DiamondCardz
Legendary
Offline
Activity: 1134
Merit: 1118
Their handling of the situation is what I would generously class as a complete joke. Being able to get 2FA backup codes without proving you have access to a 2FA method makes about as much sense as being able to change the password on an account without knowledge of its existing password. It's ridiculous and a failure of basic security principles, and it's pretty worrying that a "military-grade" exchange made such a basic error. If they're making basic security errors like that then they have clearly invested very little in reviewing their security practices, which is completely antithetical to claiming that your security is top-notch.
Shame on them.
BA Computer Science, University of Oxford. Dissertation was about threat modelling on distributed ledgers.
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
October 20, 2019, 02:59:16 AM Last edit: October 20, 2019, 03:17:51 AM by BayAreaCoins
lugrugzo
October 29, 2019, 09:06:17 PM
I'm sorry but you act like r/ChoosingBeggars. They clearly won't pay and even if they pay, the reason will be: - F*ck, this guy talks so much, pay his shit and make him shut up.
My posts are not an incentive for investing, always do your own homework.
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
October 30, 2019, 05:02:20 AM Last edit: October 30, 2019, 07:05:23 AM by BayAreaCoins
I'll live. I'm not begging. No need to apologize. I treated this exactly how I would want my website to be treated as well. I just think it's wild to claim military security and have 2FA backups dump without reauthenticating. Then on top of that claim that is how it's supposed to function. Then offer $50 but demand personal information. It's just an experience that needs to be documented IMO. That's worth far more than the $6,000 cap on bug bounties.

Quote from: lugrugzo
They clearly won't pay and even if they pay, the reason will be:
- F*ck, this guy talks so much, pay his shit and make him shut up.

How about:
- Hey, this guy found a major flaw in our security logic that put our customers at risk that could/would result in coins being lost & customers possibly physically hurt. We fixed it asap. Our bug bounty says $2,000-$6,000. Let's do what we say we will do.
Not:
- Uhhh the feature performs as intended.
(1 day later)
- Actually we fixed it because we already knew about it and Google does it this way too. (Google does not)
- Here is $50 for trying so hard, but... we need all your personal info to pay you $50 or you get jack shit! Welcome to the Bitcoin community, thanks for making our website and community more strong... let us know if you see anything else!
*an heros
*I just can't stand getting fed bullshit & lies. Please don't confuse my bitching as begging. End of the day, I would have given them this for free... I just dislike the deceptive bullshit.
TwitchySeal
Legendary
Offline
Activity: 2716
Merit: 2093
Join the world-leading crypto sportsbook NOW!
October 30, 2019, 11:31:25 PM
Quote from: lugrugzo
I'm sorry but you act like r/ChoosingBeggars. They clearly won't pay and even if they pay, the reason will be: - F*ck, this guy talks so much, pay his shit and make him shut up.

If you just skimmed the OP and thread I can see how you would think that. You're wrong though. It doesn't matter how obvious or easy to fix a bug is. It only matters how critical it is. The fact the bug existed and the way it was handled is a pretty big deal imo.
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
November 15, 2019, 03:46:08 PM Last edit: February 23, 2020, 07:42:00 PM by BayAreaCoins
Still demanding sensitive personal information for a $50 payment in BTC on a critical bug that would have resulted in user funds being lost that they said wasn't a bug, but fixed anyways.
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
March 03, 2020, 07:35:01 PM Last edit: March 03, 2020, 08:09:27 PM by BayAreaCoins
Quote:
Better bump topic about your best friend klye and his scam 3 years without active and i think he still didn't pay scammed money.

Actually, believe it or not... I believe bb (KYLE) has paid everyone that has demanded their investment back and all his current people are up to date payment wise. If KYLE owes you money from his shit, please contact me and I'll reach out to him. (Mind you, none of that had anything to do with me... I just helped him a tiny bit manage the crisis.)
MRKLYE
Legendary
Offline
Activity: 1358
Merit: 1003
Designer - Developer
March 03, 2020, 08:03:02 PM
Quote:
Better bump topic about your best friend klye and his scam 3 years without active and i think he still didn't pay scammed money.

Bayareacoins is my lover, not my best friend. Get your facts straight bitch. Scammed money? I don't deal with fiat, sorry buddy. Anyways, I'd like to know why my name is in your filthy whorish mouth. <3 Cheers Fuckface.
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
March 03, 2020, 08:06:48 PM
Quote:
Better bump topic about your best friend klye and his scam 3 years without active and i think he still didn't pay scammed money.

Quote from: MRKLYE
Bayareacoins is my lover, not my best friend. Get your facts straight bitch. Scammed money? I don't deal with fiat, sorry buddy. Anyways, I'd like to know why my name is in your filthy whorish mouth. <3 Cheers Fuckface.

I was actually going to correct him to "Butt Buddies" rather than besties, but I figured I'd keep our love in the cummy-shadows bb <3. Mwahaha Thanks for responding... Im glad to see everyone is squared away for the moment and lots of luck with STEEM bb. Don't let Justin Sun buttfuck your community too bad! #resistcommunism
Grab
March 04, 2020, 12:05:29 AM
Quote:
Better bump topic about your best friend klye and his scam 3 years without active and i think he still didn't pay scammed money.

Quote from: MRKLYE
Bayareacoins is my lover, not my best friend. Get your facts straight bitch. Scammed money? I don't deal with fiat, sorry buddy. Anyways, I'd like to know why my name is in your filthy whorish mouth. <3 Cheers Fuckface.

I just wanna know why he help you with your shitty scam. I have info that he didnt pay all bitcoins and he ignore investor's:) That's why i make this post, but if you wanna to deal with lowlife scammer it is ok, but people shouldn't trust you Bay.
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
March 04, 2020, 12:24:15 AM
Quote from: Grab
I just wanna know why he help you with your shitty scam.

My extent of helping bb was encouraging him not to kill himself when he messaged me that he gambled it all away. I also encourage him to keep pushing on and making people right. Pay the urgent ones first and the chill people interest later. If he killed himself... no one's getting paid for sure. Edit: One time I let bb be a camgirl on MyFreeCams on a spare account... it was unrelated to this KYLEMAX nonsense, but still had to do with webcamming I guess you could say! We just pretended he was a girl with cancer lol kind of fucked up, but o well.

Quote from: Grab
I have info that he didnt pay all bitcoins and he ignore investor's:)

Open a new thread and address the issue because as far as I understand, that isn't the case.

Quote from: Grab
That's why i make this post, but if you wanna to deal with lowlife scammer it is ok, but people shouldn't trust you Bay.

That's part of what makes Bitcoin so amazing, I am able to transact with bb safely as long as he sends first... it keeps the playing field honest. KLYE and I are lovers... we are not business partners and our trust doesn't have anything to do with each other. (har har) I don't understand why someone wouldn't trust me due to bb, but if they don't... it's probably not someone I want to deal with anyways. I feel like I've addressed your post even though it was nonrelated to the OP of this thread. If you wish to discuss this further, please create a new thread and PM me the link! Thank you!
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
May 20, 2020, 11:31:42 PM
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
June 24, 2020, 06:45:25 PM Last edit: June 24, 2020, 07:17:35 PM by BayAreaCoins
HackerOne reached out to me yesterday and let me know I no longer qualified for the $50 they were awarding me for "trying". Keep in mind they were trying to require my social security and personal information for that $50! lol! lol... I also noticed Blockchain.com has dropped "The Pit" name from most of the website except for the Terms of Service and long typed legal things. Read the whole story: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
allyouracid
Legendary
Offline
Activity: 2321
Merit: 1292
Encrypted Money, Baby!
June 24, 2020, 09:08:07 PM
They treated the whole situation in the worst way possible. The very least thing they could have done was to acknowledge that their implementation of 2FA was pointless, instead of pretending it worked as intended. What's the point of second factor auth as an additional barrier, if anyone can gain access to that barrier once the previous barrier(s) the 2FA is supposed to harden are broken? This doesn't make sense.
Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto. But the way they treated this whole thing is just ridiculous. Best part is how they play offended by revoking the 50 bucks now.
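DiamondCardz's point earlier in the thread (backup codes handed out without proving possession of the second factor) and allyouracid's framing above (a barrier that any holder of the previous barrier can remove) describe the same design flaw. The following is an added illustration, not code from this thread, from Blockchain.com or from HackerOne: a minimal model of a "view/regenerate backup codes" endpoint in its flawed form beside a step-up-authenticated form. The names `Account`, `Session`, `backup_codes_weak`, `backup_codes_hardened` and `redeem_backup_code` are hypothetical; the HOTP/TOTP functions implement the standard RFC 4226 / RFC 6238 algorithm, and the secret used in the demo is the RFC 6238 test secret, a constructed value.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


# Standard HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, so the example runs offline.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


class StepUpRequired(Exception):
    """A sensitive action was attempted without a fresh second-factor proof."""


class Account:
    """Hypothetical account record: TOTP secret plus hashed, single-use backup codes."""
    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.backup_code_hashes = set()


class Session:
    """A logged-in web session (hypothetical); it references the account and nothing more."""
    def __init__(self, account: Account):
        self.account = account


def _hash_code(code: str) -> str:
    # Codes are stored hashed, like passwords; plaintext exists only in the single response.
    return hashlib.sha256(code.encode()).hexdigest()


def _issue_codes(account: Account, n: int = 8) -> List[str]:
    # Issuing always rotates: the previous set is invalidated, the new set is shown once.
    codes = [secrets.token_hex(4) for _ in range(n)]
    account.backup_code_hashes = {_hash_code(c) for c in codes}
    return codes


def backup_codes_weak(session: Session) -> List[str]:
    """The design the thread complains about: a live session is the only gate.
    An unattended or hijacked session turns the codes into a durable 2FA bypass."""
    return _issue_codes(session.account)


def backup_codes_hardened(session: Session, presented_totp: str,
                          now: Optional[float] = None) -> List[str]:
    """Step-up: the caller must prove possession of the second factor right now,
    regardless of how or when the session was established."""
    expected = totp(session.account.totp_secret, at=now)
    if not hmac.compare_digest(presented_totp.encode(), expected.encode()):
        raise StepUpRequired("fresh 2FA code required to view or regenerate backup codes")
    return _issue_codes(session.account)


def redeem_backup_code(account: Account, code: str) -> bool:
    """Consume a backup code at login; each code works exactly once."""
    h = _hash_code(code)
    if h in account.backup_code_hashes:
        account.backup_code_hashes.discard(h)
        return True
    return False


if __name__ == "__main__":
    acct = Account(b"12345678901234567890")  # RFC 6238 test secret; constructed demo value
    sess = Session(acct)
    print("weak endpoint, no second factor:", backup_codes_weak(sess))
    try:
        backup_codes_hardened(sess, "000000", now=59)
    except StepUpRequired as e:
        print("hardened endpoint refused:", e)
    print("hardened endpoint, valid code:",
          backup_codes_hardened(sess, totp(acct.totp_secret, at=59), now=59))
```

A production check would also accept codes from the adjacent time steps to tolerate clock drift and would rate-limit the endpoint; both are left out here to keep the contrast between the two endpoints visible. The rotation-on-issue and hashed storage are added defensive practice, not something the thread states the exchange did.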
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
August 04, 2020, 02:50:29 AM
Quote from: allyouracid
Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto.

A user doesn't just have to leave a computer recklessly unattended for this flaw to be dangerous! Imagine just being shot in the face, and the person picks up your computer! There are thousands of ways "something" could go wrong with this flaw. These security flaws in systems designed for people to keep millions of dollars of value that can be sent non-reversibly with a few clicks put people at severe risks.
TwitchySeal
Legendary
Offline
Activity: 2716
Merit: 2093
Join the world-leading crypto sportsbook NOW!
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
September 24, 2020, 04:44:48 PM Last edit: September 29, 2020, 02:24:47 PM by BayAreaCoins
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
October 09, 2020, 07:33:36 PM
bump
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
January 15, 2021, 11:44:17 PM
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit. So either...
A: They fucked me.
B: They knowingly put their users at extreme risks and gave their users a false sense of security due to their exchange design flaws.
Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.