Pretty sure I was able to crash veribit with a few lines of code. I'll stop once I prove it works.
No your IP just got auto banned for flooding. That and we deactivated the web service.
You may have done this afterwards, but I was seeing a wall of errors before that was done. Continuing to downplay what I'm finding and pretending it is not real is less healthy for your service than admitting it and working with me to fix these issues; right now you are just putting band-aids on them. I'm not being malicious, I'm giving you essentially free pen-testing (because I work for more than 75 an hour normally).
Pretty sure I could bypass your IP flood and deconstruct the API from your wallet code.
Lol, took 1 second to find the new URL on github:
http://verisend.vericoin.info/apisendbtc

There goes the idea you closed down webservices.

http://verisend.vericoin.info/apisendbtc?sendto=1NsqLEmk7bckyxocJToBYmgkte2j5KMGZp&amount=1

You really shouldn't keep talking to me like I'm stupid, your system clearly doesn't automatically ban IP addresses, you didn't ban mine. There is also no automatic price adjustment as you claimed before (which would have been clever if it were real, but also easy to exploit as well).
Talking to you like you're stupid? When did that happen? What I see are developers trying to engage with you directly. Didn't pnosker thank you, and give you a bug bounty already? What more do you want? An ego massage?
As in directly lying to me when it is easy to disprove his claims. He seems to think if he lies to me that I will just believe it and not try to confirm myself, which I did and realized what he was claiming was untrue. This is not about ego this is about having a straightforward discussion without deception.
I really don't think anyone is intentionally trying to deceive you. And it appears to be about ego when you say dipshit things like "You really shouldn't talk to me like I'm stupid" - when that was evidently not the case. Perhaps VericoinDev3 misunderstood and a different IP was banned? Who fucking knows? But before you go on any more of these fucking tirades at least give the man a chance to respond.
You are ignoring the several other claims that are clearly untrue; he is treating me like I'm stupid because he assumes I can't easily check the claims and find out they are false. He talked about features in the software that simply do not exist to downplay the damage that could have been caused by a script like the one I shared.
What are you talking about? We saw a flood of over 2000 requests starting from 2 min after your first exploit post. Your IP was banned by the software from processing any trades. So no, I didn't lie about anything. Did you try to trade at all?
And reducing the exploit time window is not just a patch. It is effective because it is unnecessary due to the way the wallet sends the transaction quickly. We could probably use better flood detection but you're simply DoSing at that point. Anyway, I'll say it again: if you were truly concerned, you would talk privately about this like any legitimate security researcher rather than publicly disclaiming the code and suspecting it of failing. VeriBit has not lost any loaned money and has not kept any sent money without paying out.
Thanks again for the criticism. We take it seriously but it is unfounded.
I offered to talk about it privately but you never private messaged me.
Also, I'm used to discussing issues publicly because the Bitcoin community is traditionally an open source community where we have open discussion about issues. We are all about transparency in the open source world.
I have not tried to steal from veribit. I could have drained the fund by now and done this all in silence, and you would have never noticed.
I'm taking time out of my other projects to come here and let you know about your security issues and you continue to downplay them and make up claims about your service. Should it be that easy to DoS your service with a 3 line script? There are definitely engineering solutions for that.
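The flood detection the developer mentions, shown here as an added defensive example that is not VeriBit's or either poster's code: a per-IP sliding-window limiter that refuses and temporarily bans any address exceeding a request budget, replayed against constructed traffic. The thresholds, IP addresses and class name are assumptions.

```python
import time
from collections import defaultdict, deque


class FloodGuard:
    """Per-IP sliding-window flood detector with a temporary ban.
    Hypothetical defensive helper; thresholds are assumed values."""

    def __init__(self, max_requests=20, window_s=60.0, ban_s=600.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self.ban_s = ban_s
        self._hits = defaultdict(deque)   # ip -> request timestamps in window
        self._banned_until = {}           # ip -> monotonic time the ban lifts

    def check(self, ip, now=None):
        """Record one request; return (allowed, reason) where reason is
        'ok', 'flood' (budget just exceeded, ban starts) or 'banned'."""
        now = time.monotonic() if now is None else now
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return False, "banned"
            del self._banned_until[ip]      # ban expired, start fresh
            self._hits[ip].clear()
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop stale timestamps
            q.popleft()
        if len(q) > self.max_requests:
            self._banned_until[ip] = now + self.ban_s
            q.clear()
            return False, "flood"
        return True, "ok"


def replay(guard, requests):
    """Feed (timestamp, ip) pairs through the guard; count outcomes per IP."""
    stats = defaultdict(lambda: {"ok": 0, "flood": 0, "banned": 0})
    for t, ip in requests:
        _, reason = guard.check(ip, now=t)
        stats[ip][reason] += 1
    return dict(stats)


# Constructed traffic: one client sending 2000 requests in two minutes
# (the burst size the thread describes) and one normal user at 10 s intervals.
BURST = [(i * 0.06, "203.0.113.7") for i in range(2000)]
NORMAL = [(i * 10.0, "198.51.100.2") for i in range(12)]
TRAFFIC = sorted(BURST + NORMAL)

if __name__ == "__main__":
    for ip, outcome in replay(FloodGuard(), TRAFFIC).items():
        print(ip, outcome)
```

Once an address trips the budget, every further request is refused without touching the backend, which is the property the thread argues about.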