Bitcoin Forum
November 11, 2024, 12:10:36 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: [1]
  Print  
Author Topic: WARNING TO ALL CRYPTOSTOCKS INVESTORS!! SECURITY ISSUE  (Read 1080 times)
campycoin (OP)
Hero Member
*****
Offline Offline

Activity: 700
Merit: 500


Daily Bitcoins for your Paypal/Skrill


View Profile
February 26, 2014, 01:11:12 PM
 #1


THIS IS SERIOUS

If you have stocks at cryptostocks, please read.

Long story short: Our companies stock was sold at pennies and we realized that someone gained access to the CEO account, lowered the price and sold all our remaining stock for pennies and cashed out about 1 bitcoin.  We could not figure out how they gained access but I just tested it and it is, in my opinion a very serious flaw yet I just got the answer from cryptostocks.com and they say it is not a flaw....  (see email below)

If someone has access to your email, despite you having 2fA set-up, they can click lost password, and then a new password link will be sent, when you click that link and make a new password, it logs you in and overrides or disables your 2FA!!!!

To me, this is an issue as our CEO felt safe since he had 2fA on but someone got into his email and that's all they needed.  SECURE YOUR EMAIL WITH LONG PASSWORDS IMMEDIATELY

I emailed cryptostocks for 2 days trying to get a response about this....  first email I got was the following:

Dear user, we are have quite a backlog of emails to answer and thus please bear
with us, we will surely come back to you but this might take a few days. We hope
to have completed the backlog by latest Monday next week.


Finally the addressed my concern by saying this....

Dear user, assuming that you have protected your email account (e.g. with 2FA) then this is not a flaw, you can only reset the password if you have access to the email account.

It is the same process as when you request 2FA reset (currently being implemented). We have to contact you somehow and that is by email, hence an email is send and if you click the link the 2FA will be disabled. Therefore it does not make sense to have a different approach for email resets.

==================================
Best regards
Your Cryptostocks Team


To me, there is no reason why if you click reset password, that it should not force you to re-sign in using 2FA?Huh

Anyone?
hjbuell
Member
**
Offline Offline

Activity: 70
Merit: 10

Writer $0.10/word +


View Profile WWW
February 26, 2014, 01:49:26 PM
 #2

For tl;dr crowd, what he's saying is this:

2FA was turned on, and the following occurred, bypassing 2FA completely.

  • Someone gained unauthorized access to an email address associated with a cryptostock account.
  • They then requested a password reset, which sent a link to the email address.
  • The link then allowed the password to be reset, and opened access to the cryptostock account.

To the Op - no, they are running a MtGox shop. Resetting your password should have required completion of the 2FA chain.

I have said repeatedly, and will continue to say so. If you want to invest your money, put it in something real. Cryptostocks are nothing more than Venture Capital disguised as stocks. I have yet to see one worth more than a roll of toilet paper in the hands of a charismatic salesperson.

Being different is all it takes to make a difference. H. J. Buell
Writer from $0.10 per word. https://hjbuell.com
campycoin (OP)
Hero Member
*****
Offline Offline

Activity: 700
Merit: 500


Daily Bitcoins for your Paypal/Skrill


View Profile
February 26, 2014, 02:00:43 PM
 #3

For tl;dr crowd, what he's saying is this:

2FA was turned on, and the following occurred, bypassing 2FA completely.

  • Someone gained unauthorized access to an email address associated with a cryptostock account.
  • They then requested a password reset, which sent a link to the email address.
  • The link then allowed the password to be reset, and opened access to the cryptostock account.

To the Op - no, they are running a MtGox shop. Resetting your password should have required completion of the 2FA chain.

I have said repeatedly, and will continue to say so. If you want to invest your money, put it in something real. Cryptostocks are nothing more than Venture Capital disguised as stocks. I have yet to see one worth more than a roll of toilet paper in the hands of a charismatic salesperson.

Checkout DiamondCircle    -  I think they are good but cryptostocks can kiss my ass.  How in the hell they let a password reset, disabled 2FA, stock price reduction of 10000% followed by an immediate withdrawal of btc to a wallet is beyond me
420
Hero Member
*****
Offline Offline

Activity: 756
Merit: 500



View Profile
March 31, 2014, 11:40:01 PM
 #4

My account was compromised and stolen funds on March 15th; doesn't look like they got into my email;

shows a password reset email same day; then stocks sold and funds withdrawn.

Donations: 1JVhKjUKSjBd7fPXQJsBs5P3Yphk38AqPr - TIPS
the hacks, the hacks, secure your bits!
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!