Bitcoin Forum
Author Topic: WARNING Cryptostocks.com INVESTORS SECURITY FLAW  (Read 17140 times)
campycoin (OP)
February 26, 2014, 01:14:27 PM
 #1


THIS IS SERIOUS

If you have stocks at cryptostocks, please read.

Long story short: Our company's stock was sold at pennies and we realized that someone gained access to the CEO account, lowered the price and sold all our remaining stock for pennies and cashed out about 1 bitcoin. We could not figure out how they gained access, but I just tested it and it is, in my opinion, a very serious flaw, yet I just got the answer from cryptostocks.com and they say it is not a flaw.... (see email below)

If someone has access to your email, despite you having 2FA set up, they can click lost password, and then a new password link will be sent; when you click that link and make a new password, it logs you in and overrides or disables your 2FA!!!!

To me, this is an issue as our CEO felt safe since he had 2FA on, but someone got into his email and that's all they needed. SECURE YOUR EMAIL WITH LONG PASSWORDS IMMEDIATELY

I emailed cryptostocks for 2 days trying to get a response about this.... The first email I got was the following:

> Dear user, we have quite a backlog of emails to answer and thus please bear with us, we will surely come back to you but this might take a few days. We hope to have completed the backlog by Monday next week at the latest.

Finally they addressed my concern by saying this....

> Dear user, assuming that you have protected your email account (e.g. with 2FA) then this is not a flaw, you can only reset the password if you have access to the email account.
>
> It is the same process as when you request 2FA reset (currently being implemented). We have to contact you somehow and that is by email, hence an email is sent and if you click the link the 2FA will be disabled. Therefore it does not make sense to have a different approach for email resets.
>
> ==================================
> Best regards
> Your Cryptostocks Team

To me, there is no reason why, if you click reset password, it should not force you to re-sign in using 2FA?

Anyone?
qwertyqwerty
February 26, 2014, 01:25:33 PM
 #2

That's pretty shocking. 2FA should be enforced on withdrawals; account login is not enough.
2FA should be mandatory, reset should be a manual procedure with verification required from the requester, and the process can take a long period to ensure a hacker cannot make a quick getaway.
okaynow
February 26, 2014, 01:55:12 PM
 #3

words

So someone had access to your email? What kind of password did you have at your email?
Are you sure it is not the owner of the email shitting with you?
Did Altswap solve the firemine issue and the late announcements, or are you fucking with people to cover your asses?

EDIT: Did you guys address this? https://bitcointalk.org/index.php?topic=472265.0

Are you absolutely sure that the owner of the altswap email account IS NOT the firemine account?

campycoin (OP)
February 26, 2014, 02:22:08 PM
 #4

He is not the owner but is helping a friend with the stock management. Again, it isn't my email but the CEO's; regardless, he would have just run with all the money if he wanted. All of this mess accounts for a bitcoin's worth of theft that we will cover. We may issue stock certificates and manage the stocks outside of cryptostocks because they diluted the shares. We have a shareholder spreadsheet with those who bought at 0.000001 taken off.
campycoin (OP)
February 26, 2014, 02:32:11 PM
 #5

And again, I am not fucking with anyone about anything.  I operate honestly and if you'd like to talk to me, feel free to chat at altswap.com today, I am on chat all day.
Kumala
February 26, 2014, 02:43:05 PM
 #6

This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access to your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.

In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.

Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.
campycoin (OP)
February 26, 2014, 03:26:04 PM
 #7

Quote from: Kumala on February 26, 2014, 02:43:05 PM
> This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access to your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
>
> In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.
>
> Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.

Thanks! It wasn't my email that was accessed, and according to the CEO he must have been hit by a keylogger.
thy
February 26, 2014, 03:30:09 PM
Last edit: February 26, 2014, 04:03:53 PM by thy
 #8

I think the Altswap/Firemine listings look strange. For example the fact that they reused the webpage for those listings, how they haven't been very clear about what they actually mine with or what they buy for the investors' money, and some other things in how the contract was formulated; also the price they seem to have paid per GH and what each GH seems to be generating don't seem to make much sense. But with that being said:

Quote from: campycoin on February 26, 2014, 01:14:27 PM
> ....
> If someone has access to your email, despite you having 2FA set up, they can click lost password, and then a new password link will be sent; when you click that link and make a new password, it logs you in and overrides or disables your 2FA!!!!
> ....
> and cashed out about 1 bitcoin
> ....

If this is what happened it's a bad flaw in CS's system that they should fix as soon as possible; the whole point of 2FA is to make it impossible for someone who may get access to an email/password to do any harm. Even CS should realize that, and maybe they should compensate the issuer at least partially for that, and if the losses "only" were 1 BTC there shouldn't be any problem for Cryptostocks to take that cost, as they charge each company 1 BTC to list at their site. But it's still up to everyone to protect their email address, so even if the 2FA doesn't work the way one can expect it to, it's not fully CS's fault.

> I emailed cryptostocks for 2 days trying to get a response about this.... The first email I got was the following:

Cryptostocks support is known to take a long time in most cases; some exceptions exist though, when they acted and fixed things within minutes/hours.

> Finally they addressed my concern by saying this....
>
> Dear user, assuming that you have protected your email account (e.g. with 2FA) then this is not a flaw, you can only reset the password if you have access to the email account.

How Kumala is thinking here I can't see; he clearly hasn't realized what the 2FA used on CS is for then, and some email accounts don't even have the possibility to protect the email with 2FA. Kumala, if someone has 2FA on at CS, then no one should be able to reset their password without access to both the email and the 2nd authentication used; they should not be able to log in, not be able to buy or sell anything, and not be able to withdraw anything.

I think I read way back something about CS sending out a postcard after a week or two to those that wanted advanced verification, to verify that their address was real as a step in getting that advanced verification. Maybe something similar could be done to make sure resets of 2FA or changing of password are done by the correct person, or maybe have people register their accounts with 2 email addresses and both emails would have to confirm a change of password or reset of 2FA. There could also be an automatic delaying of the change by a week or two if someone wants to change password or reset 2FA, to make things safer.

Edit: reading what you said a bit closer

> We could not figure out how they gained access but I just tested it and it is, in my opinion a very serious flaw
> ...
> If someone has access to your email, despite you having 2FA set up, they can click lost password, and then a new password link will be sent; when you click that link and make a new password, it logs you in and overrides or disables your 2FA!!!!

Shouldn't you have seen pretty much directly that something was wrong? If someone changed your password your old one shouldn't work; how have you been able to log into CS up until recently if CS support didn't answer you for 2 days?

twentyseventy
February 26, 2014, 04:21:03 PM
 #9

Quote from: Kumala on February 26, 2014, 02:43:05 PM
> This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access to your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
>
> In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.
>
> Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.

Why not have 2FA for withdrawals? And some sort of 7 or 14 day waiting period for 2FA disabling?
itsik78
February 26, 2014, 05:16:26 PM
 #10

Beyond all this...
If you want to see the stock price rise again, the community needs to see some sort of progress on the site and not just 15 minutes of UI work as it is now.
You should have a working exchange now - put it up so we can see it, at least as a demo...
We need to see something to believe it isn't a scam.
campycoin (OP)
February 26, 2014, 06:28:55 PM
 #11

I say it again, I'm not in design and development. They are doing a reskin and we are looking at this weekend to drop the beta.
bitwho
February 26, 2014, 08:15:25 PM
 #12

so should i buy this stock at this price? are they valid?
regmann
February 27, 2014, 06:05:32 AM
 #13

buy buy buy
Jasun7211
February 27, 2014, 07:39:55 AM
 #14

Wow, an exchange this cheap. I'll support this price.

Rannasha
February 27, 2014, 07:59:25 AM
 #15

Quote from: Kumala on February 26, 2014, 02:43:05 PM
> This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access to your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
>
> In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.
>
> Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.

A common approach is for things like 2FA resets to come with a mandatory waiting period between 1 and 4 weeks, during which a reminder email is sent periodically to the user's email address informing them of the requested change and the waiting period remaining. This gives a user ample time to react before an attacker gains access to the account.

Right now, you make the user's email security a single point of failure for the account security of your website. It's not a good idea to have a single point of failure be something that is completely out of your control.
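Both the reset behaviour campycoin reports and the waiting period Rannasha describes, modelled in added Python that is not Cryptostocks' code (the site's internals are not on this page): complete_reset_weak mimics the reported flow, complete_reset_hardened and login show a reset that leaves the second factor in force, and request_2fa_reset/finalize_2fa_reset model a cancellable waiting period. The account fields, the 14-day delay, the simplified HMAC second-factor code, the fixed clock and the sample passwords are all assumptions constructed for the example.

```python
from __future__ import annotations
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2014, 2, 26, 13, 14)            # constructed clock for the simulation
TWO_FA_RESET_DELAY = timedelta(days=14)        # assumed waiting period (the thread suggests 1-4 weeks)

@dataclass
class Account:
    password_hash: str
    totp_secret: bytes | None = None           # None: no second factor enrolled
    reset_token: str | None = None             # outstanding password-reset token, if any
    twofa_reset_due: datetime | None = None    # end of a pending 2FA-reset waiting period

def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()   # stand-in; use a slow KDF in production

def second_factor_code(secret: bytes, at: datetime) -> str:   # simplified TOTP stand-in, not RFC 6238
    return hmac.new(secret, str(int(at.timestamp()) // 30).encode(), "sha256").hexdigest()[:6]

def request_password_reset(acct: Account) -> str:
    acct.reset_token = secrets.token_urlsafe(16)   # this token is what gets emailed to the account
    return acct.reset_token

def complete_reset_weak(acct: Account, token: str, new_pw: str) -> str | None:
    """The behaviour the thread describes: the reset link logs the caller in and drops 2FA."""
    if token is None or token != acct.reset_token:
        return None
    acct.reset_token, acct.password_hash, acct.totp_secret = None, hash_password(new_pw), None
    return "session:" + secrets.token_hex(8)   # caller is logged in, second factor gone

def complete_reset_hardened(acct: Account, token: str, new_pw: str) -> bool:
    """Hardened: the link only sets a new password. No session, second factor untouched."""
    if token is None or token != acct.reset_token:
        return False
    acct.reset_token, acct.password_hash = None, hash_password(new_pw)
    return True

def login(acct: Account, pw: str, code: str | None, at: datetime) -> str | None:
    if not hmac.compare_digest(acct.password_hash, hash_password(pw)):
        return None
    if acct.totp_secret is not None:           # second factor is checked on every login
        if code is None or not hmac.compare_digest(code, second_factor_code(acct.totp_secret, at)):
            return None
    return "session:" + secrets.token_hex(8)

def request_2fa_reset(acct: Account, at: datetime) -> None:
    acct.twofa_reset_due = at + TWO_FA_RESET_DELAY   # reminder emails go out until this passes

def finalize_2fa_reset(acct: Account, at: datetime) -> bool:
    if acct.twofa_reset_due is None or at < acct.twofa_reset_due:
        return False                           # never requested, cancelled, or still waiting
    acct.totp_secret, acct.twofa_reset_due = None, None
    return True

def simulate() -> dict:
    secret, r = b"device-secret", {}           # attacker has only the email; owner keeps the device
    weak, hard = Account(hash_password("old"), secret), Account(hash_password("old"), secret)
    r["weak_attacker_logged_in"] = complete_reset_weak(weak, request_password_reset(weak), "pwned") is not None
    complete_reset_hardened(hard, request_password_reset(hard), "pwned")
    r["hard_attacker_logged_in"] = login(hard, "pwned", None, NOW) is not None
    r["hard_owner_logged_in"] = login(hard, "pwned", second_factor_code(secret, NOW), NOW) is not None
    request_2fa_reset(hard, NOW)
    r["reset_early"] = finalize_2fa_reset(hard, NOW + timedelta(days=1))
    hard.twofa_reset_due = None                # owner saw a reminder email and cancelled
    r["reset_after_cancel"] = finalize_2fa_reset(hard, NOW + TWO_FA_RESET_DELAY)
    request_2fa_reset(hard, NOW)
    r["reset_after_wait"] = finalize_2fa_reset(hard, NOW + TWO_FA_RESET_DELAY)
    return r
```

Running simulate() shows the contrast: with the weak flow the email alone yields a logged-in session, while with the hardened flow the attacker can change the password but still cannot log in, and the 2FA reset only succeeds once the full waiting period passes without the owner cancelling.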
Skinnkavaj
February 27, 2014, 03:56:41 PM
 #16

Quote from: Kumala on February 26, 2014, 02:43:05 PM
> This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access to your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
>
> In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.
>
> Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.

This is the stupidest shit I have ever read. The whole point of 2FA is to protect from keyloggers getting your password details on your computer, including your email.

itsik78
February 27, 2014, 04:42:48 PM
 #17

Quote from: Kumala on February 26, 2014, 02:43:05 PM
> This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access to your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
>
> In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.
>
> Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.

As you can see from the comments, you're the only one that thinks it makes sense.
I don't use gmail for my account on CryptoStocks, which means I don't have 2FA on my email...
It doesn't make sense to allow access to an account through the lost password flow, as it simply renders the whole point of 2FA useless on your site.

Please fix so we can feel safer with the funds we hold on your site.

Thanks
regmann
February 27, 2014, 06:51:53 PM
 #18

Quote from: itsik78 on February 27, 2014, 04:42:48 PM
> Quote from: Kumala on February 26, 2014, 02:43:05 PM
> > This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access to your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
> >
> > In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.
> >
> > Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.
>
> As you can see from the comments, you're the only one that thinks it makes sense.
> I don't use gmail for my account on CryptoStocks, which means I don't have 2FA on my email...
> It doesn't make sense to allow access to an account through the lost password flow, as it simply renders the whole point of 2FA useless on your site.
>
> Please fix so we can feel safer with the funds we hold on your site.
>
> Thanks

+1 on this

They can bypass everything by just hacking your email, which is stupid as fuck.
regmann
February 27, 2014, 08:08:03 PM
 #19

buy all cheap fees now (they can't roll it back anyway lolk) nom nom nom nom cheap fees
Maidak
February 28, 2014, 11:07:16 PM
 #20

I'm gonna have to say someone is spreading some FUD