To give you an example, there was so far 1 vulnerability, XSS one (so not a major one) on Bitfinex, for the GET variable "locale", where you could input javascript. This has been corrected a long time ago and was as i said the only vuln found.
it's not like we have not been "tried"...
Topic: accidentally entered the address into amount (Read 1120 times)
Hello,
If the address was changed to 1 (the number), then obviously the data has been filtered.
Furthermore, just because we do not check if the bitcoin address is not a valid bitcoin address doesn't mean we do not check for malicious input like SQL, HTML,... But don't take my word for it, go ahead, try to SQL inject or other attacks on Bitfinex and check the result. Every field is parsed and malicious content is removed (and a string like a BTC address is not a malicious content
)
All in all, if the bitcoin address is a wrong string, it will be rejected and cancelled. If the amount contains string garbage, as long as it start by digits, the amount will be those digits. If you enter "10 BTC", then this will be converted to "10".
Thank you anyway
Raphael
If the address was changed to 1 (the number), then obviously the data has been filtered.
Furthermore, just because we do not check if the bitcoin address is not a valid bitcoin address doesn't mean we do not check for malicious input like SQL, HTML,... But don't take my word for it, go ahead, try to SQL inject or other attacks on Bitfinex and check the result. Every field is parsed and malicious content is removed (and a string like a BTC address is not a malicious content
)All in all, if the bitcoin address is a wrong string, it will be rejected and cancelled. If the amount contains string garbage, as long as it start by digits, the amount will be those digits. If you enter "10 BTC", then this will be converted to "10".
Thank you anyway
Raphael
I used bitfinex.com to make the transfer.
It sent 1 btc, so all is good!
Ask support to fix their freaking system. Basic input validation would be nice.
This please let everyone know so they can avoid it like the plague.
Any site not doing the most basic input validation is likely not doing a half dozen other important things like preventing cross site scripting attacks, SQL injection, session hijacking, etc.
Utterly unbelievable a site would simply pass garbage input to bitcoind and hope everything works out ok.
This. Although I think how the system might work is that if you enter a value more than you own (for some reason, works with address) it just sends all of your balance no matter what.
It sent 1 btc, so all is good!
Ask support to fix their freaking system. Basic input validation would be nice.
This please let everyone know so they can avoid it like the plague.
Any site not doing the most basic input validation is likely not doing a half dozen other important things like preventing cross site scripting attacks, SQL injection, session hijacking, etc.
Utterly unbelievable a site would simply pass garbage input to bitcoind and hope everything works out ok.
This. Although I think how the system might work is that if you enter a value more than you own (for some reason, works with address) it just sends all of your balance no matter what.
It sent 1 btc, so all is good!
Ask support to fix their freaking system. Basic input validation would be nice.
This please let everyone know so they can avoid it like the plague.
Any site not doing the most basic input validation is likely not doing a half dozen other important things like preventing cross site scripting attacks, SQL injection, session hijacking, etc.
Utterly unbelievable a site would simply pass garbage input to bitcoind and hope everything works out ok.
It sent 1 btc, so all is good!
Ask support to fix their freaking system. Basic input validation would be nice.
Which exchange are you using?
That seems quite ridiculous... Why doesn't it check if the value entered is a number at all?!
That seems quite ridiculous... Why doesn't it check if the value entered is a number at all?!
It sent 1 btc, so all is good!
Ask support to fix their freaking system. Basic input validation would be nice.
It sent 1 btc, so all is good!
So i was trying to withdraw btc from exchange, and I accidentally entered the address into the amount, everything else was correct, and it still went through...
does this mean i only sent 1 btc, since address starts with 1?
I'm thinking about the last line. So, if i want to withdraw 100BTC, it only sent 1BTC since it starts with 1? does this mean i only sent 1 btc, since address starts with 1?
What you could do is to contact the support about this matter. Im sure the transaction was not sent as it needs a combination for it to be sendable. Should just contact the admin. Wiki says so:
https://en.bitcoin.it/wiki/Address#Addresses_are_case_sensitive_and_exact
So i was trying to withdraw btc from exchange, and I accidentally entered the address into the amount, everything else was correct, and it still went through...
does this mean i only sent 1 btc, since address starts with 1?
does this mean i only sent 1 btc, since address starts with 1?
Jump to: