
Topic: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug. (Read 978 times)

jr. member
Activity: 42
Merit: 2
This website also talks about a 2FA flaw of Blockchain.com
Not sure if it's the same flaw or similar one.

https://blockchaindotcomsucks.com
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Sorry I didn't follow the full thread, but did you ever proceed with the legal action against them? I am not sure you stand any legal recourse in this case but just curious how it turned out if you did.

I talked to my lawyer, but the type of judge it would need to go in front of requires a grievance of at least $70,000.

I didn't really lose anything here and I didn't lose much time... We decided we wouldn't waste a federal judge's time or my money.

Soooo regardless of being wronged... there isn't really shit I can do about it except warn others!

(I agree, A is likely what happened... it's at least best-case scenario for them IMO.)
hero member
Activity: 882
Merit: 563
Bitcoin to the moon!
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL



Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.

So either...

A:  They fucked me.

B:  They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.

Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.

I bet it's 'A'. Them fixing the security issue same day as you reported it and then claiming they were aware of it doesn't add up.

Sorry I didn't follow the full thread, but did you ever proceed with the legal action against them? I am not sure you stand any legal recourse in this case but just curious how it turned out if you did.
legendary
Activity: 2688
Merit: 2077
Join the world-leading crypto sportsbook NOW!
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL



Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.

So either...

A:  They fucked me.

B:  They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.

Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.

"We've paid out over $30,000" ...what a lame and stupid defense.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Blockchain.com now claiming that the issue I reported was a bug... but... they knew about it prior to my report! LOL



Dude, if you have a website that you're advertising as military grade security and you know about a problem like that, but allow people to keep using millions and millions of dollars on your website... holy shit.

So either...

A:  They fucked me.

B:  They knowingly put their users at extreme risks and gave their users a false case of security due to their exchange design flaws.

Both are prime examples of corporate dishonest fuckery with shitty engineers covering their tracks and making excuses.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Good traction on another Reddit post today.

I had a white hat hacker recommend that I post my experience on /r/netsec today.

https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/

Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

Enjoy and thank you! Smiley

Edit: looks like it got removed off /r/netsec by a mod.  The post had 170 upvotes @ 94%... good ole reddit  Roll Eyes

Post is still up, but a bunch of comments have been removed

https://www.removeddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/





 Roll Eyes *an heros*
legendary
Activity: 2688
Merit: 2077
Join the world-leading crypto sportsbook NOW!
Good traction on another Reddit post today.

I had a white hat hacker recommend that I post my experience on /r/netsec today.

https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/

Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

Enjoy and thank you! Smiley

Edit: looks like it got removed off /r/netsec by a mod.  The post had 170 upvotes @ 94%... good ole reddit  Roll Eyes

Post is still up, but a bunch of comments have been removed

https://www.removeddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Good traction on another Reddit post today.

I had a white hat hacker recommend that I post my experience on /r/netsec today.

https://www.reddit.com/r/netsec/comments/ixvhuz/bug_bounty_blockchaincom_exchange_2fa_could_be/

Or skip Reddit and just read the story here: https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing

Enjoy and thank you! Smiley

Edit: looks like it got removed off /r/netsec by a mod.  The post had 170 upvotes @ 94%... good ole reddit  Roll Eyes
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto.

A user doesn't just have to leave a computer recklessly unattended for this flaw to be dangerous!

Imagine just being shot in the face, and the person picks up your computer!  There are thousands of ways "something" could go wrong with this flaw.

These security flaws in systems designed for people to keep millions of dollars of value that can be sent nonreversible with a few clicks put people at severe risks.
legendary
Activity: 2320
Merit: 1292
Encrypted Money, Baby!
They treated the whole situation in the worst way possible. The very least thing they could have done was to acknowledge that their implementation of 2FA was pointless, instead of pretending it worked as intended. What's the point of second factor auth as an additional barrier, if anyone can gain access to that barrier once the previous barrier(s) the 2FA is supposed to harden are broken? This doesn't make sense.

Generally, I think someone who leaves his computer in a coffee shop with the trading platform open, logged in, and hell, even with the password manager open, deserves some kind of lesson, though. This is not how you're supposed to opsec when dealing with crypto. But the way they treated this whole thing is just ridiculous. Best part is how they play offended by revoking the 50 bucks now.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
HackerOne reached out to me yesterday and let me know I no longer qualified for the $50 they were awarding me for "trying".  Keep in mind they were trying to require my Social Security number and personal information for that $50! lol!



lol...  Roll Eyes

I also noticed Blockchain.com has dropped "The Pit" name from most of the website except for the Terms of Service and long typed legal things.

Read the whole story:  https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
PowerPoint added to the OP that more clearly breaks down what happened and how it happened.

https://docs.google.com/presentation/d/1B7Edd-fj3wSegL2_JMwKBglPzk3pBG9DUVLuz3HPP-w/edit?usp=sharing
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
I just wanna know why he helped you with your shitty scam.

My extent of helping bb was encouraging him not to kill himself when he messaged me that he gambled it all away.  I also encouraged him to keep pushing on and making people right.  Pay the urgent ones first and the chill people interest later.

If he killed himself... no one's getting paid for sure.

Edit:  One time I let bb be a camgirl on MyFreeCams on a spare account... it was unrelated to this KYLEMAX nonsense, but still had to do with webcamming I guess you could say! We just pretended he was a girl with cancer lol kind of fucked up, but oh well. Tongue

I have info that he didn't pay all bitcoins and he ignores investors :)

Open a new thread and address the issue because as far as I understand, that isn't the case.

That's why I made this post, but if you wanna deal with a lowlife scammer it is ok, but people shouldn't trust you, Bay.

That's part of what makes Bitcoin so amazing, I am able to transact with bb safely as long as he sends first... it keeps the playing field honest.

KLYE and I are lovers... we are not business partners and our trust doesn't have anything to do with each other. (har har)

I don't understand why someone wouldn't trust me due to bb, but if they don't... it's probably not someone I want to deal with anyways.  Tongue

I feel like I've addressed your post even though it was nonrelated to the OP of this thread.  If you wish to discuss this further, please create a new thread and PM me the link!  Thank you!

full member
Activity: 377
Merit: 110
Better bump topic about your best friend klye and his scam Smiley
3 years without activity and I think he still didn't pay scammed money.

Bayareacoins is my lover, not my best friend. Get your facts straight bitch. Smiley

Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3

Cheers Fuckface. Cheesy

I just wanna know why he helped you with your shitty scam.
I have info that he didn't pay all bitcoins and he ignores investors :)
That's why I made this post, but if you wanna deal with a lowlife scammer it is ok, but people shouldn't trust you, Bay.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Better bump topic about your best friend klye and his scam Smiley
3 years without activity and I think he still didn't pay scammed money.

Bayareacoins is my lover, not my best friend. Get your facts straight bitch. Smiley

Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3

Cheers Fuckface. Cheesy

I was actually going to correct him to "Butt Buddies" rather than besties, but I figured I'd keep our love in the cummy-shadows bb Wink <3.

Mwahaha

Thanks for responding... I'm glad to see everyone is squared away for the moment and lots of luck with STEEM bb.  Don't let Justin Sun buttfuck your community too bad!  #resistcommunism
legendary
Activity: 1358
Merit: 1003
Designer - Developer
Better bump topic about your best friend klye and his scam Smiley
3 years without activity and I think he still didn't pay scammed money.

Bayareacoins is my lover, not my best friend. Get your facts straight bitch. Smiley

Scammed money? I don't deal with fiat, sorry buddy.
Anyways, I'd like to know why my name is in your filthy whorish mouth. <3

Cheers Fuckface. Cheesy
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Better bump topic about your best friend klye and his scam Smiley
3 years without activity and I think he still didn't pay scammed money.

Actually, believe it or not... I believe bb (KYLE) has paid everyone that has demanded their investment back and all his current people are up to date payment wise.

If KYLE owes you money from his shit, please contact me and I'll reach out to him.  

(Mind you, none of that had anything to do with me... I just helped him a tiny bit manage the crisis.)
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Still demanding sensitive personal information for a $50 payment in BTC on a critical bug that would have resulted in user funds being lost that they said wasn't a bug, but fixed anyways.
legendary
Activity: 2688
Merit: 2077
Join the world-leading crypto sportsbook NOW!
I'm sorry but you act like r/ChoosingBeggars.
They clearly won't pay and even if they pay, the reason will be:

- F*ck, this guy talks so much, pay his shit and make him shut up.


If you just skimmed the OP and thread I can see how you would think that.  You're wrong though.

It doesn't matter how obvious or easy to fix a bug is.  It only matters how critical it is.

The fact the bug existed and the way it was handled is a pretty big deal imo. 
