Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs - page 5. (Read 7137 times)

100bit.co.in is optimized for mobile view and CAPTCHA should behave the same way on laptop as well as on mobile.


We wanted to cover EURO as a currency and hence added Europe as a country. Once the technical glitches get fixed, more countries & currencies will be added gradually. If you find your country/currency is missing, you may inform us here. We will add it ASAP.

Yes, what I was saying is that the problem wasn't just on the buy-order text box or in the About me box from your site, it was on the support zone of 100bit.co.in, too  

---

Ok, now I tried to log-in with a random ID and the log-in form return only this message:
You have entered wrong login credentials or your account is not activated.

IMO, now it's ok, because then I logged in with the correct credentials and it's working.

Cheers!

1. 2FA might be implemented after some time. I would like to mention here that 100bit.co.in does not require your fund to stay deposited in any site wallet. User just need to deposit fund only when a trade is in progress. So, even if your account is compromised when you are not doing a trade, it will not financially affect you.

2. If you have registered an account, you need to authenticate it by clicking a link sent to your email ID. If you have forgot your password, you may recover it through your authenticated email ID.

Thanks for pointing out. Should be fixed by now.



This is because you clicked the authentication link twice. We prefer to keep it this way, because if for some reason the mail function does not work in the first click, recipient can click it again to get his/her "Account Creation" mail.



Can you please re-create this situation and PM me the login credentials for which you are facing this problem ? In fact, the ID is generated only after registration. At the time of registration, user can enter name & email ID.

yes it looks fixed now, same page is there, so good now, waiting for bounty

Yes. There was a small glitch here, which is now fixed. You will get some bounty for finding this out. Can you please confirm that this issue is not appearing anymore at your end ?

did you checkd the error i told, will i get my bounty ?

Yes... we already have reports of the XSS and SQL injection problem. Still we would like to know which SQL injection problem you have found. You may post here or PM.

It seems, no one has found any problem in order execution so far. Would like to hear about testing report of that part...

I found an xss in your website and maybe an sqli too..... So are there already reported and you are in process of patching those or they are not reported???

http://i62.tinypic.com/vq5jlf.png

i'm talking about the "Preferred payment mode" input. franckuestein must be talking about that section too... but in the screenshot we see the ticket code injection.

ERROR FOUND !

http://www.100bit.co.in/recover.php

when you enter a email which isnt already exist ( no accout made using that ) then it says error, instead it should say , no account found with this email.

i get this page when i put a non-registered email - http://www.100bit.co.in/error404.php

btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw

Thank you for your testing time. We are now aware of the existing XSS vulnerability on all the text box. All of them will be fixed ASAP.

Can you please tell us which buy orders text-box you mean here ? Is it the Preferred payment mode you are talking about ?

In the country selection option why are there so little countries to chose from? And why it says europe as a country

Hi devs and congrats for the site!
I was trying the most common things that a "normal" user would do with your site and I've found some interesting details.

---

This is not a bug, but first of all, take a look to the "Lost you password" page. There's a mistake because it's Forgot Password and not Forgot Passowrd (in the header and in the button).


Then, once I registered my account I've received two direct messages on my mail account, you have to solve this automated messages problem. Maybe people receive more than one while they submit the registration form

Another thing:
If you try to log-in with the ID that you wrote on the registration form and not with the ID specified on the email, you're going to see this warning:
This message it's the one that pops up in case that you try to register with an email address that's been registered before, not once you try to log-in.

As well, IMO users have to be able to log-in with their ID and not with the code (numbers) that they receive on their mail account.

And the last thing  
I've tried to put the simple code that @seoincorporation shared before and you can inject code while submitting a ticket to 100bit support. So that's a problem that there isn't just in the "About me" and buy orders text-box. Revise it to secure your webpage.

---

Hope to help you!  
Good luck 100bit team!

Find another one.

I can inject code in: http://www.100bit.co.in/order.php > Preferred payment mode (optional):



http://i62.tinypic.com/vq5jlf.png



http://i59.tinypic.com/wmf983.png

Make a test with http://cash.com">Cash, and in the second try i test with .

***UPDATE***

I can inject code in the Ticket support too...

I send you my addy in a PM. The problem i found:

1.-No captcha in the "Create a New Support Ticket"
2.-Can inject code on "http://www.100bit.co.in/settings.php > About me"

I make some test and dont find a vuln for xss


And about SQL injection im not sure.

Im on the phone so i dont know if the site is optimized for mobiles im on iphone but everytime i login and i have to type the captcha it always says wrong captcha the first time then the second time it works, ive tried it 6 times and its always the same, the first time it says incorrect captcha then it works

your site is looking great well i checked the site but i found no bug unfortunately and thts mean your site is out of bug . Above users ^^ found the bug further i cant find . as it is a buying selling platform you should add 2FA or something else . i see that it is not so protected . and the security level is too low. also i just registered my account but now i m unable to login dont know why . i dont know thats a bug or whats is it.

Thank you, btw the message from "seoincorporation" was sent after my PMs (listing more vulnerability and in details)

Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.