussy.
|
|
|
|
grc
Newbie
Offline
Activity: 40
Merit: 0
|
|
April 12, 2013, 02:55:57 PM Last edit: April 12, 2013, 03:31:08 PM by grc |
|
DO NOT USE THIS SITE YET
It is vulnerable to cross-site request forgery.
This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).
Not to mention that in the process of testing it my 0.5 BTE magically turned into 0.005 BTE. I made one order to sell 0.5 BTE at a price of 0.1 (BTC per BTE I presume, but I can't be sure since are no units given for the price, amount or total). When I cancelled it, I only got 0.05 BTE back. I did a similar thing again and it further reduced my balance to 0.005 BTE.
So I'd definitely recommend avoiding this site for now/ever.
|
|
|
|
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
|
|
April 12, 2013, 03:17:08 PM |
|
DO NOT USE THIS SITE
It is vulnerable to cross-site request forgery.
This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).
Not to mention that in the process of testing it my 0.5 BTE magically turned into 0.005 BTE. I made one order to sell 0.5 BTE at a price of 0.1 (BTC per BTE I presume, but I can't be sure since are no units given for the price, amount or total). When I cancelled it, I only got 0.05 BTE back. I did a similar thing again and it further reduced my balance to 0.005 BTE.
So I'd definitely recommend avoiding this site for now/ever.
Best way to fix csrf is to use POST more(with some hidden randomly generated tokens) for most stuff, and less GET requests with dynamic data.
|
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
|
|
|
crazy_rabbit
Legendary
Offline
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
|
|
April 12, 2013, 03:25:31 PM |
|
DO NOT USE THIS SITE
It is vulnerable to cross-site request forgery.
This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).
Not to mention that in the process of testing it my 0.5 BTE magically turned into 0.005 BTE. I made one order to sell 0.5 BTE at a price of 0.1 (BTC per BTE I presume, but I can't be sure since are no units given for the price, amount or total). When I cancelled it, I only got 0.05 BTE back. I did a similar thing again and it further reduced my balance to 0.005 BTE.
So I'd definitely recommend avoiding this site for now/ever.
Wow you're a real jerk considering they asked for help pointing out security vulnerabilities and you go all ape-shit on them with your enormous red font.
|
more or less retired.
|
|
|
grc
Newbie
Offline
Activity: 40
Merit: 0
|
|
April 12, 2013, 03:30:00 PM |
|
Wow you're a real jerk considering they asked for help pointing out security vulnerabilities and you go all ape-shit on them with your enormous red font.
Sorry. I just don't want other people to lose money like I did.
|
|
|
|
Byte-Gox (OP)
Member
Offline
Activity: 70
Merit: 10
|
|
April 12, 2013, 03:31:23 PM |
|
Wow you're a real jerk considering they asked for help pointing out security vulnerabilities and you go all ape-shit on them with your enormous red font.
Sorry. I just don't want other people to lose money like I did. How much did you lose? Post your address
|
|
|
|
grc
Newbie
Offline
Activity: 40
Merit: 0
|
|
April 12, 2013, 03:34:47 PM |
|
Wow you're a real jerk considering they asked for help pointing out security vulnerabilities and you go all ape-shit on them with your enormous red font.
Sorry. I just don't want other people to lose money like I did. How much did you lose? Post your address Not much at all. I just used a tiny bit while testing and lost almost most of it, so I wanted to warn others. I apologise if I was rude about it before.
|
|
|
|
saigo
|
|
April 12, 2013, 03:47:08 PM |
|
|
Saigō Takamori : ( 1828 – 1877) was one of the most influential samurai in Japanese history. He has been dubbed the last true samurai.
|
|
|
brie
|
|
April 12, 2013, 04:47:31 PM |
|
DO NOT USE THIS SITE YET It is vulnerable to cross-site request forgery.
This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).
I have an easy solution for the exchange to fix the biggest problem there. Simply allow users to lock their payment address.
|
|
|
|
Rubberduckie
Legendary
Offline
Activity: 1442
Merit: 1000
|
|
April 12, 2013, 06:34:36 PM |
|
Goog morning guys, We are very happy to announce the release of the exchange ( http://exchange.bytecoin.in) It is still rough but the background is highly functional, but like in all betas, bugs are likely to show up. Please use this thread to post all your feedback about the exchange and what changes/improvements you would like to see. Enjoy! Edit: IT experts, please test the site for security vulnerabilities. We want to make sure the exchange is rock solid. Thanks in advance nice work Sir
|
|
|
|
Rubberduckie
Legendary
Offline
Activity: 1442
Merit: 1000
|
|
April 12, 2013, 07:25:20 PM |
|
Deposits and payouts work fine
|
|
|
|
jhd
|
|
April 12, 2013, 09:17:05 PM |
|
Thanx for it i try it soon
|
|
|
|
Byte-Gox (OP)
Member
Offline
Activity: 70
Merit: 10
|
|
April 12, 2013, 09:34:24 PM |
|
Welcome guys!
|
|
|
|
blastbob
|
|
April 12, 2013, 10:05:12 PM Last edit: April 12, 2013, 10:15:28 PM by blastbob |
|
I am buying 3750 BTE! fill my order please.
|
Bitrated user: blastbob.
|
|
|
dust
|
|
April 12, 2013, 11:06:40 PM Last edit: April 21, 2013, 09:24:14 PM by dust |
|
DO NOT USE THIS SITE YET It is vulnerable to cross-site request forgery.
This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).
I have an easy solution for the exchange to fix the biggest problem there. Simply allow users to lock their payment address. The correct solution is to protect against all CSRF attacks. I also recommend avoiding this site completely until this critical issue is fixed. Any site you visit in the same browser could steal your entire balance with absolutely zero interaction from you.EDIT: FIXEDFunny, the first thing I thought of after seeing this site was "it is probably vulnerable to CSRF".
|
|
|
|
|