Bitcoin Forum
Author Topic: [RESOLVED] Bitherium.cc not a full decentralized exchange - PrivKey leaks  (Read 577 times)
Mallyx (OP)
Hero Member
Activity: 1138
Merit: 574
February 26, 2020, 03:56:03 PM
Last edit: March 03, 2020, 10:55:41 AM by Mallyx
Merited by nutildah (3), notblox1 (1), CucakRowo (1)
#1

Resolved here: https://bitcointalk.org/index.php?topic=5228661.msg53954607#msg53954607
Archive of that thread: http://web.archive.org/web/20200303104953/https://bitcointalk.org/index.php?topic=5228661.0&all=
Archive of the official thread: http://web.archive.org/web/20200303105444/https://bitcointalk.org/index.php?topic=5226563.0&all=

tl;dr:
1. I accused them of sending the users' private keys to the server.
2. They went into maintenance mode, then came back online.
3. It seems they resolved the issue.




Accusation:
Bitherium claims to be a fully decentralized exchange, but your private key and password are sent in plaintext to the server.


Proof:
You can try it yourself, but here is a screenshot of the XHR POST request when you create an account:






And when you want to unlock your wallet:






Obviously, everything is managed server-side. A token is bound to you. It means that your private key remains on the server somehow:




Other red flags:
  • Hidden team.
  • Very hard to verify the Seychelles Certificate of Incorporation.
  • Many low-level accounts are enjoying Bitherium on the main thread.
  • Hidden WHOIS.


Official thread: https://bitcointalk.org/index.php?topic=5226563.0
Jawhead999
Legendary
Activity: 1638
Merit: 1155
February 26, 2020, 04:54:28 PM
#2

Domain : bitherium.cc
Registrar : DYNADOT, LLC
Registered On : 2019-04-05
Expires On : 2020-04-05
Updated On : 2020-02-25
Status : clientTransferProhibited
Name Servers : liv.ns.cloudflare.com
                        mario.ns.cloudflare.com

I used this site to find the WHOIS: https://www.whois.com/whois/bitherium.cc



I also don't understand his investment plan; it's like reaching a certain level to earn more profit. Maybe a Ponzi? But I'm not sure... just my suspicion.

matejbilahora
Sr. Member
Activity: 1414
Merit: 275
February 27, 2020, 09:30:55 AM
#3

Well, this is going to be interesting. I knew it was a scam from the first moment I saw it. Too much nice talk about it and not much proof about who is who. That paper, the Seychelles Certificate of Incorporation, can be faked.
notblox1
Legendary
Activity: 2044
Merit: 1263
February 27, 2020, 11:01:32 AM
#4

Great work, OP.
This is a multiple-way scam.
Now I expect to see their clown account come here and write a bunch of stupid things.

watergold
Sr. Member
Activity: 1218
Merit: 251
February 27, 2020, 03:41:51 PM
#5

It turns out that there are still many scammers who continue to commit fraud, and the typical one claims to be a fully decentralized exchange, even though they want to find users by having them import their private keys, which are then saved by the scammer. This is an extraordinary catch in my opinion.

bitherium.cc
Copper Member
Newbie
Activity: 24
Merit: 0
February 27, 2020, 05:08:44 PM
#6

Hello Bitcointalk,


It took a little longer because we had to reconstruct and evaluate things first.

To the allegations

We never have and will never collect or keep private keys from wallets.

Some users seem to be trying hard to spread FUD, thanks for that.
However, we do not accept any dubious offers from you to receive positive fake posts here on Bitcointalk. We are a hard-working project. We do not need this and will not respond to your offers.

If we were scammers, we wouldn't program a DEX. We would also not be transparent in our external communication. All accusations are nothing more than accusations and defamations.

We are completely in the development phase. Deposits and withdrawals are deactivated.

Here you can see that we are working on the development of our smart contract (which is not yet finished): https://ropsten.etherscan.io/address/0x8b1c480428038e93f9e99fc9e34194a5f4c1fc60#code

The accusations that the private key is read by users are completely invented. This screenshot only shows that the user can see his own private key in his own browser session!

Here is a report from our developer team:





The consequences:

We will immediately end the ability to create wallets directly on our exchange. We will add a link to MyEtherWallet with a note on creating a Keystore wallet.

Now to the next topic:
We immediately end the possibility for the user to log in to us with his private key. It only works with MetaMask or a Keystore file, and we will work on connecting to the general ledger.

Thanks a lot for this organized, negative campaign; it made sure that we will make Bitherium even safer.
notblox1
Legendary
Activity: 2044
Merit: 1263
February 27, 2020, 06:05:47 PM
#7

Here he is with his feelings hurt now... oh, poor little clown, worried about an imagined evil 'campaign' against their circus.
It would also be good to learn proper English before you write, but it will not help you.

bitherium.cc
Copper Member
Newbie
Activity: 24
Merit: 0
February 27, 2020, 06:49:22 PM
#8

Here he is with his feelings hurt now... oh, poor little clown, worried about an imagined evil 'campaign' against their circus.
It would also be good to learn proper English before you write, but it will not help you.

Thank you very much for your non-constructive and totally useless post. Your words say much more about you now.
notblox1
Legendary
Activity: 2044
Merit: 1263
February 27, 2020, 08:19:15 PM
Last edit: February 27, 2020, 08:33:54 PM by notblox1
#9

Thank you very much for your non-constructive and totally useless post. Your words say much more about you now.

Your actions and lies say much more about you.


You can use your private key, Keystore file or MetaMask to log into our exchange, just like every decentralized exchange offers this login, similar to MyEtherWallet.
We can't collect or save anything from these details.

Our hired developer company got questions about security and we will inform you as soon as possible. If the dev company has created any security issues we will publish their name immediately. For now it looks like the users can see their own private keys only in their own web browser and the exchange only authorizes them.

We never have and will never collect or keep private keys from wallets.

Some users seem to be trying hard to spread FUD, thanks for that.
However, we do not accept any dubious offers from you to receive positive fake posts here on Bitcointalk. We are a hard-working project. We do not need this and will not respond to your offers.

If we were scammers, we wouldn't program a DEX. We would also not be transparent in our external communication. All accusations are nothing more than accusations and defamations.

The accusations that the private key is read by users are completely invented.

We immediately end the possibility for the user to log in to us with his private key. It only works with MetaMask or a Keystore file, and we will work on connecting to the general ledger.

Why did you stop your shit if everything is 'invented'?

Mallyx (OP)
Hero Member
Activity: 1138
Merit: 574
February 27, 2020, 08:33:48 PM
Last edit: February 27, 2020, 08:49:27 PM by Mallyx
#10

The screenshots only show the XHR request with all the data that was sent to the server. The data contains your private key and password.
On most browsers it's easy to track network activity.

Even without getting technical, a real DEX just doesn't need your private key. It only needs your signature to commit an action to the blockchain. The smart contract does the job.

1. You send the private key to the server.
2. Then you identify the user through a token to commit an order (like buying), which means that the private key is stored server-side.

That's not how a DEX works.



criticalknow
Newbie
Activity: 12
Merit: 0
February 27, 2020, 09:10:04 PM
#11

They're both stupid or just retarded, or both.

They both got too little love?

He has stated that the exchange is currently in the development phase
and a decentralized smart contract is in development.

Don't you understand what that statement means?


That it was a hybrid exchange before and everything went well.

They make themselves completely ridiculous.
Mallyx (OP)
Hero Member
Activity: 1138
Merit: 574
February 28, 2020, 07:45:57 AM
#12

I can understand that the platform is in a beta stage.

No DEX wallet needs to send your private keys to the server anyway, even for a check. That's a major failure, or a scam attempt.
Plenty of libs exist to handle that client-side through JavaScript (e.g. https://github.com/nakov/client-side-ethereum-wallet).

If you show honesty and fix that issue, I'll remove my complaint.
criticalknow
Newbie
Activity: 12
Merit: 0
February 28, 2020, 10:45:34 AM
Last edit: February 28, 2020, 10:56:05 AM by criticalknow
#13

Now, among adults and developers:

Have you ever tried to contact this project
to find out if this company actually wants to cheat,

or whether there was a technical problem, or whether there was a problem at all?

A company works for this project;
they are in the process of optimizing some things.

Private key login is completely deactivated. Not because of the exchange, but because it is a danger for the user to have the private key on the computer.

These guys have also completely outsourced the creation of wallets.
You are wrong if you say there is a scam.

Think about it before you say these things. It would have been professional to contact the project first; they are fighting for the same thing as you.

notblox1
Legendary
Activity: 2044
Merit: 1263
February 28, 2020, 11:38:29 AM
Last edit: February 28, 2020, 12:04:38 PM by notblox1
#14

You are insulting people here,
and from the way you are speaking it is obvious you are the same person as your other account, bitherium.cc,

registered yesterday.

bitherium.cc
Copper Member
Newbie
Activity: 24
Merit: 0
February 28, 2020, 07:24:22 PM
#15

I can understand that the platform is in a beta stage.

No DEX wallet needs to send your private keys to the server anyway, even for a check. That's a major failure, or a scam attempt.
Plenty of libs exist to handle that client-side through JavaScript (e.g. https://github.com/nakov/client-side-ethereum-wallet).

If you show honesty and fix that issue, I'll remove my complaint.

Hello Mallyx,

As we told you before, our exchange is in the test phase. Some things have not been checked yet or implemented. The fact is that you could see your own private key, but only in your own browser, in your session. You were just faster than we were. Now we have implemented encryption.

The other thing is that you accused us of collecting / storing private keys. There is a difference between checking in the backend or frontend and saving a private key. A private key was never stored. We can assure you of that. We evaluated all Bitcointalk feedback in the past few days and our developers had to answer questions and provide evidence. I would also like to thank you for your indirect help. Based on your campaign, we checked again whether the availability of login with private keys makes sense for users. And after a lot of talks we decided to turn it off, regardless of whether the validation in the front end is carried out via web3.js and thus externally. Instead of that option we are working to ensure that the user can soon log in with their Ledger hardware wallet.

For security reasons, we also decided that users will only be able to create their wallets externally, to dispel any doubts. Another note for you: before we open our exchange for trading, the code will be checked by 2 independent companies.

If you have any further comments or concerns, please let us know at info@bitherium.cc or join our telegram channel and we can talk more about the project.

-The Bitherium team



TryNinja
Legendary
Activity: 2814
Merit: 6971
February 28, 2020, 07:33:45 PM
Merited by Mallyx (5)
#16

As we told you before, our exchange is in the test phase. Some things have not been checked yet or implemented. The fact is that you could see your own private key but only in your own browser - in your session. You were just faster than we were. Now we implemented encryption.
That's a lie. The page was sending a POST request with the private key and its password in plaintext to your server.

Whether you saved the private key or not is something we cannot confirm, since it was handled by your server and we do not have access to it. But saving it was as simple as taking the body data from the request and saving it anywhere you wanted. So it was definitely possible. Do not lie saying this data was handled in the client, in his own browser, because it was NOT.

bitherium.cc
Copper Member
Newbie
Activity: 24
Merit: 0
February 28, 2020, 07:58:31 PM
#17

As we told you before, our exchange is in the test phase. Some things have not been checked yet or implemented. The fact is that you could see your own private key, but only in your own browser, in your session. You were just faster than we were. Now we have implemented encryption.
That's a lie. The page was sending a POST request with the private key and its password in plaintext to your server.

Whether you saved the private key or not is something we cannot confirm, since it was handled by your server and we do not have access to it. But saving it was as simple as taking the body data from the request and saving it anywhere you wanted. So it was definitely possible. Do not lie saying this data was handled in the client, in his own browser, because it was NOT.

We will explain it once more now. In our test phase we sent the private key to the backend to check (through web3.js) whether it is valid or not. And because we had no encryption at the time, this event occurred. We presented everything transparently and, above all, we changed everything you wanted.
TryNinja
Legendary
Activity: 2814
Merit: 6971
February 28, 2020, 08:03:27 PM
#18

We will explain it once more now. In our test phase we sent the private key to the backend to check (through web3.js) whether it is valid or not. And because we had no encryption at the time, this event occurred. We presented everything transparently and, above all, we changed everything you wanted.
Exactly. You were sending it to your backend. Like I said, whether you were only checking if it's valid or saving them is not up to me to say. A DEX would not need any of this to reach the backend after all.

But your answer was:
The fact is that you could see your own private key, but only in your own browser, in your session. You were just faster than we were. Now we have implemented encryption.
The accusations that the private key is read by users are completely invented. This screenshot only shows that the user can see his own private key in his own browser session!
The bolded part is a lie. If it reached your backend, you could supposedly have seen it all and saved it. If you admit it was sent to the backend, then how is it only in the browser session? Again, whether you saved it or not, we can't know. But you COULD have been saving it. That's the point of OP's thread.

criticalknow
Newbie
Activity: 12
Merit: 0
February 28, 2020, 08:14:13 PM
Last edit: February 28, 2020, 08:32:13 PM by criticalknow
#19

Don't answer anymore.
You did everything you could.


It looks like these people are not about security, but are just portraying you as a scam to get attention.


Forget it.

Honestly,

a blind man sees that there is no fraud here.

If this project wanted to scam, they would have implemented encryption beforehand

and not afterwards. Really hard to read.

bitherium.cc
Copper Member
Newbie
Activity: 24
Merit: 0
February 28, 2020, 08:23:43 PM
#20

We will explain it once more now. In our test phase we sent the private key to the backend to check (through web3.js) whether it is valid or not. And because we had no encryption at the time, this event occurred. We presented everything transparently and, above all, we changed everything you wanted.
Exactly. You were sending it to your backend. Like I said, whether you were only checking if it's valid or saving them is not up to me to say. A DEX would not need any of this to reach the backend after all.

But your answer was:
The fact is that you could see your own private key, but only in your own browser, in your session. You were just faster than we were. Now we have implemented encryption.
The accusations that the private key is read by users are completely invented. This screenshot only shows that the user can see his own private key in his own browser session!
The bolded part is a lie. If it reached your backend, you could supposedly have seen it all and saved it. If you admit it was sent to the backend, then how is it only in the browser session? Again, whether you saved it or not, we can't know. But you COULD have been saving it. That's the point of OP's thread.

We would not say "lie" but "not true". Yes, that was the first reaction (of the social media manager) that we thought was right; we should have examined it first.