
Topic: BitFunder - Lets grow together! A request to all users - https://bitfunder.com - page 2. (Read 16626 times)

sr. member
Activity: 294
Merit: 250
http://coin.furuknap.net/
The transfer function was being abused with a cross-site attack; anyone could have sent POST data to the /transfer page, no matter what website they were sending the data from, and as long as the user was logged in, the transfer would go through.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

You may want to set up a transfer confirm email, or you may want to add a CSRF hash to your form data so that it can't be spoofed and the server is checking that each submission is in fact from the right server.

This bug will circumvent 2FA. So I probably won't stay logged in and click external links until this problem is fixed.

Just my two cents.

Glad to see that it's disabled right now, guess you are looking into it? I saw some poor souls getting scammed on reddit :(

Ukyo, are you starting to see my point yet?

.b
newbie
Activity: 23
Merit: 0
Hi,

For now, is it possible to have the current server time listed somewhere on the top where the menu is on each page?

I live in a different time zone and often want to analyze when the last trade actually happened. It would be even better if on our settings page, we can save a setting to display time in our own time zones. But the first will suffice in the meantime so we can compare when things were posted.

Thanks,
Joe
full member
Activity: 224
Merit: 100
You can't kill math.
legendary
Activity: 1498
Merit: 1000
I think an options market would be helpful.  Something similar to the securities market screen where you can view all the available options for all the securities, sorted by volume.  I'd like to view options without having to go through each security and also would like to see what people are actually buying to help identify potentially good deals.

+1
donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
I think an options market would be helpful.  Something similar to the securities market screen where you can view all the available options for all the securities, sorted by volume.  I'd like to view options without having to go through each security and also would like to see what people are actually buying to help identify potentially good deals.
sr. member
Activity: 350
Merit: 250
newbie
Activity: 50
Merit: 0
I want to automatically have my G.ASICMINER-PT dividends reinvested into TAT.ASICMINER. Would this be a good feature? Otherwise, email notification of dividend payments would be good too.
newbie
Activity: 28
Merit: 0
biggest bug imho: not being able to bring assets online.
i've been following you around for close to three weeks now (pm, irc) to no avail.



BTCT hit the big boards i bet anyone got 1btc.. I'LL SHOW YOU!  i know why !..lol
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
Make that 3 people now, personally hate Google 2F, having an alternative would be nice. ;)

Agreed. I am going to add Yubikey, and I am working on a new method in the industry that some people will like, others will hate.

Make it 4 people who hate/nullroute Google and will never use Android/SpyOS Hitlerphones.

+1 for Yubikey and soon, Trezor as well. 8)

As a buy-and-hold long term investor, I'd like an option to 'Lock down' my account, requiring two email confirmations sent 48 hours apart to transfer or change anything.
sr. member
Activity: 448
Merit: 250
There have only been a very small amount of accounts abused so far in comparison to the normal daily users who do not have 2-factor enabled.
We have seen a large number of failed login attempts for email accounts that do not exist on our system. One thought is that another site has been compromised.

I lowered the failed retry amount as some people noticed to lessen the speed at which the list can be tested.

Cross-site POSTs using logged-in sessions are a bit more difficult but I am putting a check for that.

These transfers happened when users were not at the computer at all.

I am looking to enable an 'email confirmation' method for things.
sr. member
Activity: 448
Merit: 250
add good yubikey support (register several keys, can't remove yubikey auth. without yubikey, set conditions that require yubikey authorisation)
it's also annoying that I can't open an asset in a new tab with the middle mousebutton

I think you are the second person to ask for Yubikey support.
I will look into it. :)

As for the asset page, I was just discussing changes for it with TAT earlier today that will make things better for a lot of people I think.

-Ukyo

Make that 3 people now, personally hate Google 2F, having an alternative would be nice. ;)


Agreed. I am going to add Yubikey, and I am working on a new method in the industry that some people will like, others will hate.
hero member
Activity: 811
Merit: 1000
Web Developer
The transfer function was being abused with a cross-site attack; anyone could have sent POST data to the /transfer page, no matter what website they were sending the data from, and as long as the user was logged in, the transfer would go through.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

You may want to set up a transfer confirm email, or you may want to add a CSRF hash to your form data so that it can't be spoofed and the server is checking that each submission is in fact from the right server.

This bug will circumvent 2FA. So I probably won't stay logged in and click external links until this problem is fixed.

Just my two cents.

Glad to see that it's disabled right now, guess you are looking into it? I saw some poor souls getting scammed on reddit :(
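
The two server-side checks discussed in this thread (a per-session CSRF token in the form data, and a check on where the POST came from), as an added example that is not code from any poster or from BitFunder. The handler name `handle_transfer`, the `csrf_token` field and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)      # constructed per-deployment secret
TRUSTED_ORIGIN = "https://bitfunder.com"  # site origin as named in the thread

def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    """Token rendered into the transfer form; bound to one session by HMAC."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def csrf_token_valid(session_id: str, token: str) -> bool:
    """A page on another site cannot read the form, so it cannot supply this."""
    nonce, sep, mac = (token or "").partition(".")
    if not sep:
        return False
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def same_origin(headers: dict) -> bool:
    """Accept only an Origin (or Referer fallback) that is our own site.
    Requests carrying neither header are refused (a strict policy choice)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN

def handle_transfer(session_id, headers: dict, form: dict):
    """Decision for a POST to a hypothetical /transfer handler: (status, reason)."""
    if session_id is None:
        return 401, "not logged in"
    # A valid session cookie alone is not proof of intent: the browser attaches
    # it to cross-site POSTs too, which is why 2FA at login does not help here.
    if not same_origin(headers):
        return 403, "cross-site request"
    if not csrf_token_valid(session_id, form.get("csrf_token", "")):
        return 403, "bad csrf token"
    return 200, "transfer accepted"
```

The token is tied to the session, so a token lifted from one account's form is rejected when replayed against another session.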
legendary
Activity: 1267
Merit: 1000
got it, thanks.

now i can sleep better.... :D
sr. member
Activity: 258
Merit: 250
You can trust me, I have an avatar
In setting up 2 factor:


Write this down and save it!
Enter code to enable:



What code do you enter???

The code from the Authenticator app.
legendary
Activity: 1267
Merit: 1000
In setting up 2 factor:


Write this down and save it!
Enter code to enable:



What code do you enter???
member
Activity: 67
Merit: 10
add good yubikey support (register several keys, can't remove yubikey auth. without yubikey, set conditions that require yubikey authorisation)
it's also annoying that I can't open an asset in a new tab with the middle mousebutton

I think you are the second person to ask for Yubikey support.
I will look into it. :)

As for the asset page, I was just discussing changes for it with TAT earlier today that will make things better for a lot of people I think.

-Ukyo

Make that 3 people now, personally hate Google 2F, having an alternative would be nice. ;)
newbie
Activity: 24
Merit: 0
I actually like the User Interface of BitFunder a lot more than BTCT, and the BitFunder name is easy to remember.

The margin-left: -30px on the .row class annoys me the most, everything on the page below the header is shifted left - does nobody else see this?

(Firefox/Aurora on OSX)
https://dl.dropboxusercontent.com/u/38877106/Screenies/Screen%20Shot%202013-05-31%20at%2014.50.31.png

The WeExchange requirement was just another hurdle for me. I opened BitFunder and BTCT at the same time, with the sole intention of getting some ASICMINER-PT - you wanted me to go sign up to another website just to get some money in, BTCT didn't, so I went with the one that gave me less work.
member
Activity: 84
Merit: 10
Suggestion:
I don't want to use 2 Factor Authentication every single time I login to just check my portfolio, but FFS I want it on when I trade or withdraw. I will be pulling all assets out of BitFunder and moving them to BTC-TC for this very reason in 4 weeks if this is not enabled.

Thank you,

1. Open Public Asset List https://bitfunder.com/assetlist
2. Ctrl+F
3. Paste in your registered wallet address.
4. You're Welcome!

lol, thanks TAT but that is way harder and impossible to get an overview on!  I check this from my offices, the car, home, etc and would like to just login and get a great overview.  When I want to trade, I pull out the phone for 2FA!

But ty =)

*** Edit - If that "Asset List" showed the price and my total price of each asset that would actually work.
hero member
Activity: 518
Merit: 500
Suggestion:
I don't want to use 2 Factor Authentication every single time I login to just check my portfolio, but FFS I want it on when I trade or withdraw. I will be pulling all assets out of BitFunder and moving them to BTC-TC for this very reason in 4 weeks if this is not enabled.

Thank you,

1. Open Public Asset List https://bitfunder.com/assetlist
2. Ctrl+F
3. Paste in your registered wallet address.
4. You're Welcome!
member
Activity: 84
Merit: 10
Suggestion:
I don't want to use 2 Factor Authentication every single time I login to just check my portfolio, but FFS I want it on when I trade or withdraw. I will be pulling all assets out of BitFunder and moving them to BTC-TC for this very reason in 4 weeks if this is not enabled.

Thank you,