Bitcoin Forum
Topic: Responsible disclosure (Read 1385 times)
jimcoin (OP), Newbie
October 05, 2014, 07:34:10 PM #1

Hi,

I have found a commercial website that deals with Bitcoin doing very unethical practices:

Breaking terms and conditions of Blockchain.info by setting themselves up as a proxy so they don't have to write their own API - this breaks the TOS of Blockchain in 4 different sections. They present this as part of their own API to their own clients. Certainly there is no mention or credit to Blockchain.info.

Also there are many security concerns, such as math.Random() being used for cryptography and SQL injection possibilities in the API they provide to clients.

Now normally I would approach the CEO or a head of such a company, or if it was a traditional financial institution I could approach the financial regulators and authorities. Maybe this is the work of a rogue programmer, someone non-ethical and who doesn't understand security. But the problem I have is that the CEO is the programmer, thus this is the ethos of the company under his leadership - take shortcuts, and screw security. This is a company with over half a million dollars of funding.

I am thinking of just writing a report on my findings and publishing it publicly for all. Bitcoin should be about ethics, should be about security. These guys take ethics and security as a joke, I don't want them or people like them in the Bitcoin community. Every hack against a Bitcoin site, every fail is a fail for Bitcoin.

What do you guys think I should do? No, I will not name the company, not unless I release the report.

Buffer Overflow, Legendary
October 05, 2014, 07:37:17 PM #2

Quote from: jimcoin on October 05, 2014, 07:34:10 PM
Breaking terms and conditions of Blockchain.info by setting themselves up as a proxy so they don't have to write their own API - this breaks the TOS of Blockchain in 4 different sections. They present this as part of their own API to their own clients. Certainly there is no mention or credit to Blockchain.info.

Maybe they are in partnership or working together as separate companies and have permission to do this.

jimcoin (OP), Newbie
October 05, 2014, 07:50:12 PM #3

Quote from: Buffer Overflow on October 05, 2014, 07:37:17 PM
Maybe they are in partnership or working together as separate companies and have permission to do this.

I did think about this. But if you could see how it works it is very, very doubtful. If you visit a certain page of their site it is basically the root page of blockchain.info. That is to say, you can access any page, image or other content from blockchain.info by changing the sub-path. Everything is presented as text, so whilst the images are proxied they display in your browser as text due to the MIME type still being HTML. This is the worst possible way to link to another site or use another site's data. If you were going to sneakily use blockchain.info you would wrap your own API functions to properly call theirs. Everything about their publicly available code screams shortcuts and quick fixes. If they were in partnership with blockchain.info they would be doing things properly. Right now they are open to a DNS attack at their webhost pointing blockchain.info to an attacker's server, which would feed all of their clients' wallet data to the attacker's server.

For confirmation, if anybody from blockchain.info wants to get in touch I am happy to discuss it.

Buffer Overflow, Legendary
October 05, 2014, 07:52:48 PM #4

Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.

jimcoin (OP), Newbie
October 05, 2014, 07:57:19 PM #5

Quote from: Buffer Overflow on October 05, 2014, 07:52:48 PM
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.

No it's not a block explorer site. It is a commercial site offering commercial Bitcoin services and earning money off of the back of sloppy programming, bad security and the great work of blockchain.info. If it was a block explorer site I wouldn't care - it would be like being worried about security vulnerabilities/ethics in a forum or obscure website for some club or whatever.

This is a site with huge press in their market, a site that apparently is one of the leaders in the market. This is why I am concerned: people's Bitcoins are at stake, and the reputation of Bitcoin in this area is open to being damaged due to this.

bg002h, Donator, Legendary
October 05, 2014, 09:19:49 PM #6

Quote from: jimcoin on October 05, 2014, 07:57:19 PM
Quote from: Buffer Overflow on October 05, 2014, 07:52:48 PM
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.

No it's not a block explorer site. It is a commercial site offering commercial Bitcoin services and earning money off of the back of sloppy programming, bad security and the great work of blockchain.info. If it was a block explorer site I wouldn't care - it would be like being worried about security vulnerabilities/ethics in a forum or obscure website for some club or whatever.

This is a site with huge press in their market, a site that apparently is one of the leaders in the market. This is why I am concerned: people's Bitcoins are at stake, and the reputation of Bitcoin in this area is open to being damaged due to this.

Out with it man. If you're not disclosing a specific security flaw that others could use to steal funds, there's no reason to not tip your hand. Most are too busy to reply to "specific content" free posts.

Get.BTC.Now, Member
October 06, 2014, 01:48:58 PM #7

Quote from: Buffer Overflow on October 05, 2014, 07:52:48 PM
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.

I really hope that it will not stay like that.

Willisius, Sr. Member
October 06, 2014, 01:59:29 PM #8

Quote from: jimcoin on October 05, 2014, 07:34:10 PM
...
I am thinking of just writing a report on my findings and publishing it publicly for all. Bitcoin should be about ethics, should be about security. These guys take ethics and security as a joke, I don't want them or people like them in the Bitcoin community. Every hack against a Bitcoin site, every fail is a fail for Bitcoin.
...

Agreed. Compose your full disclosure, that's my advice. It sounds to me like they're risking other people's money.

Elwar, Legendary
October 06, 2014, 02:05:29 PM #9

I use blockchain.info to get the balance for Bitcoin addresses for my site. I never knew they required some sort of credit. I have problem doing so, just never saw anything like that.

cyberpinoy, Hero Member
October 06, 2014, 02:10:09 PM #10

If you didn't already do it, the first thing you should have done was contact Blockchain.info and release all the information to them. The next thing after that is to take care of it as best you can: get hold of the right people and email them with the legalities, and let them know that what they are doing is in fact wrong and possibly illegal. Depending on where they are, certain laws may or may not stretch all the way to them. Just because you have something copyrighted in the USA does not mean you cannot copy it and sell it in Africa, where US laws have no jurisdiction. It's a crazy situation that sometimes ends up just wasting time for everyone, as nothing legal could ever be done.

FYI, I am not sure why you don't name them, but to be honest I don't care; it's up to you. I think I like it better the way you did it, not attracting any unnecessary attention to them, because people like that only want attention anyway.

NLNico, Legendary
October 06, 2014, 02:14:06 PM #11

In case of security vulnerabilities, like SQL injections, public disclosure should be your last option. You don't want it to be abused and an attacker to steal the funds of innocent users of that site because of your disclosure.

IMO you should contact the owner of that site and disclose it to them privately first. If they don't fix it or change it, you could consider public disclosure, and in this case perhaps Blockchain.info first.

chenka563, Full Member
October 06, 2014, 02:42:09 PM #12

Quote from: Buffer Overflow on October 05, 2014, 07:37:17 PM
Quote from: jimcoin on October 05, 2014, 07:34:10 PM
Breaking terms and conditions of Blockchain.info by setting themselves up as a proxy so they don't have to write their own API - this breaks the TOS of Blockchain in 4 different sections. They present this as part of their own API to their own clients. Certainly there is no mention or credit to Blockchain.info.

Maybe they are in partnership or working together as separate companies and have permission to do this.

I agree with you; there are more companies that would like to join you!

BrunesBTC45, Member
October 09, 2014, 01:43:51 AM #13

Quote from: Buffer Overflow on October 05, 2014, 07:52:48 PM
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.

Should someone worry about this?

TheFootMan, Hero Member
October 09, 2014, 04:44:27 AM #14

Why not do a write-up and send a gentle message to the siteop? You could use anon mail for this.

If siteop is ignorant, then go public.

TrailingComet, Sr. Member
October 09, 2014, 07:18:18 AM #15

Private email providing a reasonable period for redressal. After that, go public, but leave the door open for them to provide a clarification of their position.
