BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 16, 2019, 08:53:59 PM Last edit: November 07, 2021, 04:39:06 PM by BayAreaCoins |
|
I went ahead and created a PowerPoint for my lawyer (I was just asking if there was anything I could "do", but there isn't)... the PowerPoint is a little less clusterfucky than this Bitcointalk thread. I'm going to leave the original post under the next post, but here is a link to the PowerPoint that breaks down how Blockchain.com and HackerOne.com fucked me on a painfully obvious and dangerous 2fa dump logic error. Powerpoint with the full story: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharingtl;Dr I reported a problem, they said it was working as intended, they fixed the problem that night, they stiffed me. Needless to say, we are not going to go forward with any formal complaints and I still hope Blockchain just pays me my fucking bug bounty! I would NOT trust HackerOne or Blockchain.com's exchange team (previously known at "The Pit") at this point. (It should be noted that Blockchain.com dropped "The Pit" name and it is now just Exchange) I will update this thread when the companies decide to make this right. They did eventually offer me $50 for trying and required I give my social security to collect it... lol (read the power point)
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 16, 2019, 11:48:47 PM Last edit: January 15, 2021, 11:42:18 PM by BayAreaCoins |
|
(original post, heavily updated and semi confusing... please reference powerpoint in the OP, thank you.) *I give my full permission for anyone to use any text or any images from this thread.*I signed up for an account on Blockchain.com's new " military-grade" exchange called " The Pit". I noticed right off the bat that I was able to get their exchange to show my 2fa backup codes without prompting me for my 2fa code. (I only needed to enter my password) I emailed Blockchain.com's support and reported the problem. Blockchain.com's support told me to open a "HackerOne" bug bounty report if I wanted to get paid.... I figured, "Why not? I could use the money to test their site further / link my bank account with a wire!" (I should have fucking known better and just been OK without getting compensated, but I was worried Blockchain.com's customer support person wouldn't forward on the problem if I didn't open a HackerOne ticket and I didn't want some poor Blockchain.com customer to get pwned because of Blockchain's critically flawed security design.)(you can see I'm sketched out about this "HackerOne" stuff from the start) I created the issue on HackerOne: HackerOne staff responded: Yikes!!!!!!! But OK... if that's how you want to have your website, go for it... I guess... HOWEVER, today I checked Blockchain.com's website and low n behold: (users are now prompted for 2fa after the password screen) 10/16/2019I'm not overly worried about Blockchain... I imagine they will make it right, but this fucking dipshit at HackerOne that said that's how the feature is supposed scares the shit out of me!!!!! At least I learned fast to avoid Hackerone.com before FreeBitcoins.com hired them. It's scary to see that other cryptocurrency companies use HackerOne! I do want to say "Good job" to Blockchain.com's security team for fixing this problem within a week. I will update when and if HackerOne or Blockchain.com compensates me for this report. Edit: "They" reopened my closed bug report and offered me $50, requiring me to fill out my social security for said $50. First they claimed the feature was functioning as it was supposed to at first and then later claimed they knew about the bug the whole time to being reported!!!!!! Ya, right. I strongly recommend keeping on reading.Double Edit: I am now calling this a scam. I believe it's just a case of one or more employees trying to cover their ass. I will continue updating and such.Now they are saying that the bug was known before my report... ya right!!! If it was, that's disgusting that they advertised Military-grade security with a bug known like that... Links & news articles related to this: https://www.reddit.com/r/Bitcoin/comments/djpg2m/bug_bounty_scam_blockchaincom_hackeronecom_didnt/ (50 upvotes with 92% upvotes so far. Thanks for voting <3) https://www.reddit.com/r/btc/comments/djpfu9/scam_blockchaincom_hackeronecom_didnt_pay_a_major/ (this one got nuked by a /r/btc mod) https://twitter.com/SnailsInTheMail/status/1185212527925436416https://forum.bitcoin.com/post294928.html#
|
|
|
|
TwitchySeal
Legendary
Offline
Activity: 2716
Merit: 2093
Join the world-leading crypto sportsbook NOW!
|
|
October 17, 2019, 08:52:41 AM |
|
That's annoying. Obviously you should get something. Not even a thank you is basically a middle finger.
I always assumed these bug bounty sites were given some sort of retainer or billed the actual site with the bug for any bounties they paid.
This makes me think maybe they just charge a flat rate or something for their 'service', maybe package it with a security audit.
If a bug bounty site has a financial incentive to not pay out bounties, like in the example above, they're actually doing a disservice to the sites being tested, the sites users, and the bug reporters. That's fucked up.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 17, 2019, 02:43:55 PM Last edit: February 23, 2020, 07:43:23 PM by BayAreaCoins |
|
Blockchain.com customer support email this morning. In the previous email, I let them know HackerOne said this was how the feature intended to function & I also included a link to this thread. I went ahead and sent Marco Santori a link to this thread on his personal website. If I was the President of an exchange I would want to know about this. Plus I noticed a typo on Mr. Santori's website, so I figured I'd get two birds stoned at once. That's annoying.
Super annoying. O well, life's annoying! I've got faith in Blockchain.com.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 17, 2019, 05:19:44 PM Last edit: October 17, 2019, 09:51:48 PM by BayAreaCoins |
|
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 12:18:21 PM Last edit: October 19, 2019, 11:29:52 AM by BayAreaCoins |
|
Whoa.... $50 for a critical infrastructure error and the HackerOne people STILL claiming it's normal practice & Google does it (Google doesn't don't worry) to display 2fa backup codes without re-authenticating both 2fa and password if the account has both. What is the point of 2fa in that case? This is NOT how military-grade 2fa security works at all. Severity "none" w-t-f "Pipelined for fix" also catches my eye because this fix has already taken place, as indicated in my OP. These HackerOne people are liars. "Note that other services, including Google, do not require 2FA code to reveal the backup codes." This is NOT true. Google absolutely requires 2fa to reveal 2fa codes. (see further down the thread) (this paragraph is a 10/19/2019 edit) "recognition of your effort to prioritize this fix" At least they are calling it a fix and not a fucking feature! Imagine this story: You have $10,000,000 on your account and you want to go to a coffee shop to trade. You know you aren't going to withdraw, so you leave your 2fa at home in your safe. Your account is covered by 2fa. You use Lastpass because your passwords are 30 characters long. While your sitting in the coffee shop, some punk grabs your computer and takes off. By the time you get done with the police and hot coffee shop girls making sure you're OK, that punk could have withdrawn $10,000,000 without my bug report (half in BTC and half in fiat as per The Pit's withdraw limits). My bug report just stopped that from happening because now that punk has to have your 2fa code to display your 2fa back up. Please keep in mind, I'm not 100% what the withdraw user experience & security features are like on "The Pit". I was only on the site for a few minutes to find this. IF it's like any other website + that bug that only required your password to dump and turn your 2fa... you'd be a fucked duck. End of edit.According to Blockchain.com's bug bounty they pay $2000 and more for critical infrastructure errors/errors that result in users funds... both of which this bug absolutely is. Also, the icing on the cake... HackerOne is demanding my personal information for a $50 bounty!!!!!!!!!!! Since when does US tax law require personal information for a $50 payment to a nonemployee independent contractor? In order to get a 1099 tax form in America, you have to earn over $600 in a year! (I'm not a CPA) Edited:
Here is the actual shit they are trying to force me to fill out to get $50...
https://www.taxgirl.com/2009/03/19/ask-the-taxgirl-can-i-refuse-to-complete-a-form-w-9/
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 12:27:33 PM |
|
My response to HackerOne staff: My follow up email to Blockchain.com staff:
|
|
|
|
LFC_Bitcoin
Legendary
Offline
Activity: 3710
Merit: 10435
#1 VIP Crypto Casino
|
|
October 18, 2019, 12:33:20 PM |
|
You might want to edit out your name in the letter. I presume you don’t want to dox yourself.
Fascinating reading though & the bounty paid is a joke by the way.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 12:42:52 PM Last edit: October 18, 2019, 01:27:35 PM by BayAreaCoins |
|
You might want to edit out your name in the letter. I presume you don’t want to dox yourself.
I've been a namefag for a while. It's all good! Thank you though <3 I appreciate you pointing it out. Fascinating reading though & the bounty paid is a joke by the way.
I don't know if I should laugh, cry, an hero or bang my head against the wall.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 01:08:51 PM Last edit: October 18, 2019, 01:29:29 PM by BayAreaCoins |
|
Here is the file I attached (blockchain.info.png) with proof Google requires 2fa before dumping 2fa backup codes:
|
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
|
Google absolutely does prompt for both account password and 2FA code before allowing you to do anything with your 2FA settings if 2FA is enabled. If your account doesn't, it's likely because you have left "Don't ask again on this computer" checked. It is checked by default every time you provide a 2FA code. Allowing any logged in account to access its 2FA backup codes without providing a 2FA code means that if anyone gains temporary access to your account they can disable 2FA at any point in the future. That's clearly "a credible attack".
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 01:48:59 PM |
|
Google absolutely does prompt for both account password and 2FA code before allowing you to do anything with your 2FA settings if 2FA is enabled. If your account doesn't, it's likely because you have left "Don't ask again on this computer" checked. It is checked by default every time you provide a 2FA code. Allowing any logged in account to access its 2FA backup codes without providing a 2FA code means that if anyone gains temporary access to your account they can disable 2FA at any point in the future. That's clearly "a credible attack". Thank god I'm not losing my marbles... I appreciate the second set of eyes Doog.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 02:10:22 PM |
|
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 02:19:55 PM Last edit: October 19, 2019, 11:32:30 AM by BayAreaCoins |
|
Wow, just wow. It went from a "working feature, how else would the recover their 2fa if lost?" to "Something they were already planning on fixing." No fucking way. This was a horrible security flaw that someone fucked up royally & fixed as soon as I reported it. I can't even imagine purposely leaving 2fa to be dumped with a password only. "not a critical security flaw as per the industry-accepted defination of the term" It should be noted that this is a MAJOR CRITICAL HOLY FUCK security flaw as per industry-accepted definition. Not to re-authenticating a user's 2fa or give the user a "remember this computer" option (which you shouldn't use ffs!) such as what Google does and is most certainly not military-grade "locked down" or likely even good enough for Neopets. Blockchain.com's bug bounty is a scam or some employees there are very confused about what the industry standard is for 2fa security, holy shit. I'm going to officially say that at this point. Updated in the OP.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 02:36:19 PM Last edit: October 18, 2019, 03:40:41 PM by BayAreaCoins |
|
Hold on... still a glimmer of hope...
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 02:40:16 PM Last edit: October 18, 2019, 08:18:49 PM by BayAreaCoins |
|
Jesus Christ on a stick. Unreal. I'm totally flabbergasted and at a lost for words. Needless to say, I will not be claiming that $50 by filling out any tax forms I'm not required to! Fuck that noise.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 03:17:43 PM |
|
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 04:09:00 PM Last edit: October 18, 2019, 08:18:08 PM by BayAreaCoins |
|
I am now calling this a scam as of this post due to Blockchain and HackerOne not honoring their Bug Bounty terms of payment. After going back and forth with Blockchain's & HackerOne's customer support, I also believe they made claims that they knew are flat out lies. Please read through and make your own decision. I have done my best to document everything here. Something feels real off to me about it. I find it hard to believe that their security team was aware of this problem and purposely chose not to fix it... or at least chose not to fix it until I reported it.
|
|
|
|
BayAreaCoins (OP)
Legendary
Offline
Activity: 4004
Merit: 1250
Owner at AltQuick.com
|
|
October 18, 2019, 07:14:36 PM Last edit: October 19, 2019, 09:04:42 AM by BayAreaCoins |
|
BlockchainPIT on their telegram channel is now editing their messages! I'm so fucking thankful I took screenshots. Before they edited their response was: "Steven stick to asking questions on the Pit on this channel. we have taken your points on board above and are looking into it. I have asked the relevant folks internally to ensure it's sorted correctly. Edit: Lol I'm just noticing that part of the edit in their telegram removed the "to ensure it's sorted correctly." lol *facepalm* srsly? Double edit: I'm not saying editing is bad. I make about a million edits and typos each post... but to remove the part that says they will get it sorted correctly is kinda funny in a sick way. lol
|
|
|
|
TwitchySeal
Legendary
Offline
Activity: 2716
Merit: 2093
Join the world-leading crypto sportsbook NOW!
|
Seems like this would be good story for some of those clickbait crypto news sites.
|
|
|
|
|