Pages:
Author

Topic: 1Broker.com - Vulnerabilty & bug bounty - page 3. (Read 7519 times)

legendary
Activity: 1092
Merit: 1016
760930
January 12, 2013, 04:40:11 AM
#12
- at registration, email addresses with a plus sign (such as [email protected]) are not recognized, while perfectly valid.
Thanks & fixed

- also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"...
Known problem. The message system needs improvements (sometimes).

- when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English.
Either "You do not have enough funds" or just "Not enough funds!"
Fixed.

Rewarded you with 0.1 BTC

Thanks!

Website seems to be down right now, are you aware of this?
full member
Activity: 187
Merit: 100
January 11, 2013, 04:21:12 PM
#11
- at registration, email addresses with a plus sign (such as [email protected]) are not recognized, while perfectly valid.
Thanks & fixed

- also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"...
Known problem. The message system needs improvements (sometimes).

- when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English.
Either "You do not have enough funds" or just "Not enough funds!"
Fixed.

Rewarded you with 0.1 BTC
legendary
Activity: 1092
Merit: 1016
760930
January 11, 2013, 03:07:32 PM
#10
Hi,

I've created an account to try the platform out...  a couple of things already:

- at registration, email addresses with a plus sign (such as [email protected]) are not recognized, while perfectly valid.

- also, if you log out and then click the back button of your browser, you get an unexpected message: "login successful!"...

- when attempting to withdraw with a zero balance: the message "you have not enough funds" is not proper English.
Either "You do not have enough funds" or just "Not enough funds!"

Cheers

full member
Activity: 187
Merit: 100
January 11, 2013, 12:28:33 PM
#9
Unknown unexpected behavior (e.g. endless loops, links to 404 pages, UI issues ...)

I have created account using the same nickname as here - subSTRATA - but I ended up with nickname substrataAngry
Cheesy This is known. Usernames are intentionally converted to lowercase during signup. You can still log in with "subSTRATA" however.
full member
Activity: 187
Merit: 100
January 11, 2013, 12:21:16 PM
#8
https://1broker.com/?c=about_security
Quote
Addresses of offline storage only store small amounts to avoid attack scenarios while importing them back to the server wallet.

A rewording should go like this:
Offline storage addresses only hold small amounts to avoid potential attacks when imported back to the server wallet.

However. this is still quite vague, and implies that offline addresses only store small amounts when in fact you're storing nearly all of your customers' in offline generated Bitcoin addresses. Consider changing this sentence.
Another 0.025 sent, but this is obsolete anyway. Creating offline raw transactions is the better way of doing this, so I'll remove this.
legendary
Activity: 1288
Merit: 1227
Away on an extended break
January 11, 2013, 08:51:10 AM
#7
...


Quote
1Broker may collect and use Users personal information for the following purposes:
the User's.
Isn't this correct: Users'  Huh


Quote
Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above.

Thanks! Smiley Sent you: 0.225 BTC


Thanks!

Yep, it's Users'. Typo here.
You're missing the apostrophe though. Tongue

https://1broker.com/?c=about_security
Quote
Addresses of offline storage only store small amounts to avoid attack scenarios while importing them back to the server wallet.

A rewording should go like this:
Offline storage addresses only hold small amounts to avoid potential attacks when imported back to the server wallet.

However. this is still quite vague, and implies that offline addresses only store small amounts when in fact you're storing nearly all of your customers' in offline generated Bitcoin addresses. Consider changing this sentence.


I'll make an account and play with it later.
legendary
Activity: 2324
Merit: 1125
January 11, 2013, 08:43:02 AM
#6

Quote
1Broker may collect and use Users personal information for the following purposes:
the User's.
Isn't this correct: Users'  Huh


Users' is for the pleural and User's is for the singular form.

The users' is short for: "the users his"
The user's is short for: "the user his"

So you are correct users' is correct here (the personal information of the users)
full member
Activity: 187
Merit: 100
January 11, 2013, 08:38:35 AM
#5
Well, the last two rewards do not seem really substantial enough for what they're worth. What makes you think a hacker finding that kind of exploit would not try to empty your wallets and/or more malicious actions?
I'm still hoping that there are good people in this world.


Quote
1Broker may collect and use Users personal information for the following purposes:
the User's.
Isn't this correct: Users'  Huh


Quote
Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above.

Thanks! Smiley Sent you: 0.225 BTC
legendary
Activity: 1288
Merit: 1227
Away on an extended break
January 11, 2013, 07:49:14 AM
#4
Well, the last two rewards do not seem really substantial enough for what they're worth. What makes you think a hacker finding that kind of exploit would not try to empty your wallets and/or more malicious actions?

That said, there's still some minor wording errors here and there:

https://1broker.com/?c=faq
Quote
On weekends and on holidays currently all markets, except BTC/USD, are closed.
All markets are closed on weekends and holidays except BTC/USD.

https://1broker.com/?c=about_security
Quote
Instantly after creation all private keys of these addresses are gpg (CAST-128) encrypted with a long cipher and backed up at several highly secured locations.
GPG should be caps in this case. A comma between creation and all would be appropriate too.

Quote
No external resources are loaded when logged in.
External. Also, a subject here would improve the sentence; i.e.: when users are logged in.

Quote
Every user can look into a detailed access log of the account.
Every user can look into a detailed access log of their accounts.

Quote
Session cookies are protected from XSS attacks and are only sent with enabled TLS connection.
With an enabled TLS connection, or through a TLS connection.

Quote
HSTS prevents users from man-in-the-middle attacks.

Protects.

https://1broker.com/?c=about_privacy

Quote
...Non-personal identification information may include the browser name, the type of computer and technical information about Users means of connection to our Site,..
the User's.

Quote
1Broker may collect and use Users personal information for the following purposes:
the User's.


https://1broker.com/?c=about_tos
Quote
If necessary, 1Broker is completely sold and the amount of purchase is divided and payed out to our customers.
If necessary, 1Broker will be completely sold, and the proceeds divided and paid out to our customers.

Quote
If a customer lost high amounts during an unscheduled outage he can contact us and we will try to find a solution for both parties.
Loses.


Whew, that's it so far. There's still some weird wording here and there, but the more blatant errors are listed above.
full member
Activity: 187
Merit: 100
January 10, 2013, 08:31:19 PM
#3
https://1broker.com/?c=about_tos
In my opinion, "withdrawal requests" sounds better than "withdraw requests".
Hit! 0.025

https://1broker.com/?c=about_security
The left picture has no thumbnail; it's only resized via height/width in html, meaning the preview is a 355kB download.
Not a bug, but thanks.

"No externaly resources are loaded when logged in"
I haven't created an account, so I cannot check, but are the Godaddy seal and Twitter/FB/G+/Google-Analytics removed after login?
The godaddy seal is a local gif and yes!

Actually, I assumed the ticker would refresh via ajax now and then.

Sticking CSS/JS into separate files (and selective caching) would reduce the pagesize what increases loading speed and reduces traffic.

It would also be nice if the info boxes close when clicking anywhere on the page and not only on "OK"

Clicking on "Login" without any values filled in drops the user to an error page which looks like a leftover from the devs (also, that html isn't valid at all)

The site doesn't validate as html5. Cosmectic maybe, but personally I'm picky about such things.
Yeah these things are not perfect but I wouldn't call them bugs. Anyway, your post was really useful. Thanks!

Rewarded you with: 0.125 BTC
hero member
Activity: 576
Merit: 514
January 10, 2013, 06:34:56 PM
#2
https://1broker.com/?c=about_tos
In my opinion, "withdrawal requests" sounds better than "withdraw requests".

https://1broker.com/?c=about_security
The left picture has no thumbnail; it's only resized via height/width in html, meaning the preview is a 355kB download.

"No externaly resources are loaded when logged in"
I haven't created an account, so I cannot check, but are the Godaddy seal and Twitter/FB/G+/Google-Analytics removed after login?

https://1broker.com/
Actually, I assumed the ticker would refresh via ajax now and then.

Sticking CSS/JS into separate files (and selective caching) would reduce the pagesize what increases loading speed and reduces traffic.

It would also be nice if the info boxes close when clicking anywhere on the page and not only on "OK"

Clicking on "Login" without any values filled in drops the user to an error page which looks like a leftover from the devs (also, that html isn't valid at all)

The site doesn't validate as html5. Cosmectic maybe, but personally I'm picky about such things.
full member
Activity: 187
Merit: 100
January 10, 2013, 03:19:26 PM
#1
1Broker.com is running for more than 2 months now and it's amazing to look into the access logs. Nearly every day someone tries his/her luck by finding SQL injections, vulnerable services, the admin panel ...
Obviously the more people try the better, so I decided to give rewards even if someone only finds partial SQL injections, harmless XSS problems, endless loops, browser specific bugs ...

It is hard to specify what is a bug, but everything what is unknown and surprises me will be rewarded.
This gives you an overview of how much you can expect:

  • 0.025 BTC Embarrassing language mistakes and typos
  • 0.1 BTC Unknown unexpected behavior (e.g. endless loops, links to 404 pages, UI issues ...)
  • 0.1 BTC Harmless XSS problems
  • 0.5 BTC CSRF and XSS problems
  • 3 BTC Critical CSRF and XSS problems (e.g. possibility of session stealing)
  • 5 BTC Partial (blind) SQL injection which does nothing
  • 5 BTC Manipulating parts of the DB (e.g. close a position which is owned by another user)
  • 10 BTC Bypassing the Master Key system, creating negative balances and other logical bugs of this category
  • 10 BTC RFI/LFI bugs
  • 20 BTC Full access to the Database
  • 20 BTC Stealing coins from the hot wallet.
  • 40 BTC Full root access to the server

Edit (April, 10th): Due to the extreme BTC/USD volatility in the last weeks we will dynamically determine the reward for a reported problem.

Rules:
  • No (D)DoS
  • Problems have to be unknown (e.g. "Master Key system sucks" is not a bug)
  • Security related bugs have to be reported privately
  • Once a bug is abused you won't get a reward anymore
  • UI issues have to apply for at least 2% of the users (IE 6 problems are ignored)


This is good chance for all talented hackers to earn money without breaking the law or moral principles.

Have fun,
exxe
Pages:
Jump to: