Topic: 1Broker.com - Vulnerability & bug bounty - page 2. (Read 7512 times)

full member
Activity: 154
Merit: 100
February 15, 2013, 03:44:53 PM
#32


Yes you can count me in, and thanks for the payment :-)
full member
Activity: 187
Merit: 100
February 15, 2013, 12:48:09 PM
#31
Quote
Nothing found apart from Leet ports and Gangnam Style cookies :p

I'm not really skilled I guess
Good :P Thanks for trying!


Quote
If it was me I would word it totally differently though,

Quote
Account Security
We advise that you keep your login details secure and never reveal them or write them down. You use our service at your own risk and liability; every effort has been taken in ensuring your account is secure, and our servers and software are tested regularly. As such, should your account be compromised as a result of your negligence, we accept no liability and will not refund your account.
Very good! Rewarded you with 0.075 BTC

In general our language quality is not what I expect it to be. Therefore, I'm now searching for an English native speaker who can help us rewrite some things, write "news" and help with language problems in general. Of course this person gets some BTC for his/her work.

If anyone is interested in doing this small job (<1h/week), convince me that you have the required language skills, especially with formal/marketing language. If more people want to do this I will try to pick the best one in the next few days. Can I count you in, whitenight639?
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
February 14, 2013, 11:57:15 PM
#30
Nothing found apart from Leet ports and Gangnam Style cookies :p

I'm not really skilled I guess
full member
Activity: 154
Merit: 100
February 14, 2013, 10:25:30 PM
#29
https://1broker.com/?c=about_tos

Quote
Account Hack
If our system has/had no weaknesses which make a hack of a customer account possible we will not refund stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place.


This is bad grammar, and doesn't make sense. Are you trying to say the following:


Quote
Account Hack
If our system has or is found to have weaknesses which make compromising customer account(s) possible we will not refund the stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place.

OR are you trying to say:

Quote
Account Hack
Our system has no known weaknesses which make a hack of a customer account possible, we will not refund stolen Bitcoins. Every customer is advised to use safe and unique passwords and to store the Master Key at a safe place.



If it was me I would word it totally differently though,


Quote
Account Security
We advise that you keep your login details secure and never reveal them or write them down. You use our service at your own risk and liability; every effort has been taken in ensuring your account is secure, and our servers and software are tested regularly. As such, should your account be compromised as a result of your negligence, we accept no liability and will not refund your account.


P.S. I can re-write the rest of your legal pages if you like.

12j2DRmNAW9ZQRGbSFvZUT56PuGNRj1bW7


full member
Activity: 187
Merit: 100
February 10, 2013, 04:34:27 PM
#28
Quote
1; When a transaction is sent, show the user that the transaction is confirming, and its amount, just so newcomers know that things are happening behind the scenes.
Good suggestion. Added it to the TODO list.

Quote
2; Create a dashboard page; having data centralized makes it much easier to navigate.
I'll think about this.

Quote
3; API, of course, which could grab the Bitcoin community attention + increase your service popularity.
It is on the long-term TODO list.

Quote
Wish you good business.
Thanks :)
hero member
Activity: 784
Merit: 1000
Casper - A failed entrepenuer who looks like Zhou
February 10, 2013, 06:42:15 AM
#27
Hi, glad I found this service even though I am only holding a really tiny amount of coins.
Just a few suggestions for your service.

1; When a transaction is sent, show the user that the transaction is confirming, and its amount, just so newcomers know that things are happening behind the scenes.

2; Create a dashboard page; having data centralized makes it much easier to navigate.

3; API, of course, which could grab the Bitcoin community attention + increase your service popularity.


Wish you good business.
full member
Activity: 187
Merit: 100
January 22, 2013, 01:04:40 PM
#26
Sorry for the delayed answer.

Quote
https://1broker.com/?c=contact
it says "bug- and feature requests send to:" with a '-' after 'bug'

In Searching:
Not sure if it's bug:
when searching for 'inc', there's a name "Nokia Oyj" at the bottom, with 0 bid and ask, and it doesn't show in any category
Good finds! Thanks!

Quote
1. it seems that leverage has a 1~15 range, as it keeps jumping to 15 if you input a larger number, but an input of 0.1 is allowed, which will jump to 1 when clicking -/+ again; it's confusing.
Intentional. The more auto corrections, the more annoying it can get when editing the value. You can see a list of the maximum leverages here: https://1broker.com/?c=cfds

Quote
2. not sure if desired: when right-clicking on the -/+ for leverage, the number auto-decreases/increases, and clicking again will stop it
In general a slider would be better here and will be implemented sometime.

Quote
3. if you input any invalid characters in leverage, like '-' or '*', when there's an amount, the feedback says "In words: If the price of *** goes up by 1% you will win NaN BTC"; the NaN looks too JavaScript
Right.

Quote
suggestion:
highlight the current one if selected:
Account Info
Access Log
Transaction Log
Account Settings
Yeah this needs a redesign.

Sent you 0.125 BTC.
QA
newbie
Activity: 20
Merit: 0
January 21, 2013, 01:07:13 AM
#25
https://1broker.com/?c=contact
it says "bug- and feature requests send to:" with a '-' after 'bug'


In Searching:
Not sure if it's bug:
when searching for 'inc', there's a name "Nokia Oyj" at the bottom, with 0 bid and ask, and it doesn't show in any category


In 'Open order':
(Chrome Version 24.0.1312.52)
1. it seems that leverage has a 1~15 range, as it keeps jumping to 15 if you input a larger number, but an input of 0.1 is allowed, which will jump to 1 when clicking -/+ again; it's confusing.

2. not sure if desired: when right-clicking on the -/+ for leverage, the number auto-decreases/increases, and clicking again will stop it

3. if you input any invalid characters in leverage, like '-' or '*', when there's an amount, the feedback says "In words: If the price of *** goes up by 1% you will win NaN BTC"; the NaN looks too JavaScript


suggestion:
highlight the current one if selected:
Account Info
Access Log
Transaction Log
Account Settings
newbie
Activity: 14
Merit: 0
full member
Activity: 187
Merit: 100
January 17, 2013, 05:28:46 PM
#23
edit: I think if you capitalize the last V it works:
19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsV
Worked :)
newbie
Activity: 14
Merit: 0
January 16, 2013, 07:35:23 PM
#22

Thanks for the research. I wanted to send 0.025 BTC, but bitcoind says about your signature address:
Code:
<./bitcoind validateaddress 19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv
>{
>   "isvalid" : false
>}


hmm, 9 transactions have been successfully processed to this address: http://blockchain.info/address/19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv

edit: I think if you capitalize the last V it works:

19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsV


I don't know how that happened. thank you, btw!
full member
Activity: 187
Merit: 100
January 16, 2013, 05:39:56 PM
#21
On https://1broker.com/?c=about_privacy there are 7 occurrences of "Personal identification information." The conventional way to state this according to http://en.wikipedia.org/wiki/Personally_identifiable_information is in one of four ways:

Personally Identifiable Information
Personally Identifying Information
Personal Identifying Information
Personal Identifiable Information


Other sources for this nomenclature:
http://www.doncio.navy.mil/ContentView.aspx?id=2428
http://www.dol.gov/dol/ppii.htm#.UPZoVaG8HrE
http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf

Thanks for the research. I wanted to send 0.025 BTC, but bitcoind says about your signature address:
Code:
<./bitcoind validateaddress 19VYu6KyJ56jegfYCqSWxgZDnSkHLb8gsv
>{
>   "isvalid" : false
>}
member
Activity: 112
Merit: 10
January 16, 2013, 03:59:33 AM
#20
Can anyone confirm this is legit?
newbie
Activity: 14
Merit: 0
January 16, 2013, 03:44:48 AM
#19
On https://1broker.com/?c=about_privacy there are 7 occurrences of "Personal identification information." The conventional way to state this according to http://en.wikipedia.org/wiki/Personally_identifiable_information is in one of four ways:

Personally Identifiable Information
Personally Identifying Information
Personal Identifying Information
Personal Identifiable Information


Other sources for this nomenclature:
http://www.doncio.navy.mil/ContentView.aspx?id=2428
http://www.dol.gov/dol/ppii.htm#.UPZoVaG8HrE
http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf
full member
Activity: 187
Merit: 100
January 13, 2013, 12:05:48 PM
#18
I closed a position at BTC/USD, got 0.09603989 BTC, placed all on "Short" with leverage at 5 and immediately lost 0.0028 BTC (-2.95%). Huh?

I haven't noticed any price change in between the moment of closing and opening the position. What am I missing there?

Every CFD has a Bid and an Ask price. If you open a short position you sell for the bid price. The -2.95% shows what you would get if you closed the position (bought it back for the ask price).
The bid is always lower than the ask price, so every time a position is opened you start with a small loss (and higher leverages result in a greater initial loss, of course). This is called the spread, which exists in all financial markets around the world.
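The spread arithmetic in the reply above, together with the leverage-field NaN reported in post #25, as an added example that is not 1Broker's code. The function names, the 0.59% spread and the bid/ask quotes are constructed for illustration; only the margin and leverage figures come from the thread.

```javascript
// Added example, not 1Broker's code: validate the leverage field so the
// "In words" preview never shows NaN, and compute the opening loss that the
// bid/ask spread causes, as explained in the reply about the -2.95%.

// Accept only plain decimal numbers within [1, maxLeverage]; '-', '*' or an
// empty field return an error instead of letting NaN reach the preview.
function parseLeverage(input, maxLeverage) {
  const s = String(input).trim();
  if (!/^\d+(\.\d+)?$/.test(s)) {
    return { ok: false, error: 'Leverage must be a number' };
  }
  const value = Number(s);
  if (value < 1 || value > maxLeverage) {
    return { ok: false, error: `Leverage must be between 1 and ${maxLeverage}` };
  }
  return { ok: true, value };
}

// "If the price of X goes up by 1% you will win ... BTC": the position size is
// margin * leverage, so a pct move changes P&L by that much (a short gains
// when the price falls).
function previewMove(margin, leverage, pct, side) {
  const direction = side === 'short' ? -1 : 1;
  return direction * margin * leverage * (pct / 100);
}

// Unrealised P&L right after opening: a short sells at the bid and would be
// bought back at the ask (a long the reverse), so the spread is paid up front
// and multiplied by the leverage.
function openingPnl(margin, leverage, bid, ask, side) {
  const spread = side === 'short' ? (ask - bid) / bid : (ask - bid) / ask;
  const btc = -margin * leverage * spread;
  return { btc, pct: (btc / margin) * 100 };
}

// Build the preview text, or the validation error, for the order form.
function previewText(symbol, margin, leverageInput, maxLeverage, side) {
  const lev = parseLeverage(leverageInput, maxLeverage);
  if (!lev.ok) return lev.error;
  const win = previewMove(margin, lev.value, 1, side);
  return `In words: If the price of ${symbol} goes up by 1% you will ${win >= 0 ? 'win' : 'lose'} ${Math.abs(win).toFixed(8)} BTC`;
}

// Constructed figures (not real quotes): margin from post #18, a 0.59% spread.
console.log(previewText('BTC/USD', 0.09603989, '*', 15, 'short'));
console.log(openingPnl(0.09603989, 5, 100, 100.59, 'short'));
```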
full member
Activity: 187
Merit: 100
January 12, 2013, 06:04:52 PM
#17
Balance shown on the right side should be accurate to 8 digits. I just tried to ForEx a little with BTC/USD, clicked on "Short", copy-pasted the balance value shown - 0.0976 - into the "Amount/Margin" field, clicked on "Open Order" and ended up surprised with an "Insufficient funds!" message. It took me a while to find out I actually have less than 0.0976 BTC!

https://i.imgur.com/NSyR6.png
Known problem. Full precision is not shown everywhere, because it wouldn't look good. However, I changed it to Math.floor() instead of Math.round() => you won't see that problem again. Additionally, now it also shows a full precision tooltip onmouseover.
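The rounding bug and the Math.floor() fix described above, as an added example that is not 1Broker's code. It assumes balances are held as integer satoshis (a BigInt) and uses a constructed balance of 0.09759999 BTC; the function names are illustrative.

```javascript
// Added example, not 1Broker's code: why a rounded balance can read higher
// than the account holds, and the fix described in the reply (truncate instead
// of round, keep full precision available).
const SATOSHI = 100000000n;

// The behaviour reported in the thread: Math.round() on a float balance.
function displayRounded(btc, places) {
  const f = 10 ** places;
  return (Math.round(btc * f) / f).toFixed(places);
}

// Exact 8-decimal string from an integer satoshi balance (tooltip value).
function fullPrecision(satoshis) {
  const frac = (satoshis % SATOSHI).toString().padStart(8, '0');
  return `${satoshis / SATOSHI}.${frac}`;
}

// Truncated display: drop the trailing digits so the shown value never exceeds
// the real balance (the Math.floor() fix, done on integers to avoid float drift).
function displayTruncated(satoshis, places) {
  const drop = 10n ** BigInt(8 - places);
  const kept = (satoshis / drop) * drop;
  const s = fullPrecision(kept);
  const cut = 8 - places;
  return cut ? s.slice(0, -cut) : s;
}

// Parse what the user typed into "Amount/Margin" exactly, as satoshis.
function parseBtc(text) {
  const m = /^(\d+)(?:\.(\d{1,8}))?$/.exec(text.trim());
  if (!m) throw new Error(`not a BTC amount: ${text}`);
  return BigInt(m[1]) * SATOSHI + BigInt((m[2] || '').padEnd(8, '0'));
}

function canAfford(balanceSatoshis, amountText) {
  return parseBtc(amountText) <= balanceSatoshis;
}

// Constructed balance: 0.09759999 BTC, the situation from the report.
const balance = 9759999n;
console.log(displayRounded(0.09759999, 4), canAfford(balance, displayRounded(0.09759999, 4)));
console.log(displayTruncated(balance, 4), canAfford(balance, displayTruncated(balance, 4)));
```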
full member
Activity: 187
Merit: 100
January 12, 2013, 10:49:25 AM
#16
The autocomplete attribute is not disabled in the HTML form / input element containing the password-type input. Passwords may be stored in browsers and retrieved.

or

Whenever possible ensure the Cache-Control HTTP header is set with no-cache, no-store, must-revalidate and private.
This is intentional. I don't want to overrule users here. Some people want to handle their passwords with Lastpass or a Firefox master password. (including myself) The autocomplete=off is really annoying sometimes. (However, Master Key inputs have the autocomplete=off parameter of course)

0.1 BTC for the private attribute in Cache control of images (very few attack possibilities, if any)
You want it to your 1Broker account or to a specific Bitcoin address?

1Broker account please, I'm curious how long it will take me to lose everything due to my (stock) exchange bad luck. :D

BTW, the fees page could be clearer - 0.00 BTC does not necessarily equal "no BTC will be taken". 8 decimal places would remove doubt.
Done. Good luck :D Fees page updated.

I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg
What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0?
I saw oO0 and l but no I.
Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible)
Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to a better font of course. (And I need your Bitcoin address too)
I still can't see the difference. Sorry.
1AWHB4h1ZprDZpBkALPxEuPtvaZRwzrG5D
That would be embarrassing if OCR couldn't read it too, and someone had to manually process this backup.
Turned out it is Calibri: http://prntscr.com/oxmtz :P Yeah, manual processing would be horrible, but backups are also stored on USB sticks.
Thanks and 0.1 sent!
member
Activity: 65
Merit: 10
January 12, 2013, 10:24:23 AM
#15



I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg
What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0?
I saw oO0 and l but no I.
Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible)
Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to a better font of course. (And I need your Bitcoin address too)
I still can't see the difference. Sorry.
1AWHB4h1ZprDZpBkALPxEuPtvaZRwzrG5D
That would be embarrassing if OCR couldn't read it too, and someone had to manually process this backup.
full member
Activity: 187
Merit: 100
January 12, 2013, 08:57:01 AM
#14
The autocomplete attribute is not disabled in the HTML form / input element containing the password-type input. Passwords may be stored in browsers and retrieved.

or

Whenever possible ensure the Cache-Control HTTP header is set with no-cache, no-store, must-revalidate and private.
This is intentional. I don't want to overrule users here. Some people want to handle their passwords with Lastpass or a Firefox master password. (including myself) The autocomplete=off is really annoying sometimes. (However, Master Key inputs have the autocomplete=off parameter of course)

0.1 BTC for the private attribute in Cache control of images (very few attack possibilities, if any)
You want it to your 1Broker account or to a specific Bitcoin address?


I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg
What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0?
I saw oO0 and l but no I.
Extremely good find. I can't remember what font was used, but the l(L) is slightly higher and thinner than the I(i). I think you can see this at the beginning of the second last line of the first sheet. (IRL it's clearly visible)
Nevertheless I'll reward you with 0.1 BTC for this, and I'll switch to a better font of course. (And I need your Bitcoin address too)
member
Activity: 65
Merit: 10
January 12, 2013, 07:47:50 AM
#13
I have more of a question than bug. I looked at this picture https://1broker.com/img/about_security1.jpg
What character set is used on this paper and is it font that enables telling the difference between l, I, o, O and 0?
I saw oO0 and l but no I.