You should pay DAVOUT for the work he has done
I just posted code to exploit the vulnerability to show how simple it was. 
Topic: Bitcoin7 a new exchange - page 4. (Read 20834 times)
davout did you see a real result of the "exploit"? Yes or No?
I will say that while this may revolt you.......
You should pay DAVOUT for the work he has done even though you did not contract with him. You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so).
I love the idea of an additional exchange, the more the better. But we need them to be secure. It is not just about the fees.
I reported the exploit and posted the POC.
No, I won't work for them. I don't need that on my rep. If they want to give me BTC, that'd be great.
davout did you see a real result of the "exploit"? Yes or No?
I will say that while this may revolt you.......
You should pay DAVOUT for the work he has done even though you did not contract with him. You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so).
I love the idea of an additional exchange, the more the better. But we need them to be secure. It is not just about the fees.
I was just looking for a way to delete my account and couldn't find any obvious was to do so... could you please give me specifics? (I don't care about the 1 US-cent that's left, keep it as a tip)
Also something strange:
Added funds 1xx.xx USD 1.xx USD <-- the second number = commissions.
WTF?! Why did I get charged commissions for sending money on MtGox suddenly?
Commission % is displayed as 0% by the way... and was at 0% (now it's been changed to 1%!) back then.
Also something strange:
Added funds 1xx.xx USD 1.xx USD <-- the second number = commissions.
WTF?! Why did I get charged commissions for sending money on MtGox suddenly?
Commission % is displayed as 0% by the way... and was at 0% (now it's been changed to 1%!) back then.
davout did you see a real result of the "exploit"? Yes or No?
No. I saw code that was trivially exploitable.This code got fixed because some honest people pointed it out previously in this very thread. (Did you thank them at all ?
) 
davout did you see a real result of the "exploit"? Yes or No?
Check his source, of, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better 
)
)Hrm. Bcrypt, eh?
Just to mention that we are monitoring the topic closely, without taking part of it as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reaction.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
I don't speculate, I point at hard facts.We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
You were vulnerable to one identified CSRF exploit, you fixed it, good.
You still didn't make any statement regarding the amounts storage, the options are :
- "We use floats because we don't have a clue about handling money in a database"
- "We now use decimals instead of floats because we understand the exact implications"
"we store amounts very precisely", "we're monitoring the site closely", "trust us!", "we don't want to communicate about it", "davout is mean", "
I'm not making any assumption regarding your honesty, I'm making statements about technical matters and I have no problem being corrected if I happen to be wrong (see previous posts).
Now I suggest you get your code straight and be open about it.
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.
This is an outright lie. It was trivially exploitable.On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
more marketing talk...You're salting and hashing your user's passwords before storing them in your database, right?
Check his source, of, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better )
You're salting and hashing your user's passwords before storing them in your database, right?
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.
Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.
On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
Soo. if it couldn't be used, what was there to FIX? Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.
On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.
Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.
On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.
On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
So for what it's worth.
I have successfully transferred BTC to B7.
I have sold some BTC.
I transferred it to my Dwolla account and it's showing up there....
I have successfully transferred BTC to B7.
I have sold some BTC.
I transferred it to my Dwolla account and it's showing up there....
Just to mention that we are monitoring the topic closely, without taking part of it as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reaction.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
Do you still use floats to store values and are you still vulnerable to CSRF exploits?
Just to mention that we are monitoring the topic closely, without taking part of it as it seems whatever we write there will always be people like davout who will speculate and turn the exchange to be a fraud. Luckily there are more and more successful trades and people with positive reaction.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.
Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
Exchanges are crucial. If this exchange is shit (smells like it), it damages bitcoin.
So yes, it is time to get vicious.
So yes, it is time to get vicious.
Wow, you guys are hyper-critical. Why so much hate in your reaction?
I agree the reaction has been harsh, but I think it's a good thing.The influx of users have been overwhelming. Many people have seen quick dollars and business opportunities. We need to make sure these new businesses are sound and safe for the users.
If that means aggressively auditing every new project for security holes and taking a "scam until proven otherwise" stance, so be it. Better safe than sorry.
Every project handling people coins needs to have very high security standards. Lotteries need to be provably honest. Exchanges and escrows need to be transparent.
We need to raise the bar.
if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
it's yours that i'm going to exploit for the lulz
if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.
YOU CAN'T RUN A LIVE MONEY EXCHANGE SITE WITH LARGE SECURITY HOLES.
Seriously, "fixing on the fly" is not an okay way to run a site that is moving money. It doesn't matter whether they are scammers or very well-meaning but incompetent programmers trying to cash in off the lack of exchanges currently out there.
If you are making mistakes at the most basic levels, it is likely that your site is going to be riddled with possible security holes. No one wants to hear "Oh, sorry, we are fixing it now" after their money goes flying out the window. Not to mention any exchange handling any large amounts of money is going to be a target for thieves, hackers, governments, DDOS attacks, etc etc etc. If you are going to paint a target on your back with other people's money, you best be in a position to handle it.
For all I know these folks are the nicest people on earth and I'd be happy to have a beer with them. That doesn't mean they should be programming a currency exchange.
Registered today. Transfered a few euros via SEPA.
I'll let you guys know if everything went smooth.
Jump to: