Bitcoin Forum
Topic: Coinone Critical Vulnerabilities
CBLS (OP), Newbie (Activity: 9, Merit: 0)
January 11, 2018, 11:19:32 AM
#1

Hello friends,

I am an ethical hacker. I found vulnerabilities on Coinone. I sent a report 2 months ago for the first vulnerability.

Response of Coinone (2 months ago):
Thank you for the contact. We have an internal bug bounty program; we'll review your bug and arrange a price. We have a rule for the price depending on the impact. Please send us your report.

Response of Coinone (1 month ago):
We have been checking your mail with our own team and security partner.
So we need a meeting with our council and reward program.

A month has passed... I wrote to them 3 times to remind them. Coinone doesn't answer, hasn't fixed the vulnerability and didn't send me a bug bounty.
So, I didn't tell them about the second vulnerability (SQLi).

Your memberships aren't safe!
leveler, Member (Activity: 93, Merit: 10)
January 12, 2018, 02:34:04 AM
#2

Is this right?
CBLS (OP), Newbie (Activity: 9, Merit: 0)
January 12, 2018, 11:27:28 PM
#3

Absolutely. I have worked with Poloniex before and Mr. Tristan sent 0.5 BTC as a bug bounty.
But Coinone didn't fix the vulnerability... A month has passed. A blackhat can hack many user accounts.
I will share the first vulnerability here within 24 hours. People have to get their own security. This is not a disclosure, it is purely good faith.
CBLS (OP), Newbie (Activity: 9, Merit: 0)
January 22, 2018, 10:05:28 PM
#4

First Vulnerability:
CWE-601: URL Redirection to Untrusted Site
https://coinone.co.kr/language/?code=en&next=https://attacker.org
POC: https://www.youtube.com/watch?v=N74jnUVUccw

Next video will be for SQLi (within 24 hours).
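The report above is a classic open redirect: the language-switch endpoint forwards the browser to whatever `next` says. The fix on the server side is to validate that parameter before redirecting. The following is an added example (not code from the thread, from Coinone, or from the reporter) of such a check; the trusted host names are an assumption taken from the URL in the report, and it covers the usual parser-confusion inputs (scheme-relative `//host`, `///host`, userinfo and suffix-host tricks, backslashes, non-http schemes), not only the literal case shown.

```python
# Added example, not code from the thread or from Coinone: a server-side check for a
# "next" redirect parameter, as in the reported /language/?code=en&next=... endpoint.
# The trusted host names are an assumption taken from the URL in the report.
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOSTS = {"coinone.co.kr", "www.coinone.co.kr"}  # assumed allow-list


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return next_param if it stays on a trusted host, otherwise `default`.

    Accepts only (a) a site-relative path beginning with a single "/" or
    (b) an absolute http(s) URL whose host is exactly one of TRUSTED_HOSTS.
    """
    s = (next_param or "").strip()
    if not s:
        return default
    # Whitespace, control characters and backslashes are how browsers and URL
    # parsers get talked into disagreeing about the host; refuse them outright.
    if any(c.isspace() or ord(c) < 0x20 for c in s) or "\\" in s:
        return default
    try:
        parts = urlsplit(s)
    except ValueError:          # e.g. malformed IPv6 brackets
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default          # javascript:, data:, etc. are not web redirects
    if parts.netloc:
        # Absolute URL: require an exact host match (no suffix/prefix tricks such as
        # coinone.co.kr.attacker.org) and no userinfo (coinone.co.kr@attacker.org).
        if "@" in parts.netloc or (parts.hostname or "") not in TRUSTED_HOSTS:
            return default
        return s
    # No authority component: must be a plain site-relative path. Browsers treat
    # "//host" and even "///host" as scheme-relative, so insist on exactly one "/".
    if not s.startswith("/") or s.startswith("//"):
        return default
    return s


def redirect_for_language_switch(query_string: str) -> str:
    """Resolve the `next` field of a query string like `code=en&next=...`."""
    params = parse_qs(query_string, keep_blank_values=True)
    return safe_redirect_target(params.get("next", [""])[0])
```

With this check in place the reported query string `code=en&next=https://attacker.org` resolves to the site root instead of the off-site URL, while a relative `next=/account` still works.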
leveler, Member (Activity: 93, Merit: 10)
January 23, 2018, 04:00:02 AM
#5

Next video will be for SQLi?

I'm waiting for proof.
CBLS (OP), Newbie (Activity: 9, Merit: 0)
January 23, 2018, 10:11:33 AM
#6

Quote from: leveler on January 23, 2018, 04:00:02 AM
Next video will be for SQLi?

I'm waiting for proof.

Yes. Type of SQLi: time-based (stacked queries) + DNS exfiltration. Run, Forrest, run!
Please don't send private messages. No sale. I will continue to share from here.