Bitcoin Forum
Author Topic: Round#2 [OPEN] Omnisee 🚨 Bug Hunt Campaign – Help To Improve & Get Rewarded! 🐞  (Read 539 times)
ContentWriter
Member
Activity: 403
Merit: 15
May 06, 2026, 07:26:27 AM
 #41

Report Title: Confidence Percentage Mismatch

Report Details: While analyzing a Bitcoin address that the AI Detective stated has been reported for being used for scams, I still noticed that the system rated it high in confidence. Why would a scam wallet have a Confidence rating of 69% and a Risk score of 57%? Why is the Confidence higher than the Risk? I think Confidence for a scam wallet should be low, not high.

As you can see, I also analyzed the Satoshi genesis address, for which the AI Detective returned a risk score of 15% and Confidence of 82%, which makes more sense. I think the way the Confidence score is calculated, especially for high-risk wallets, should be re-evaluated.



Italian Panic
Hero Member
Activity: 1008
Merit: 549
May 06, 2026, 07:49:31 AM
 #42

Report Title: Unsanitized external input stored and returned via API

Report Details: Starting with any address (I use the Silk Road one, but it could be your own or Satoshi’s Genesis address)

https://omnisee.io/api/address/1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx/scam-check

and querying the API, you get:

Code:
{
  "address": "1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx",
  "is_scam": true,
  "details": {
    "is_scam": true,
    "address": "1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx",
    "category": "sextortion",
    "risk_level": "high",
    "sources": [
      "chainabuse"
    ],
    "report_count": 5,
    "first_seen": "2026-03-27T20:45:09+00:00",
    "description": "ChainAbuse: {{7*7}} its for the test in bugcrowd",
    "ai_summary": "## Verdict\nSUSPICIOUS — address linked to sextortion scams, but no authoritative sanctions or law enforcement confirmation.\n\n## Key Factors\n- Flagged by multiple community reports (5) on ChainAbuse as a sextortion scam wallet.\n- On-chain activity shows high total received (208,210 BTC) with zero balance, consistent with a disposable collection address.\n- Mixing score indicates some coinjoin usage, possibly to obfuscate flow.\n\n## Activity Pattern\nAddress likely used to receive payments from sextortion email scams. Large volume suggests widespread targeting; funds have been moved out.\n\n## Recommendation\nMONITOR — while not confirmed by OFAC or major analytics firms, the pattern and multiple reports warrant caution. Interaction may expose users to legal or reputational risk."
  }
}

the line
Code:
"description": "ChainAbuse: {{7*7}} its for the test in bugcrowd"

This shows that the ChainAbuse data has not been sanitized; had the expression been evaluated, it would have returned 49. It is the log of a test carried out on Bugcrowd by someone else. If this field is rendered in an HTML context without escaping, it could lead to Stored XSS.

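Added example (my own code, not Omnisee's and not from the poster above): how a consumer of the ChainAbuse feed can flag injection-looking text on ingest and escape it at render time, so the stored "{{7*7}}" probe is displayed literally and is never treated as markup or as a template. The function names and the review_flags field are assumptions for the example.

```python
import html
import re
from typing import List

# Constructed sample: the description value quoted in the post above, as stored
# from the third-party ChainAbuse feed. The "{{7*7}}" is a template-injection
# probe someone submitted upstream; the platform stores and returns it verbatim.
SAMPLE_DESCRIPTION = "ChainAbuse: {{7*7}} its for the test in bugcrowd"

# Heuristics for content that should never reach a renderer unescaped. They only
# flag records for review; escaping (below) is what protects the output context.
SUSPICIOUS_PATTERNS = [
    ("template-expression", re.compile(r"\{\{.*?\}\}|\$\{.*?\}")),
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("script-scheme", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def flag_suspicious(text: str) -> List[str]:
    """Return labels of the injection-looking patterns present in untrusted feed text."""
    return [label for label, pattern in SUSPICIOUS_PATTERNS if pattern.search(text)]


def render_description(text: str) -> str:
    """Escape for an HTML text or attribute context so the value displays literally.

    html.escape turns <, >, &, " and ' into entities, so a stored tag becomes
    inert text. A curly-brace expression has no HTML meaning and is left as-is;
    it is only dangerous if the string is later handed to a template engine as
    the template rather than as data, which the rendering code must never do.
    """
    return html.escape(text, quote=True)


def ingest_feed_record(record: dict) -> dict:
    """Normalise a third-party record before storage: keep the raw text for
    analysts but attach review flags so the UI can treat flagged rows specially."""
    description = str(record.get("description", ""))
    return {
        **record,
        "description": description,
        "review_flags": flag_suspicious(description),
    }
```

The flag is a review signal for the code path that renders the field, not a replacement for escaping: every place the description reaches HTML goes through render_description regardless of whether it was flagged.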
Italian Panic
Hero Member
Activity: 1008
Merit: 549
May 06, 2026, 08:19:52 AM
 #43

Report Title: Risk scoring algorithm uses current balance instead of total received, causing critically low scores for confirmed scam addresses

Report details: the risk scoring system contains a logic error in the financial factor calculation. The algorithm evaluates the current balance of an address instead of the total amount received, resulting in a score of 0 for the financial factor on scam addresses that have already moved their funds — which is the typical behavior of every real scam wallet.

Steps to Reproduce:
Query the AI analysis endpoint for a known scam address:
Code:
https://omnisee.io/api/address/1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx/analyze

From dev tools --> Network --> analyze --> Response, we examine the fields "score", "level" and "analysis".

Observe the score breakdown in the response:
   
Code:
"financial": {
       "total_btc": 0.0,
       "total_usd": 0.0,
       "score": 0
   }

Compare with the actual on-chain data:
   Total received: 208,210 BTC
   Current balance: ~0.01 BTC
   Financial score: 0/100

The problem is in the scoring algorithm: the financial score is 0 because it is taken from the actual balance instead of the total received (208k BTC). This address, with 208k BTC from a scam source, must score 100/100, not low.

Cross-check with scam check API confirms the address is already flagged:

Code:
https://omnisee.io/api/address/1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx/scam-check

Code:
Returns: "is_scam": true, "risk_level": "high"

So the system knows it's a scam, but the score says 58/100. That's the contradiction.




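Added example, not Omnisee's scoring code: a hypothetical log-scale volume score applied once to the current balance (the defect the post describes) and once to total received, using the post's figures for the Silk Road address, plus a hypothetical aggregation that floors the overall score when the scam-check endpoint already says is_scam/high, so the two endpoints cannot contradict each other. The curve, its saturation point and the floor values are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class AddressStats:
    """On-chain figures for one address, in BTC."""
    balance_btc: float
    total_received_btc: float


# Constructed input using the numbers quoted in the post.
SILK_ROAD_ADDRESS = AddressStats(balance_btc=0.01, total_received_btc=208_210)

# Volume at which the curve saturates at 100; hypothetical, not Omnisee's value.
SATURATION_BTC = 1_000_000


def financial_score(volume_btc: float) -> int:
    """Map a BTC volume to 0..100 on a log scale (hypothetical curve)."""
    if volume_btc <= 0:
        return 0
    score = 100 * math.log10(1 + volume_btc) / math.log10(1 + SATURATION_BTC)
    return int(min(100, round(score)))


def financial_score_buggy(stats: AddressStats) -> int:
    """The defect described in the post: scoring the current balance, which is
    ~0 for any wallet that has already cashed out."""
    return financial_score(stats.balance_btc)


def financial_score_fixed(stats: AddressStats) -> int:
    """Score lifetime inflow instead; emptying the wallet no longer hides it."""
    return financial_score(stats.total_received_btc)


def overall_risk(financial: int, is_scam: bool, risk_level: str) -> int:
    """Combine the factor score with the scam-check verdict.

    Hypothetical aggregation: a scam-check result of is_scam with risk_level
    'high' floors the overall score at 80 (60 for any other is_scam result), so
    the contradiction the post shows (is_scam true, risk_level high, overall
    58/100) cannot occur.
    """
    score = financial
    if is_scam and risk_level == "high":
        score = max(score, 80)
    elif is_scam:
        score = max(score, 60)
    return min(100, score)
```

With total received as the input the Silk Road address scores 89/100 on this curve instead of 0, and the floor alone would already lift an all-zero factor set to 80 once the scam-check verdict is high.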
Italian Panic
Hero Member
Activity: 1008
Merit: 549
May 06, 2026, 08:35:14 AM
 #44

Report Title: Admin authentication token exposed via URL query parameter instead of HTTP header

Report details: Admin panel authentication is implemented by passing the token as a URL query parameter. This is confirmed by the publicly accessible openapi.json file:

https://pastebin.com/gTxZHrCx

Every admin endpoint contains:
Code:
{
  "name": "token",
  "in": "query",
  "required": false,
  "schema": {"type": "string"}
}

This means that every time an admin accesses the panel, the token appears directly in the URL, for example:
/api/admin/stats?token= .......

This means the token is exposed in server access logs, in the browser history on the admin machine, and in the Referer header when navigating to external links.

An attacker with access to any of these sources could obtain a valid admin token without brute force.

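Added example, not the project's code: a header-only admin check in plain Python (no web framework assumed) that refuses a token arriving in the query string and logs that refusal as the signal that some client still uses the old URL form, plus a redactor for access-log lines during the transition. The ADMIN_TOKEN value and the function names are constructed for the example.

```python
import hmac
import logging
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

logger = logging.getLogger("admin-auth")

# Constructed secret for the example; a deployment loads it from a secret store.
ADMIN_TOKEN = "example-admin-token-not-a-real-credential"


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Pull the credential from 'Authorization: Bearer <token>' only."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not auth:
        return None
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def authenticate_admin(headers: Dict[str, str], query_string: str) -> bool:
    """Accept the header form; refuse (and log) the query-string form.

    Refusing instead of silently accepting both is what forces legacy clients
    to migrate; the warning is the detection signal that a client still puts
    the token in the URL, where logs, history and Referer headers capture it.
    """
    if "token" in parse_qs(query_string, keep_blank_values=True):
        logger.warning("admin token supplied in query string; refused")
        return False
    presented = extract_bearer(headers)
    if presented is None:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(presented.encode(), ADMIN_TOKEN.encode())


TOKEN_PARAM = re.compile(r"([?&]token=)[^&#]*", re.IGNORECASE)


def redact_url_for_log(url: str) -> str:
    """Scrub a token query parameter before a request URL is written to an
    access log, for the period while old-style URLs still reach the server."""
    return TOKEN_PARAM.sub(r"\1[REDACTED]", url)
```

Existing logs written before the change still hold valid tokens; rotating the admin token after deploying the header-only check closes that window.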
Italian Panic
Hero Member
Activity: 1008
Merit: 549
May 06, 2026, 09:40:49 AM
 #45

Report Title: site omnisee.io is not smartphone friendly, it's truncated on the right

Report details: if you try to open the site from various smartphone devices, the right side is truncated



Italian Panic
Hero Member
Activity: 1008
Merit: 549
May 06, 2026, 09:46:37 AM
 #46

Report Title: The field values on the home page are not aligned

Report details: For a smoother and more visually appealing experience, it would be helpful if the results for the fields relating to the blockchain, price, hashrate, etc. were aligned in the same line.


Italian Panic
Hero Member
Activity: 1008
Merit: 549
May 06, 2026, 10:20:21 AM
 #47

Report Title: on Opera browser (Linux OS) the "full graph" doesn't work

Report details: with a random wallet address the full graph option doesn't work in the Opera browser, as in the image below.

EDIT: tried again after 1 hour, same problem


ContentWriter
Member
Activity: 403
Merit: 15
May 06, 2026, 10:41:46 AM
 #48

Report Title: AI Detective Returns Neutral Risk Score (50/100) for Well-Known Scam Address

Report details: I used Google to search and investigate a well-known scam address, 1DVhaBdbp5mx5Y8zR1qR9NBiQtrgL9ZNQs, that operated since 2017. Surprisingly, the AI Detective gave it a Risk score of 50% and Confidence score of 54%. This shows that the scoring logic fails to prioritize known scam addresses. This incorrect risk classification undermines trust. The key factor segment of the report states
Quote
Only one reporting source (ScamBreaker) labels it as scam; lacks OFAC/Chainalysis backing.
This is an indication that the system heavily discounts single-source reports. A scam address should never be rated neutral. A 70 BTC inflow and 0 BTC balance is typical scam address behavior.


ContentWriter
Member
Activity: 403
Merit: 15
May 06, 2026, 11:11:53 AM
 #49

Report Title: AI Detective Misidentifies Legitimate Bitfinex Cold Wallet As Scam

Report Details: AI Detective misidentified a legitimate address as a scam. I searched Bitfinex cold wallet, 3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r using the AI Detective. Despite being a well-known wallet, AI Detective gave it a risk score of 50% and Confidence score of 54%. It further alluded to the potential use for impersonation and dust attacks. It further mistook it for a mixer address.

Obviously, the Risk score should be very low (10% or less) and it should be described as a Legitimate Exchange wallet. It is obvious that AI Detective treats high volume addresses as "suspicious"
Quote
Address likely used as a mixing hub or impersonation target, receiving massive amounts and immediately moving them out. Reports may refer to dust attacks or OP_RETURN spam rather than genuine scam proceeds.

It is obvious that incorrect classification of legitimate entities damages the credibility of the platform.




ContentWriter
Member
Activity: 403
Merit: 15
May 06, 2026, 12:43:03 PM
 #50

Report Title: Incorrect Terminology Use By AI Detective

Report Details: The transaction metrics of the AI Detective include terms like "tokens" which have no bearing on the Bitcoin network. The right terms should be sats, BTC, transactions (txs), etc., and not "Tokens: 1785 in / 146 out | Duration: 5.9s | 27.47 tok/s". Incorrect use of terminology affects the credibility of the platform. Bitcoin-specific language and terms are appropriate for a platform like Omnisee. Sloppy use of terms gives the impression that the platform supports altcoins such as ETH.

Right terms should be total BTC received, BTC sent and transactions per second.

ContentWriter
Member
Activity: 403
Merit: 15
May 07, 2026, 01:12:43 PM
Last edit: May 07, 2026, 11:01:45 PM by ContentWriter
 #51

Report Title: WordPress Configuration Files Are Present On a Non-WordPress Server

Report Details: During security testing, I saw paths associated with WP configuration files that return 403 Forbidden status codes. This confirms the existence of these files, which didn't return 404. Some of these include /.wp-config.php.swp, /wp-config.php, /.wp-config.php, and /wp-config.php~. These shouldn't exist on Omnisee, a platform that runs custom Bitcoin analytics, and so should be cleaned out. This is evidenced by the presence of a Vim swap file (.swp), indicating incomplete cleanup.

This points to the fact that the server contains obsolete or forgotten but useless files, or even a WP installation not in use. This bug demands an audit of the server and the deletion of forgotten files. Simply run
Code:
find / -name 'wp-config.php*' 2>/dev/null
on the server to locate all WordPress-related files.

I found over 30 WordPress configuration file variants, including numbered backups (wp-config.php.1, .2, etc.), Vim swap files (.swp, .swn, .swo), and common backup extensions (.bak, .old, .save, .orig, .backup, .zip, .txt).

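Added example, not the poster's script: a Python walker that does what the find one-liner does but classifies each hit by the leftover shapes the post lists (Vim swap files, tilde backups, numbered backups, backup extensions) and by any wp-config.php variant, run here over a constructed temporary tree rather than a real document root. The pattern labels and the tree contents are my assumptions.

```python
import os
import re
import tempfile
from typing import List, Sequence

# Name shapes that indicate editor or backup leftovers rather than deployed code.
# These are heuristics (the numbered-backup rule also matches "libfoo.so.1"),
# so treat the output as a review list, not an automatic delete list.
LEFTOVER_PATTERNS = [
    ("vim-swap", re.compile(r"^\..*\.sw[a-p]$")),        # .wp-config.php.swp / .swo / .swn
    ("editor-backup", re.compile(r".+~$")),               # wp-config.php~
    ("backup-extension", re.compile(r".+\.(bak|old|save|orig|backup)$", re.IGNORECASE)),
    ("numbered-backup", re.compile(r".+\.\d+$")),          # wp-config.php.1, .2, ...
]


def classify_name(name: str) -> List[str]:
    """Labels of every leftover pattern a file name matches."""
    return [label for label, pattern in LEFTOVER_PATTERNS if pattern.match(name)]


def audit_tree(root: str, sensitive_stems: Sequence[str] = ("wp-config.php",)) -> List[str]:
    """Walk a document root and list files that are leftovers or that carry a
    sensitive stem in any form (wp-config.php.zip, wp-config.php.txt, ...)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            labels = classify_name(name)
            if any(stem in name for stem in sensitive_stems):
                labels.append("sensitive-stem")
            if labels:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(f"{rel}: {', '.join(labels)}")
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed tree mirroring the variants named in the post."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "static"))
    for rel in ("index.html", "static/app.js", "wp-config.php", ".wp-config.php.swp",
                "wp-config.php~", "wp-config.php.1", "wp-config.php.bak", "wp-config.php.zip"):
        with open(os.path.join(root, rel), "w", encoding="utf-8"):
            pass
    return root
```

Run audit_tree against the real document root (as the user the web server runs as) and compare the list against what the deployment manifest says should be there; anything on the list and not in the manifest is a cleanup candidate.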
irfan_pak10
Legendary
Activity: 3710
Merit: 1720
May 07, 2026, 06:53:14 PM
 #52

Report Title:   /api/address/{addr}/analyze has no rate limit

AI Detective endpoint is unauthenticated and unthrottled. Each call burns ~2,000 LLM tokens (7-18 s wall time). 10 sequential POSTs all returned 200. Sustained spam drains the LLM budget and slows service for real users.
Reproducer
Code:
for i in $(seq 1 10); do
  curl -s -o /dev/null -X POST \
    "https://omnisee.io/api/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa/analyze" \
    -H "Content-Type: application/json" -d '{}' \
    -w "%{http_code} "
done
# Result: 200 200 200 200 200 200 200 200 200 200

Impact
•   Attacker sustains ~5-10 RPS to drain the LLM budget (potentially thousands of dollars per day in tokens).
•   Analysis queue backs up; legitimate users see 7-18 s+ latency.
•   Combines with next bug (no body schema) to amplify the attack with arbitrary payload size.
Fix
•   Per-IP token-bucket rate limit on /analyze (e.g., 5/min, 50/hour for anonymous).
•   Optional: require a lightweight challenge (Cloudflare Turnstile / hCaptcha) before invoking the LLM.
•   Reject request bodies that do not match a Pydantic schema (see next bug).
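Added example (not Omnisee's code): a per-client token-bucket limiter with the two tiers the fix proposes, 5 per minute and 50 per hour, driven by a fake clock so the reproducer's 10-request burst and a longer run can be checked without a server. Denied requests consume nothing, so a client that is already over the per-minute limit cannot also burn down its hourly allowance. The client address 203.0.113.7 is a documentation-range placeholder.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass
class _Bucket:
    capacity: float
    period: float      # seconds to refill from empty to full
    tokens: float
    last: float


class TokenBucketLimiter:
    """Per-client limiter with several tiers, e.g. [(5, 60), (50, 3600)] for
    5 per minute and 50 per hour. A request is admitted only if every tier has
    a token; denied requests consume nothing."""

    def __init__(self, tiers: Sequence[Tuple[int, float]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.tiers = list(tiers)
        self.clock = clock
        self._buckets: Dict[str, List[_Bucket]] = {}

    def _refreshed(self, client: str) -> List[_Bucket]:
        now = self.clock()
        buckets = self._buckets.get(client)
        if buckets is None:
            buckets = [_Bucket(cap, period, cap, now) for cap, period in self.tiers]
            self._buckets[client] = buckets
            return buckets
        for b in buckets:
            # Multiply before dividing so a whole-period refill is an exact float.
            b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.capacity / b.period)
            b.last = now
        return buckets

    def allow(self, client: str) -> bool:
        buckets = self._refreshed(client)
        if all(b.tokens >= 1 for b in buckets):
            for b in buckets:
                b.tokens -= 1
            return True
        return False


class FakeClock:
    """Manually advanced clock so behaviour can be checked without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


DEFAULT_TIERS = [(5, 60), (50, 3600)]


def simulate_burst(n: int, tiers: Sequence[Tuple[int, float]] = DEFAULT_TIERS) -> List[int]:
    """Status codes for n back-to-back calls from one IP: the post's reproducer
    loop, but against a limited /analyze."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(tiers, clock)
    return [200 if limiter.allow("203.0.113.7") else 429 for _ in range(n)]


def simulate_minutes(minutes: int, per_minute: int,
                     tiers: Sequence[Tuple[int, float]] = DEFAULT_TIERS) -> int:
    """Total admitted when one client sends per_minute requests every minute."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(tiers, clock)
    admitted = 0
    for _ in range(minutes):
        admitted += sum(limiter.allow("203.0.113.7") for _ in range(per_minute))
        clock.t += 60
    return admitted
```

In a FastAPI service the client key would come from the request's peer address (or a trusted forwarded-for header behind Cloudflare) in a dependency that raises 429 when allow() returns False; the limiter itself has no framework dependency.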




irfan_pak10
Legendary
Activity: 3710
Merit: 1720
May 07, 2026, 06:55:43 PM
 #53

Report Title:   /openapi.json publicly exposes 38 internal API endpoints
FastAPI auto-docs were not disabled in production. The full OpenAPI 3.1 schema (21 KB) is reachable, enumerating every internal route, parameter name, and operationId.

Reproducer

Code:
$ curl -sI https://omnisee.io/openapi.json
HTTP/1.1 200 OK
Content-Type: application/json
 
$ curl -s https://omnisee.io/openapi.json | jq '.paths | keys | length'
38

Impact
•   Free roadmap of every endpoint without path-fuzzing.
•   Internal route names like get_address_scam_check_api_address__address__scam_check_get leak Python function names.
•   New endpoints are advertised the moment they are added to the codebase.

Fix
Code:
app = FastAPI(openapi_url=None, docs_url=None, redoc_url=None)
•   Or gate them behind an admin-only dependency.


irfan_pak10
Legendary
Activity: 3710
Merit: 1720
May 07, 2026, 06:58:07 PM
 #54

Report Title:  /docs (FastAPI Swagger UI HTML) reachable anonymously

Same root cause as Bug #2. CSP partially blocks the JS payload from cdn.jsdelivr.net, but the HTML still serves and references /openapi.json. Bots, search engines and threat-intel tools index it.

Reproducer

Code:
$ curl -sI https://omnisee.io/docs
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

Impact
•   Title "Bitcoin Analytics API - Swagger UI" is indexable by search engines.
•   Reveals the use of FastAPI to attackers fingerprinting the stack.

Fix
Disable in production via the FastAPI constructor



ContentWriter
Member
Activity: 403
Merit: 15
May 07, 2026, 11:06:33 PM
 #55

Quote
Report Title:  /docs (FastAPI Swagger UI HTML) reachable anonymously

Same root cause as Bug #2. CSP partially blocks the JS payload from cdn.jsdelivr.net, but the HTML still serves and references /openapi.json. Bots, search engines and threat-intel tools index it.

Reproducer

Code:
$ curl -sI https://omnisee.io/docs
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

Impact
•   Title "Bitcoin Analytics API - Swagger UI" is indexable by search engines.
•   Reveals the use of FastAPI to attackers fingerprinting the stack.

Fix
Disable in production via the FastAPI constructor





Report Title: Additional endpoint /redoc exposes the same OpenAPI specification

Report Details: I also found that the same FastAPI documentation exposure is also present on the /redoc endpoint.

Here are the steps to reproduce:

Navigate to https://omnisee.io/redoc

View page source

Findings:

Returns 200 OK (905B - /redoc)

Page source contains: <redoc spec-url="/openapi.json">

Also note that it references the same /openapi.json specification as /docs

The impact is the same as /docs — API specification is referenced and could be indexed

Additional endpoint fingerprinting FastAPI usage

Page source reveals the location of /openapi.json



Although the ReDoc UI does not render, the endpoint itself is publicly accessible nonetheless and confirms the same information disclosure.

ContentWriter
Member
Activity: 403
Merit: 15
May 08, 2026, 07:34:10 AM
Last edit: May 08, 2026, 09:28:48 AM by ContentWriter
 #56

Report Title: Public API Endpoint /api/stats/price Returns Data Without Authentication

Report Details: The public API endpoint /api/stats/price returns data without authentication, thereby allowing unrestricted scraping and abuse. https://omnisee.io/api/stats/price returns current Bitcoin price data in several fiat currencies (USD, EUR, GBP, CAD, CHF, AUD, JPY), and this is done without the requisite API key, token or authentication. The consequence of this bug is automatic scraping, data abuse and potential denial of service attacks.

Steps to Reproduce:

Open a web browser

Navigate to https://omnisee.io/api/stats/price

Observe the JSON response containing price data


ContentWriter
Member
Activity: 403
Merit: 15
May 08, 2026, 08:28:43 AM
 #57

Report Title: Public API Endpoint /api/address/{address} Returns Blockchain Address Data Without Authentication

Report Details: The endpoint https://omnisee.io/api/address/{address} returns Bitcoin data such as balance, transaction count, volume received and sent without due authentication, token or API key. This enables unrestricted and automated scraping and surveillance.
Unlimited requests could overwhelm backend providers and should be discouraged.

Steps to Reproduce:

Open a web browser

Navigate to https://omnisee.io/api/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (Satoshi's Genesis address)

Observe the JSON response containing address details

ContentWriter
Member
Activity: 403
Merit: 15
May 08, 2026, 09:28:04 AM
 #58

Report Title: Block Pages Display Transaction Count But No Transaction List

Report Details: Clicking the block pages on the Omnisee homepage does not reveal transaction lists. The only data available are height, hash, timestamp, size, weight, version, nonce, difficulty, merkle root, etc. The transactions in the block are not listed; the transaction table is absent. There is no pagination and no "load more" button. So there is no way for users to view or access individual transactions within the block. This is supposed to be a core feature of any blockchain explorer.

Steps to Reproduce:

Navigate to https://omnisee.io/block/948,438 (or any block from the Latest Blocks list)

Observe the block details page

Scroll down to find the transaction list

You would expect a paginated or scrollable list of all transactions in the block, with links to each transaction's detail page (e.g., /tx/[txid]), including inputs, outputs, amounts, and fees. However, only block metadata is displayed.

Code:
Height
948,438
Hash
00000000000000000001b94547385af991606982a7b3acb8e90d86bcb433fa00
Timestamp
May 08, 2026 08:52:01 AM
Transactions
4,295
Size
2.07 MB
Weight
3,993,614 WU
Version
536952832
Nonce
678,623,967
Difficulty
1.3247e+14
Merkle Root
6f8ecf9fb4fdd8cb68cab1edbb2645a82359937364771fb8b6e889556fc8c6d3
Previous Block
00000000000000000001f1b55ce8b9c856936b973c43d31246ef75ed423b3dac

Suggestion: Omnisee should add a transaction table below the block metadata


irfan_pak10
Legendary
Activity: 3710
Merit: 1720
May 08, 2026, 06:49:16 PM
 #59

MAJOR   /redoc (ReDoc API browser) reachable anonymously

Second API documentation surface. Same root cause as Bugs #2 and #3.

Reproducer
Code:
$ curl -sI https://omnisee.io/redoc
HTTP/1.1 200 OK

Impact
•   Duplicate exposure of the same internal schema through a different UI.

Fix
Disable in production (redoc_url=None in the FastAPI constructor).
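Added example covering this report and the /openapi.json and /docs reports earlier in the thread (not the project's code): an offline check that classifies responses for the three FastAPI documentation paths and counts the auto-generated operationIds that leak Python function names. It runs here over constructed responses shaped like the posts' findings; the fetcher is injectable, so the same check can run in a deploy pipeline against a live host with urllib. The route names in the constructed spec are placeholders; the one real-looking operationId is the one quoted in the /openapi.json post.

```python
import json
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str, str]   # (status code, Content-Type, body)
Fetcher = Callable[[str], Response]

DOC_SURFACES = ("/openapi.json", "/docs", "/redoc")


def auto_generated_operation_ids(spec: dict) -> List[str]:
    """FastAPI's default operationId is '<function>_<path with underscores>_<method>';
    a double underscore marks a path parameter, so such IDs leak function names."""
    ids = []
    for methods in spec.get("paths", {}).values():
        for op in methods.values():
            if isinstance(op, dict) and "__" in op.get("operationId", ""):
                ids.append(op["operationId"])
    return ids


def classify(path: str, status: int, content_type: str, body: str) -> str:
    """Return a finding if the response exposes API documentation, else ''."""
    if status != 200:
        return ""
    if path == "/openapi.json" and "json" in content_type:
        try:
            spec = json.loads(body)
        except ValueError:
            return ""
        if "paths" not in spec:
            return ""
        leaked = auto_generated_operation_ids(spec)
        return (f"OpenAPI schema exposed: {len(spec['paths'])} paths, "
                f"{len(leaked)} auto-generated operationIds")
    lower = body.lower()
    if path == "/docs" and "swagger" in lower:
        return "Swagger UI HTML exposed"
    if path == "/redoc" and "spec-url=" in lower:
        return "ReDoc HTML exposed; points clients at the schema"
    return ""


def audit_docs_exposure(fetch: Fetcher) -> Dict[str, str]:
    """Check every documentation surface; an empty dict means none is reachable."""
    findings = {}
    for path in DOC_SURFACES:
        status, content_type, body = fetch(path)
        message = classify(path, status, content_type, body)
        if message:
            findings[path] = message
    return findings


# Constructed responses modelled on the three reports (not real captures).
_SPEC = {
    "openapi": "3.1.0",
    "paths": {f"/api/route{i}": {"get": {"operationId": f"route{i}_get"}} for i in range(37)},
}
_SPEC["paths"]["/api/address/{address}/scam-check"] = {
    "get": {"operationId": "get_address_scam_check_api_address__address__scam_check_get"}
}
EXPOSED = {
    "/openapi.json": (200, "application/json", json.dumps(_SPEC)),
    "/docs": (200, "text/html; charset=utf-8", "<title>Bitcoin Analytics API - Swagger UI</title>"),
    "/redoc": (200, "text/html; charset=utf-8", '<redoc spec-url="/openapi.json"></redoc>'),
}
# What the same paths return once openapi_url, docs_url and redoc_url are set to None.
HARDENED = {path: (404, "application/json", '{"detail":"Not Found"}') for path in DOC_SURFACES}


def fetch_from(table: Dict[str, Response]) -> Fetcher:
    """Offline fetcher over a response table; swap in a urllib call for a live check."""
    return lambda path: table.get(path, (404, "text/plain", ""))
```

Setting explicit operation_id values on routes (or a custom generate_unique_id_function) removes the function-name leak even where the schema is intentionally served to authenticated users.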



irfan_pak10
Legendary
Activity: 3710
Merit: 1720
May 08, 2026, 06:49:51 PM
 #60

MAJOR   TLSv1.0 and TLSv1.1 accepted on the edge

RFC 8996 (March 2021) deprecates TLSv1.0/1.1. Modern browsers refuse them, but legacy bots and downgrade-attack tooling still negotiate them. PCI-DSS and NIST SP 800-52r2 disallow them.

Reproducer
Code:
$ nmap --script ssl-enum-ciphers -p 443 omnisee.io | grep -E "TLSv1\.[01]"
| TLSv1.0:
| TLSv1.1:


Impact
•   Audit/compliance flag.
•   Legacy bots and TLS downgrade attacks remain possible.

Fix
Cloudflare → SSL/TLS → Edge Certificates → Minimum TLS Version → set to TLS 1.2 (or 1.3).
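Added example, not the poster's commands: a parser for the protocol-version lines in nmap ssl-enum-ciphers output that lists any deprecated version still offered, run on a constructed excerpt (not a real scan of the site), and the equivalent server-side floor for a Python TLS listener you operate yourself, where the post's Cloudflare dashboard setting does not apply. The cipher lines in the excerpt are constructed.

```python
import re
import ssl
from typing import List

# Constructed nmap ssl-enum-ciphers excerpt shaped like the post's grep output
# (not a real capture).
NMAP_EXCERPT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
"""

# Versions ruled out by RFC 8996 and by the PCI-DSS / NIST SP 800-52r2 guidance the post cites.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# nmap prints each offered protocol as its own "|   TLSv1.x:" line.
VERSION_LINE = re.compile(r"^\|\s+((?:SSL|TLS)v\d(?:\.\d)?):\s*$")


def offered_versions(scan_text: str) -> List[str]:
    """Protocol versions the scanned port negotiated, in scan order."""
    versions = []
    for line in scan_text.splitlines():
        match = VERSION_LINE.match(line)
        if match:
            versions.append(match.group(1))
    return versions


def deprecated_offered(scan_text: str) -> List[str]:
    """Subset of offered versions that should no longer be enabled."""
    return [v for v in offered_versions(scan_text) if v in DEPRECATED_VERSIONS]


def hardened_server_context() -> ssl.SSLContext:
    """Server context with a TLS 1.2 floor; the stdlib equivalent of the
    'Minimum TLS Version' setting for an origin served directly by Python."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_floor(ctx: ssl.SSLContext) -> bool:
    """Configuration check suitable for a deploy-time test."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
```

Re-running the scan after the change should return an empty list from deprecated_offered; keeping that as a scheduled check catches a later regression such as a CDN setting being reset.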


