Bitbobb
|
|
November 06, 2018, 12:28:33 AM |
|
criminal scam exchange.
|
|
|
|
Saulich_Fedorovich
Newbie
Offline
Activity: 9
Merit: 0
|
|
November 10, 2018, 12:32:11 PM Last edit: November 10, 2018, 02:17:51 PM by Saulich_Fedorovich |
|
Sorry c-cex, but you don't seem to care about bug report tickets. Normally, even when you go on coinexchange.io, it's hard to find something vulnerable. But with c-cex, it's hard to find something protected on the client side.
For starters, everything is vulnerable to CSRF even with 2FA enabled: Wanna change someone else's chatname? It's possible to do it by making them click a link which triggers a POST to http://c-cex.com/?id=profile&rett=chat_b. Wanna write a chat message with an account you don't own? It's possible to do it by making them click a link which simply works through a GET request. You hacked the e-mail account linked to a c-cex account? Just make the target user click a link and you'll receive the confirmation link. You also don't need to log in to confirm the withdrawal (another vulnerability combined). In that case, the only thing protected against CSRF I found is posting limit orders. And even then it's still performed through GET requests. I also found that making someone lose all funds through clicking https://c-cex.com/?id=funds&dump=btc requires an origin matching c-cex.com. Though that's still possible to hide and trigger the target through a redirect. There is also their internal captcha system https://c-cex.com/cp.html?s=385353503 which is easy to solve fully automatically through things like IBM Watson or Google Cloud Vision with high success rates.
There are many ways to bypass users completely and steal funds directly from servers like with the recent attack (though I failed to see the vulnerability recently used by the attacker). The exchange is definitely less secure than Mt.Gox. There are even known bugs used in the past elsewhere that aren't fixed on the exchange (1 task when you are in charge of security is to read the news about recently discovered attack methods). Maybe they also run outdated third-party libraries too, but that's something to investigate.
The only thing positive over Mt.Gox is funds are correctly managed manually outside the lack of fund audits: they can't "find" a forgotten wallet like it happened with Mt.Gox since no wallets are susceptible to be forgotten. In some way, the bugs users are noticing with unexecuted withdrawals or disappearing deposits as well as disabled accounts are only the tip of the iceberg.
|
|
|
|
milewilda
Legendary
Offline
Activity: 3290
Merit: 1156
|
|
November 10, 2018, 05:52:58 PM |
|
But with c-cex, it's hard to find something protected on the client side. For starters, everything is vulnerable to CSRF even with 2FA enabled: Wanna change someone else's chatname? It's possible to do it by making them click a link which triggers a POST to http://c-cex.com/?id=profile&rett=chat_b. Wanna write a chat message with an account you don't own? It's possible to do it by making them click a link which simply works through a GET request. You hacked the e-mail account linked to a c-cex account? Just make the target user click a link and you'll receive the confirmation link. You also don't need to log in to confirm the withdrawal (another vulnerability combined). In that case, the only thing protected against CSRF I found is posting limit orders. And even then it's still performed through GET requests. I also found that making someone lose all funds through clicking https://c-cex.com/?id=funds&dump=btc requires an origin matching c-cex.com. Though that's still possible to hide and trigger the target through a redirect. There is also their internal captcha system which is easy to solve fully automatically through things like IBM Watson or Google Cloud Vision with high success rates.
These are indeed serious bypass that you had mentioned but it doesn't really matter at all yet this exchange do already fallen to scam anyone. I'm reading once in a while into this thread. I haven't seen any response of OP on what's happening and also reading up continuous complaints about account disabled and lost funds. Remembering C-cex glory days but they do end up like this after on that 3 months vacation alibi.
|
|
|
|
Saulich_Fedorovich
Newbie
Offline
Activity: 9
Merit: 0
|
|
November 10, 2018, 07:41:20 PM Last edit: November 10, 2018, 10:23:12 PM by Saulich_Fedorovich |
|
These are indeed serious bypass that you had mentioned but it doesn't really matter at all yet this exchange do already fallen to scam anyone.
Outside this, there are also weak practices like using MD5 based session cookies and not changing them across requests.
I'm reading once in a while into this thread. I haven't seen any response of OP on what's happening and also reading up continuous complaints about account disabled and lost funds.
What's happening? Do you remember how they were hacked in February 2014? Please notice how the last 9 September and the February 2014 are similar (both repeated the same withdrawal several times). Well it might not be the same guys as in 2014, but I think the hackers just found a variant of the same vulnerability in order to bypass the February 2014 protection which was put after the first attack. Without C-cex explaining how it exactly happened, we won't know.
Remembering C-cex glory days but they do end up like this after on that 3 months vacation alibi.
What glory days? Trust me, you can be sure even by 2014 security standards, that you wouldn't see GET requests on Facebook or Paypal. You can be sure those weaknesses exist since the beginning and aren't the result of a code update.
|
|
|
|
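Added example (not part of any post in this thread and not c-cex's code): the server-side controls whose absence Saulich_Fedorovich's two posts above describe, written in Python. State changes are refused over GET, every other request needs a CSRF token bound to the session, and session ids come from a CSPRNG and are rotated. All names and the exchange.example origin are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)            # per-deployment secret (assumed name)
ALLOWED_ORIGINS = {"https://exchange.example"}  # placeholder origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def new_session_id() -> str:
    """Unpredictable id from the OS CSPRNG, not an MD5 of user data."""
    return secrets.token_urlsafe(32)

def csrf_token(session_id: str) -> str:
    """Token bound to one session; rotating the session id invalidates it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def check_request(method, headers, session_id, form, state_changing):
    """Return (allowed, reason) for one request to a handler."""
    if state_changing and method in SAFE_METHODS:
        return False, "state change over a safe method"
    if method in SAFE_METHODS:
        return True, "read-only"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "foreign origin"
    # The Origin check is only a first filter; the token is the real control.
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, csrf_token(session_id).encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def rotate_session(sessions: dict, old_id: str) -> str:
    """Issue a fresh id at login, 2FA or withdrawal confirmation; drop the old one."""
    new_id = new_session_id()
    sessions[new_id] = sessions.pop(old_id)
    return new_id

def demo():
    """Constructed requests: GET state change, POST without token, POST with token."""
    sid = new_session_id()
    good = {"csrf_token": csrf_token(sid)}
    own = {"Origin": "https://exchange.example"}
    return [
        check_request("GET", {}, sid, {}, True)[0],
        check_request("POST", own, sid, {}, True)[0],
        check_request("POST", own, sid, good, True)[0],
    ]
```

Setting the session cookie with the SameSite, Secure and HttpOnly attributes complements these checks but does not replace the token.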
BazilOK
Member
Offline
Activity: 226
Merit: 34
|
|
November 11, 2018, 06:25:12 PM |
|
Looks like they've turned scam. SCAM!!
|
|
|
|
IconFirm
|
|
November 12, 2018, 02:31:55 PM |
|
@MODS: Isn't it about time this entire thread was moved to the scam section where it belongs? This would help stop noob users being scammed any further.
No support. Customers accounts being closed. Customers funds vanishing. No withdrawals. Missing funds. Page after page after page of complaints.
|
|
|
|
MicroGuy
Legendary
Offline
Activity: 2506
Merit: 1030
Twitter @realmicroguy
|
|
November 12, 2018, 03:57:55 PM |
|
@MODS: Isn't it about time this entire thread was moved to the scam section where it belongs? This would help stop noob users being scammed any further.
No support. Customers accounts being closed. Customers funds vanishing. No withdrawals. Missing funds. Page after page after page of complaints.
Finally something we both agree on!
|
|
|
|
pokerowned
Legendary
Offline
Activity: 1282
Merit: 1051
|
|
November 13, 2018, 05:35:42 AM |
|
One of the worst exchange i have seen
Bad support and delisting coins without any proper time
Shame on Ccex team
|
|
|
|
carlfebz2
|
|
November 13, 2018, 06:27:56 PM |
|
@MODS: Isn't it about time this entire thread was moved to the scam section where it belongs? This would help stop noob users being scammed any further.
No support. Customers accounts being closed. Customers funds vanishing. No withdrawals. Missing funds. Page after page after page of complaints.
Finally something we both agree on!
Agree on this one too since this thread have been already abandoned maybe this would suit out to be put up on scam accusations where there are lots of people continue to come here complaining that accounts been blocked other after another. Is there any possible action with this?
|
|
|
|
KFEHF
Newbie
Offline
Activity: 1
Merit: 0
|
|
November 14, 2018, 08:46:37 PM |
|
Same trouble here, I CAN'T GET INTO MY ACCOUNT
Dear C-cex,
"User not found or account disabled". I cannot access my account. Is there a problem with my account?
Please help me solve this problem.
|
|
|
|
pooya87
Legendary
Offline
Activity: 3626
Merit: 10994
Crypto Swap Exchange
|
|
November 15, 2018, 05:14:56 AM |
|
what happened to c-cex? it used to be a decent place to trade despite the shadiness. now it seems to have turned into a full on scam. i tried accessing my account and it says it is not found! did they nuke their own database? luckily i had less than 0.01BTC there but it still sucks to lose that and an exchange that i used from time to time.
|
|
|
|
fearfighter
Newbie
Offline
Activity: 109
Merit: 0
|
|
November 15, 2018, 08:49:47 PM |
|
what happened to c-cex? it used to be a decent place to trade despite the shadiness. now it seems to have turned into a full on scam. i tried accessing my account and it says it is not found! did they nuke their own database? luckily i had less than 0.01BTC there but it still sucks to lose that and an exchange that i used from time to time.
maybe the 6 months of vacations when no one could withdraw their funds caused c-cex to lose touch with reaaaaaaaallllllllllllllity
|
|
|
|
cointron
|
|
November 16, 2018, 03:29:41 AM |
|
Any estimate of how much they stole? I left there 6.5 BTC and 1.5 BTC in alts.-
|
|
|
|
pooya87
Legendary
Offline
Activity: 3626
Merit: 10994
Crypto Swap Exchange
|
|
November 16, 2018, 05:10:19 AM |
|
what happened to c-cex? it used to be a decent place to trade despite the shadiness. now it seems to have turned into a full on scam. i tried accessing my account and it says it is not found! did they nuke their own database? luckily i had less than 0.01BTC there but it still sucks to lose that and an exchange that i used from time to time.
maybe the 6 months of vacations when no one could withdraw their funds caused c-cex to lose touch with reaaaaaaaallllllllllllllity
it sounds more like running away to me
c-cex is a business not some hobby to take a 6 months vacation from and not come back. not to mention that it was a 24/7 market which also is global. you can't just shut it down and go have fun!
|
|
|
|
zthomasz
Member
Offline
Activity: 489
Merit: 12
|
|
November 16, 2018, 01:23:19 PM |
|
Any estimate of how much they stole? I left there 6.5 BTC and 1.5 BTC in alts.-
ouch! is there any legal recourse to recover it?
|
|
|
|
fearfighter
Newbie
Offline
Activity: 109
Merit: 0
|
|
November 16, 2018, 01:28:28 PM |
|
what happened to c-cex? it used to be a decent place to trade despite the shadiness. now it seems to have turned into a full on scam. i tried accessing my account and it says it is not found! did they nuke their own database? luckily i had less than 0.01BTC there but it still sucks to lose that and an exchange that i used from time to time.
maybe the 6 months of vacations when no one could withdraw their funds caused c-cex to lose touch with reaaaaaaaallllllllllllllity
it sounds more like running away to me
c-cex is a business not some hobby to take a 6 months vacation from and not come back. not to mention that it was a 24/7 market which also is global. you can't just shut it down and go have fun!
a year ago they took a 3 month vacation and i couldn't withdraw any coins. 90 days later they did it again, fortunately i had already withdrawn all coins by then. 3 months on, 3 months off, rinse and repeat
I don't see how they stay in bizness
|
|
|
|
|
cointron
|
|
November 16, 2018, 06:47:09 PM |
|
Any estimate of how much they stole? I left there 6.5 BTC and 1.5 BTC in alts.-
ouch! is there any legal recourse to recover it?
I have no idea. I've searched for information, everywhere they talk about Mt.Gox, Bitfinex, Bitgrail, but nothing about C-Cex. In addition to taking everything, they have deleted the databases, they disappeared completely. It would be interesting to know how much they took and if a lawsuit can be initiated.-
|
|
|
|
wincoinofficial
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 16, 2018, 09:55:17 PM |
|
https://c-cex.com
BTC, Ethereum, NXT, NXT assets, Omnicore, Omnicore properties friendly exchange
Our exchange is very fast and easy to use. We have very effective and responsive support team. It is possible to get fast support by tickets or in chat.
Security: 2FA (e-mail, sms, google authenticator), e-mail confirmations, SSL, DDoS protection, anti-theft protection, hot/cold storage.
Fast deposits / trades / withdraws: You do not have to wait hours to see Your deposits. They shown in realtime and credited instantly after needed confirmations. BTC needs only 2 confirmations!
Transfer funds instant directly between accounts without commission: We have a mechanism to instantly transfer any funds between accounts via "C-CEX codes".
Active Dev/Support team: We have very responsive support team - You can contact us via skype or "Support" section.
Webcamera QR-code reading support: You can easy scan Your wallet address or C-CEX code from paper / smartphone / tablet or other computer using You integrated or plugged web camera.
Vote for new coins to be added: We have voting system for adding new coins. You can vote free or by depositing small amount of BTC.
You can deposits and withdraw USD with low commission using many options. (Payee gate with lots of options. Visa/MC deposits possible, PayPal withdraws included)!
Our USD vouchers (C-CEX USD codes) are traded on following fiat exchanges:
https://www.xmlgold.eu
http://money-change.biz
Trading fee: 0.2%
Welcome and have a good trades!
RU thread: https://bitcointalk.org/index.php?topic=420342.0
Twitter: https://twitter.com/CryptoCurrEncyX (main news source)
Facebook: https://www.facebook.com/pages/C-CEXcom/1453754041506448
Google Plus: https://plus.google.com/u/0/110094298275211579915/posts
Hi C-Cex Team, can we know an official channel to get in touch with you or we can connect through email? Thanks
|
|
|
|
wklalen
Sr. Member
Offline
Activity: 525
Merit: 250
ibuku adalah segalanya(my mother is the best)
|
|
November 18, 2018, 01:17:16 PM |
|
hi admin ccex
hi admin why account disable i dont have problem with exchange
my account user name=robocop email = inot.syah@gmail.com
20 minutes ago i can still trade and now i can not log in again
|
|
|
|
|