BitFunder - Lets grow together! A request to all users - https://bitfunder.com - page 2.

furuknap

sr. member

Activity: 294

Merit: 250

http://coin.furuknap.net/

Quote from: zoinky on June 22, 2013, 11:33:19 AM

The transfer function was being abused with a cross site attack, anyone could have sent POST data to the /transfer page, no matter what website they were sending the data from, and as long as the use was logged in, the transfer would go through.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

You may want to set up a transfer confirm email, or you may want to add a CSRF hash to your form data so that it can't be spoofed and the server is checking that each submission is in fact from the right server.

This bug will circumvent 2FA. So I probably won't stay logged in and clicking external links until this problem is fixed.

Just my two cents.

Glad to see that its disabled right now, guess you are looking into it? I saw some poor souls getting scammed on reddit Sad

Ukyo, are you starting to see my point yet?

.b

JoseRolles

newbie

Activity: 23

Merit: 0

Hi,

For now, is it possible to have the current server time listed somewhere on the top where the menu is on each page?

I live in a different time zone and often want to analyze when the last trade actually happen. It would be even better if on our settings page, we can save a setting to display time in our own time zones. But the first will suffice in the meantime so we can compare when things were posted.

Thanks,
Joe

Eric Muyser

full member

Activity: 224

Merit: 100

You can't kill math.

API keys please?

statdude

legendary

Activity: 1498

Merit: 1000

Quote from: OgNasty on July 02, 2013, 05:41:23 PM

I think an options market would be helpful. Something similar to the securities market screen where you can view all the available options for all the securities, sorted by volume. I'd like to view options without having to go through each security and also would like to see what people are actually buying to help identify potentially good deals.

+1

OgNasty

donator

Activity: 4760

Merit: 4323

Leading Crypto Sports Betting & Casino Platform

I think an options market would be helpful. Something similar to the securities market screen where you can view all the available options for all the securities, sorted by volume. I'd like to view options without having to go through each security and also would like to see what people are actually buying to help identify potentially good deals.

auto2nr1

sr. member

Activity: 350

Merit: 250

PM sent with a suggestion.

felix123

newbie

Activity: 50

Merit: 0

I want to automatically have my G.ASICMINER-PT dividends reinvested into TAT.ASICMINER. Would this be a good feature? Otherwise, email notification of dividend payments would be good too.

TECHICENINE

newbie

Activity: 28

Merit: 0

Quote from: 2weiX on June 21, 2013, 11:06:14 AM

biggest bug imho: not being able to bring assets online.
i've been following you around for close to three weeks now (pm, irc) to no avail.

BTCT hit the big boards i bet anyone got 1btc.. I'LL SHOW YOU! i know why !..lol

iCEBREAKER

legendary

Activity: 2156

Merit: 1072

Crypto is the separation of Power and State.

Quote from: Ukyo on June 22, 2013, 11:38:55 AM

Quote from: lagmo on June 21, 2013, 09:29:49 PM

Make that 3 people now, personally hate Google 2F, having an alternative would be nice. Wink

Agreed. I am going to add Yubikey, and I am working on a new method in the industry that some people will like, others will hate.

Make it 4 people who hate/nullroute Google and will never use Android/SpyOS Hitlerphones.

+1 for Yubikey and soon, Trezor as well. Cool

As a buy-and-hold long term investor, I'd like an option to 'Lock down' my account, requiring two email confirmations sent 48 hours apart to transfer or change anything.

Ukyo

sr. member

Activity: 448

Merit: 250

There have only been a very small amount of accounts abused so far in comparison to the normal daily users who do not have 2-factor enabled.
We have seen a large number of failed login attempt for email accounts that do not exist on our system. One thought is that another site has been compromised.

I lowered the failed retry amount as some people noticed to lessen the speed at which the list can be tested.

Cross-site POST's using logged in sessions are a bit more difficult but I am putting a check for that.

These transfers happened when users were not at the computer at all.

I am looking to enable an 'email confirmation' method for things.

Ukyo

sr. member

Activity: 448

Merit: 250

Quote from: lagmo on June 21, 2013, 09:29:49 PM

Quote from: Ukyo on June 03, 2013, 05:06:22 PM

Quote from: thatbluedude on June 03, 2013, 04:56:43 PM

add good yubikey support (register several keys, can't remove yubikey auth. without yubikey, set conditions that require yubikey authorisation)
it's also annoying that I can't open an asset in a new tab with the middle mousebutton

I think you are the second person to ask for Yubikey support.
I will look into it.

As for the asset page, I was just discussing changes for it with TAT earlier today that will make things better for a lot of people I think.

-Ukyo

Make that 3 people now, personally hate Google 2F, having an alternative would be nice. Wink

Agreed. I am going to add Yubikey, and I am working on a new method in the industry that some people will like, others will hate.

zoinky

hero member

Activity: 811

Merit: 1000

Web Developer

The transfer function was being abused with a cross site attack, anyone could have sent POST data to the /transfer page, no matter what website they were sending the data from, and as long as the use was logged in, the transfer would go through.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

You may want to set up a transfer confirm email, or you may want to add a CSRF hash to your form data so that it can't be spoofed and the server is checking that each submission is in fact from the right server.

This bug will circumvent 2FA. So I probably won't stay logged in and clicking external links until this problem is fixed.

Just my two cents.

Glad to see that its disabled right now, guess you are looking into it? I saw some poor souls getting scammed on reddit Sad

2dogs

legendary

Activity: 1267

Merit: 1000

got it, thanks.

now i can sleep better.... Cheesy

carpetbagger

sr. member

Activity: 258

Merit: 250

You can trust me, I have an avatar

Quote from: 2dogs on June 22, 2013, 02:01:49 AM

In setting up 2 factor:

Write this down and save it!
Enter code to enable:

Huh

What code do you enter? Huh

??

The code from the Authenticator app.

2dogs

legendary

Activity: 1267

Merit: 1000

In setting up 2 factor:

Write this down and save it!
Enter code to enable:

Huh

What code do you enter? Huh

??

lagmo

member

Activity: 67

Merit: 10

Quote from: Ukyo on June 03, 2013, 05:06:22 PM

Quote from: thatbluedude on June 03, 2013, 04:56:43 PM

add good yubikey support (register several keys, can't remove yubikey auth. without yubikey, set conditions that require yubikey authorisation)
it's also annoying that I can't open an asset in a new tab with the middle mousebutton

I think you are the second person to ask for Yubikey support.
I will look into it.

As for the asset page, I was just discussing changes for it with TAT earlier today that will make things better for a lot of people I think.

-Ukyo

Make that 3 people now, personally hate Google 2F, having an alternative would be nice. Wink

BitOmni

newbie

Activity: 24

Merit: 0

I actually like the User Interface of BitFunder a lot more than BTCT, and the BitFunder name is easy to remember.

Quote from: Caesium on May 31, 2013, 09:51:15 AM

The margin-left: -30px on the .row class annoys me the most, everything on the page below the header is shifted left - does nobody else see this?

(Firefox/Aurora on OSX)
https://dl.dropboxusercontent.com/u/38877106/Screenies/Screen%20Shot%202013-05-31%20at%2014.50.31.png

The WeExchange requirement was just another hurdle for me. I opened BitFunder and BTCT at the same time, with the sole intention of getting some ASICMINER-PT - you wanted me to go sign up to another website just to get some money in, BTCT didn't, so I went with the one that gave me less work.

murfshake

member

Activity: 84

Merit: 10

Quote from: ThickAsThieves on June 21, 2013, 07:53:07 PM

Quote from: murfshake on June 21, 2013, 07:36:30 PM

Suggestion:
I don't want to use 2 Factor Authenticaion every single time I login to just check my portfolio, but FFS I want it on when I trade or withdraw. I will be pulling all assets out of BItfunder and moving them to BTC-TC for this very reason in 4 weeks if this is not enabled.

Thank you,

1. Open Public Asset List https://bitfunder.com/assetlist
2. Ctril+F
3. Paste in your registered wallet address.
4. You're Welcome!

lol, thanks TAT but that is way harder and impossible to get an overview on! I check this from my offices, the car, home, etc and would like to just login and get a great overview. When I want to trade, I pull out the phone for 2FA!

But ty =)

*** Edit - If that "Asset List" showed the price and my total price of each asset that would actually work.

ThickAsThieves

hero member

Activity: 518

Merit: 500

Quote from: murfshake on June 21, 2013, 07:36:30 PM

Suggestion:
I don't want to use 2 Factor Authenticaion every single time I login to just check my portfolio, but FFS I want it on when I trade or withdraw. I will be pulling all assets out of BItfunder and moving them to BTC-TC for this very reason in 4 weeks if this is not enabled.

Thank you,

1. Open Public Asset List https://bitfunder.com/assetlist
2. Ctril+F
3. Paste in your registered wallet address.
4. You're Welcome!

murfshake

member

Activity: 84

Merit: 10

Suggestion:
I don't want to use 2 Factor Authenticaion every single time I login to just check my portfolio, but FFS I want it on when I trade or withdraw. I will be pulling all assets out of BItfunder and moving them to BTC-TC for this very reason in 4 weeks if this is not enabled.

Thank you,

Topic: BitFunder - Lets grow together! A request to all users - https://bitfunder.com - page 2. (Read 16626 times)