This website also talks about 2FA flaw of Blockchain.com
Not sure if it's the same flaw or similar one.
https://blockchaindotcomsucks.com
Topic: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug. (Read 964 times)
March 13, 2021, 04:52:40 PM
January 21, 2021, 10:21:03 PM
Sorry I didn't follow the full thread, but did you ever proceed with the legal action against them? I am not sure you stand any legal recourse in this case but just curious how it turned out if you did.
I talked to my lawyer, but the type of judge it would need to go in front of requires a grievance of at least $70,000.
I didn't really lose anything here and I didn't lose much time... We decided we wouldn't waste a Federal Judges time or my money.
Soooo regardless of being wronged... there isn't really shit I can do about it except warn others!
(I agree, A is likely what happened... it's at least best-case scenario for them IMO.)
January 21, 2021, 11:51:29 AM
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL
Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.
So either...
A: They fucked me.
B: They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.
Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.
Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.
So either...
A: They fucked me.
B: They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.
Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.
I bet it's 'A'. Them fixing the security issue same day as you reported it and then claiming they were aware of it doesn't add up.
Sorry I didn't follow the full thread, but did you ever proceed with the legal action against them? I am not sure you stand any legal recourse in this case but just curious how it turned out if you did.
January 15, 2021, 10:27:31 PM
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL
Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.
So either...
A: They fucked me.
B: They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.
Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.
Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.
So either...
A: They fucked me.
B: They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.
Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.
"We've paid out over $30,000" ...what a lame and stupid defense.
January 15, 2021, 07:44:17 PM
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL
Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.
So either...
A: They fucked me.
B: They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.
Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.
Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.
So either...
A: They fucked me.
B: They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.
Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.
October 09, 2020, 03:33:36 PM
bump
September 24, 2020, 12:44:48 PM
Good traction on another Reddit post today.
I had a white hat hacker recommend that I post my experience on /r/netsec today.
https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
Enjoy and thank you!
Edit: looks like it got removed off /r/netsec by a mod. The post had 170 upvotes @ 94%... good ole reddit
I had a white hat hacker recommend that I post my experience on /r/netsec today.
https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
Enjoy and thank you!
Edit: looks like it got removed off /r/netsec by a mod. The post had 170 upvotes @ 94%... good ole reddit
Post is still up, but a bunch of comments have been removed
https://www.removeddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
*an heros* September 23, 2020, 10:41:38 PM
Good traction on another Reddit post today.
I had a white hat hacker recommend that I post my experience on /r/netsec today.
https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
Enjoy and thank you!
Edit: looks like it got removed off /r/netsec by a mod. The post had 170 upvotes @ 94%... good ole reddit
I had a white hat hacker recommend that I post my experience on /r/netsec today.
https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
Enjoy and thank you!
Edit: looks like it got removed off /r/netsec by a mod. The post had 170 upvotes @ 94%... good ole reddit
Post is still up, but a bunch of comments have been removed
https://www.removeddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
September 22, 2020, 07:34:37 PM
Good traction on another Reddit post today.
I had a white hat hacker recommend that I post my experience on /r/netsec today.
https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
Enjoy and thank you!
Edit: looks like it got removed off /r/netsec by a mod. The post had 170 upvotes @ 94%... good ole reddit
I had a white hat hacker recommend that I post my experience on /r/netsec today.
https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
Enjoy and thank you!
Edit: looks like it got removed off /r/netsec by a mod. The post had 170 upvotes @ 94%... good ole reddit
August 03, 2020, 10:50:29 PM
Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto. now.
A user doesn't just have to leave a computer reckless unintended for this flaw to be dangerous!
Imagine just being shot in the face, and the person picks up your computer! There are thousands of ways "something" could go wrong with this flaw.
These security flaws in systems designed for people to keep millions of dollars of value that can be sent nonreversible with a few clicks put people at severe risks.
June 24, 2020, 05:08:07 PM
They treated the whole situation in the worst way possible. The very least thing they could have done was to acknowledge that their implementation of 2FA was pointless, instead of pretending it worked as intended. What's the point of second factor auth as an additional barrier, if anyone can gain access to that barrier once the previous barrier(s) the 2FA is supposed to harden are broken? This doesn't make sense.
Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto. But the way they treated this whole thing is just ridiculous. Best part is how they play offended by revoking the 50 bucks now.
Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto. But the way they treated this whole thing is just ridiculous. Best part is how they play offended by revoking the 50 bucks now.
June 24, 2020, 02:45:25 PM
HackerOne reached out to me yesterday and let me know I no longer qualified for the $50 they were awarding me for "trying". Keep in mind they were trying to requiring my social security and personal information for that $50! lol!
lol...
I also noticed Blockchain.com has dropped "The Pit" name from most of the website except for the Terms of Service and long typed legal things.
Read the whole story: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
lol...
I also noticed Blockchain.com has dropped "The Pit" name from most of the website except for the Terms of Service and long typed legal things.
Read the whole story: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
May 20, 2020, 07:31:42 PM
Powerpoint added to the OP that more clearly breaks down what happened and how it happened.
https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
March 03, 2020, 08:24:15 PM
I just wanna know why he help you with your shitty scam.
My extent of helping bb was encouraging him not to kill himself when he messaged me that he gambled it all away. I also encourage him to keep pushing on and making people right. Pay the urgent ones first and the chill people interest later.
If he killed himself... no one's getting paid for sure.
Edit: One time I let bb be a camgirl on MyFreeCams on a spare account... it was unrelated to this KYLEMAX nonsense, but still had to do with webcamming I guess you could say! We just pretended he was a girl with cancer lol kind of fucked up, but o well.
I have info that he didnt pay all bitcoins and he ignore investor's:)
Open a new thread and address the issue because as far as I understand, that isn't the case.
That's why i make this post, but if you wanna to deal with lowlife scammer it is ok, but people shouldn't trust you Bay.
That's part of what makes Bitcoin so amazing, I am able to transact with bb safely as long as he sends first... it keeps the playing field honest.
KLYE and I are lovers... we are not business partners and our trust doesn't have anything to do with each other. (har har)
I don't understand why someone wouldn't trust me due to bb, but if they don't... it's probably not someone I want to deal with anyways.
I feel like I've addressed your post even though it was nonrelated to the OP of this thread. If you wish to discuss this further, please create a new thread and PM me the link! Thank you!
March 03, 2020, 08:05:29 PM
Better bump topic about your best friend klye and his scam
3 years without active and i think he still didn't pay scammed money.
3 years without active and i think he still didn't pay scammed money.
Bayareacoins is my lover, not my best friend. Get your facts straight bitch.
Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3
Cheers Fuckface.
I just wanna know why he help you with your shitty scam.
I have info that he didnt pay all bitcoins and he ignore investor's:)
That's why i make this post, but if you wanna to deal with lowlife scammer it is ok, but people shouldn't trust you Bay.
March 03, 2020, 04:06:48 PM
Better bump topic about your best friend klye and his scam
3 years without active and i think he still didn't pay scammed money.
3 years without active and i think he still didn't pay scammed money.
Bayareacoins is my lover, not my best friend. Get your facts straight bitch.
Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3
Cheers Fuckface.
I was actually going to correct him to "Butt Buddies" rather than besties, but I figured I'd keep our love in the cummy-shadows bb
<3.Mwahaha
Thanks for responding... Im glad to see everyone is squared away for the moment and lots of luck with STEEM bb. Don't let Justin Sun buttfuck your community too bad! #resistcommunism
March 03, 2020, 04:03:02 PM
Better bump topic about your best friend klye and his scam
3 years without active and i think he still didn't pay scammed money.
3 years without active and i think he still didn't pay scammed money.
Bayareacoins is my lover, not my best friend. Get your facts straight bitch.
Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3
Cheers Fuckface.
March 03, 2020, 03:35:01 PM
Better bump topic about your best friend klye and his scam
3 years without active and i think he still didn't pay scammed money.
3 years without active and i think he still didn't pay scammed money.
Actually, believe it or not... I believe bb (KYLE) has paid everyone that has demanded their investment back and all his current people are up to date payment wise.
If KYLE owes you money from his shit, please contact me and I'll reach out to him.
(Mind you, none of that had anything to do with me... I just helped him a tiny bit manage the crisis.)
November 15, 2019, 11:46:08 AM
Still demanding sensitive personal information for a $50 payment in BTC on a critical bug that would have resulted in user funds being lost that they said wasn't a bug, but fixed anyways.
October 30, 2019, 07:31:25 PM
I'm sorry but you act like r/ChoosingBeggars.
They clearly won't pay and even if they pay, the reason will be:
- F*ck, this guy talks so much, pay his shit and make him shut up.
They clearly won't pay and even if they pay, the reason will be:
- F*ck, this guy talks so much, pay his shit and make him shut up.
If you just skimmed the OP and thread I can see how you would think that. You're wrong though.
It doesn't matter how obvious or easy to fix a bug is. It only matters how critical it is.
The fact the bug existed and the way it was handled is a pretty big deal imo.
Jump to: