Topic: Blockchain.com & HackerOne.com didn't pay a major bug bounty & fixed bug. - page 2. (Read 982 times)

legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
I'm sorry but you act like r/ChoosingBeggars.

I'll live.  I'm not begging.  No need to apologize.  I treated this exactly how I would want my website to be treated as well.

I just think it's wild to claim military security and have 2fa backups dump without reauthenticating.  Then on top of that claim that is how it's supposed to function.  Then offer $50 but demand personal information.  It's just an experience that needs to be documented IMO.  That's worth far more than the $6,000 cap on bug bounties.

They clearly won't pay and even if they pay, the reason will be:

- F*ck, this guy talks so much, pay his shit and make him shut up.

How about:

- Hey, this guy found a major flaw in our security logic that put our customers at risk that could/would result in coins being lost & customers possibly physically hurt. We fixed it asap. Our bug bounty says $2,000-$6,000.  Let's do what we say we will do.

Not:

- Uhhh the feature performs as intended.
(1 day later)
- Actually we fixed it because we already knew about it and Google does it this way too.  (Google does not)
- Here is $50 for trying so hard, but... we need all your personal info to pay you $50 or you get jack shit!  Welcome to the Bitcoin community, thanks for making our website and community more strong... let us know if you see anything else! *an heros  Roll Eyes*

I just can't stand getting fed bullshit & lies.  Please don't confuse my bitching as begging.  End of the day, I would have given them this for free... I just dislike the deceptive bullshit.
full member
Activity: 158
Merit: 102
I'm sorry but you act like r/ChoosingBeggars.
They clearly won't pay and even if they pay, the reason will be:

- F*ck, this guy talks so much, pay his shit and make him shut up.
legendary
Activity: 1134
Merit: 1118
Their handling of the situation is what I would generously class as a complete joke. Being able to get 2FA Backup codes without proving you have access to a 2FA method makes about as much sense as being able to change the password on an account without knowledge of its existing password. It's ridiculous and a failure of basic security principles, and it's pretty worrying that a "military-grade" exchange made such a basic error. If they're making basic security errors like that then they have clearly invested very little in reviewing their security practices, which is completely antithetical to claiming that your security is top-notch.

Shame on them.

legendary
Activity: 2716
Merit: 2093
Join the world-leading crypto sportsbook NOW!
Seems like this would be a good story for some of those clickbait crypto news sites.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
BlockchainPIT on their telegram channel is now editing their messages!

I'm so fucking thankful I took screenshots.



Before they edited their response was:

Quote
"Steven stick to asking questions on the Pit on this channel. we have taken your points on board above and are looking into it. I have asked the relevant folks internally to ensure it's sorted correctly.

Edit:  Lol I'm just noticing that part of the edit in their telegram removed the "to ensure it's sorted correctly." lol *facepalm* srsly?

Double edit:  I'm not saying editing is bad.  I make about a million edits and typos each post... but to remove the part that says they will get it sorted correctly is kinda funny in a sick way. lol
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
I am now calling this a scam as of this post due to Blockchain and HackerOne not honoring their Bug Bounty terms of payment. After going back and forth with Blockchain's & HackerOne's customer support, I also believe they made claims that they knew are flat out lies. Please read through and make your own decision.  I have done my best to document everything here.
 
Something feels real off to me about it.  I find it hard to believe that their security team was aware of this problem and purposely chose not to fix it... or at least chose not to fix it until I reported it.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com


Jesus Christ on a stick.  Unreal.  I'm totally flabbergasted and at a loss for words.

Needless to say, I will not be claiming that $50 by filling out any tax forms I'm not required to!  Fuck that noise.

legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Hold on... still a glimmer of hope...

legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Wow, just wow.



It went from a "working feature, how else would they recover their 2fa if lost?" to "Something they were already planning on fixing."  Roll Eyes No fucking way.  This was a horrible security flaw that someone fucked up royally & fixed as soon as I reported it.  I can't even imagine purposely leaving 2fa to be dumped with a password only.

"not a critical security flaw as per the industry-accepted definition of the term"  It should be noted that this is a MAJOR CRITICAL HOLY FUCK security flaw as per the industry-accepted definition. Not re-authenticating a user's 2fa, or not giving the user a "remember this computer" option (which you shouldn't use ffs!) such as what Google does, is most certainly not military-grade "locked down" or likely even good enough for Neopets.



Blockchain.com's bug bounty is a scam or some employees there are very confused about what the industry standard is for 2fa security, holy shit.  I'm going to officially say that at this point.  Updated in the OP.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com


Google absolutely does prompt for both account password and 2FA code before allowing you to do anything with your 2FA settings if 2FA is enabled.

If your account doesn't, it's likely because you have left "Don't ask again on this computer" checked. It is checked by default every time you provide a 2FA code.

Allowing any logged in account to access its 2FA backup codes without providing a 2FA code means that if anyone gains temporary access to your account they can disable 2FA at any point in the future. That's clearly "a credible attack".

Thank god I'm not losing my marbles...  I appreciate the second set of eyes Doog.
legendary
Activity: 2940
Merit: 1333


Google absolutely does prompt for both account password and 2FA code before allowing you to do anything with your 2FA settings if 2FA is enabled.

If your account doesn't, it's likely because you have left "Don't ask again on this computer" checked. It is checked by default every time you provide a 2FA code.

Allowing any logged in account to access its 2FA backup codes without providing a 2FA code means that if anyone gains temporary access to your account they can disable 2FA at any point in the future. That's clearly "a credible attack".
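Added illustration, not code from this thread, from Blockchain.com or from HackerOne: a small Python model of the two designs argued about in the post above that compares unauthenticated backup-code retrieval to changing a password without the old one, and in Doog's point that a temporarily hijacked session could dump the codes and disable 2FA later. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits). The Account and Session classes, the 300-second step-up window, the trusted_device flag (standing in for a "Don't ask again on this computer" cookie) and the demo function are assumptions made for the example, not anyone's real implementation; the backup codes and secret are generated on the fly as constructed sample data.

```python
"""Step-up 2FA before revealing backup codes: the weak path beside the hardened one.

Illustrative model only; names, window length and data layout are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

STEP_UP_WINDOW = 300   # seconds a fresh second-factor proof stays usable (assumed value)
TOTP_STEP = 30         # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP(secret, floor(now / step)) with HMAC-SHA1, 6 digits."""
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current step and one step either side; constant-time comparison."""
    if len(code) != TOTP_DIGITS or not (code.isascii() and code.isdigit()):
        return False                                          # rejects non-ASCII digits too
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
               for d in (-1, 0, 1))


@dataclass
class Account:
    totp_secret: bytes
    backup_codes: list            # plaintext here for illustration; a real store keeps hashes


@dataclass
class Session:
    authenticated: bool = True    # password (or session cookie) accepted
    trusted_device: bool = False  # "Don't ask again on this computer": skips the *login* 2FA prompt
    mfa_verified_at: Optional[int] = None  # last time this session proved a second factor


class MfaRequired(Exception):
    """The action needs a fresh second-factor proof from this session."""


def reveal_backup_codes_weak(session: Session, account: Account) -> list:
    """The design the thread objects to: being logged in is the only check."""
    if not session.authenticated:
        raise PermissionError("login required")
    return list(account.backup_codes)


def step_up(session: Session, account: Account, code: str, now: int) -> None:
    """Re-prove the second factor and record when it happened."""
    if not session.authenticated:
        raise PermissionError("login required")
    if not verify_totp(account.totp_secret, code, now):
        raise PermissionError("2FA code rejected")
    session.mfa_verified_at = now


def reveal_backup_codes_hardened(session: Session, account: Account, now: int) -> list:
    """Release codes only to a session whose second-factor proof is recent.
    trusted_device is deliberately not consulted: a remembered browser may skip the
    login prompt, but not the step-up for a security-settings action."""
    if not session.authenticated:
        raise PermissionError("login required")
    fresh = session.mfa_verified_at is not None and now - session.mfa_verified_at <= STEP_UP_WINDOW
    if not fresh:
        raise MfaRequired("present a current 2FA code to view backup codes")
    return list(account.backup_codes)


def demo(now: Optional[int] = None) -> dict:
    """Walk both paths with a hijacked session and with the real owner."""
    now = int(time.time()) if now is None else now
    secret = secrets.token_bytes(20)                          # constructed sample account
    account = Account(totp_secret=secret,
                      backup_codes=[secrets.token_hex(5) for _ in range(8)])
    results = {}

    hijacked = Session(trusted_device=True)   # stolen laptop / stolen cookie, no authenticator in hand
    results["weak_leaks"] = reveal_backup_codes_weak(hijacked, account) == account.backup_codes
    try:
        reveal_backup_codes_hardened(hijacked, account, now)
        results["hardened_blocks_hijacker"] = False
    except MfaRequired:
        results["hardened_blocks_hijacker"] = True

    owner = Session()
    step_up(owner, account, totp(secret, now), now)           # owner has the authenticator
    results["owner_after_step_up"] = reveal_backup_codes_hardened(owner, account, now) == account.backup_codes
    try:
        reveal_backup_codes_hardened(owner, account, now + STEP_UP_WINDOW + 1)  # proof has gone stale
        results["stale_proof_blocks"] = False
    except MfaRequired:
        results["stale_proof_blocks"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Run it with python3 and it prints the four checks: the weak path hands the codes to the hijacked session (even with the trusted-device flag set), the hardened path refuses until a current code is presented, and refuses again once the proof is older than the window. The only design decision that matters is the last function: the freshness of the second-factor proof is a property of the session, checked per sensitive action, not something the login cookie carries.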
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com


Here is the file I attached (blockchain.info.png) with proof Google requires 2fa before dumping 2fa backup codes:

legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
You might want to edit out your name in the letter. I presume you don’t want to dox yourself.

I've been a namefag for a while.  It's all good!  Thank you though <3 I appreciate you pointing it out.

Fascinating reading though & the bounty paid is a joke by the way.

I don't know if I should laugh, cry, an hero or bang my head against the wall.   Grin Tongue Roll Eyes
legendary
Activity: 3556
Merit: 9709
#1 VIP Crypto Casino
You might want to edit out your name in the letter. I presume you don’t want to dox yourself.

Fascinating reading though & the bounty paid is a joke by the way.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
My response to HackerOne staff:



My follow up email to Blockchain.com staff:

legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
Whoa.... $50 for a critical infrastructure error and the HackerOne people STILL claiming it's normal practice & Google does it (Google doesn't, don't worry) to display 2fa backup codes without re-authenticating both 2fa and password if the account has both.  What is the point of 2fa in that case?  This is NOT how military-grade 2fa security works at all.



Severity "none"  Shocked Shocked Shocked Shocked Shocked Shocked w-t-f  Lips sealed  

"Pipelined for fix" also catches my eye because this fix has already taken place, as indicated in my OP.  These HackerOne people are liars.

"Note that other services, including Google, do not require 2FA code to reveal the backup codes." This is NOT true.  Google absolutely requires 2fa to reveal 2fa codes. (see further down the thread)

(this paragraph is a 10/19/2019 edit) "recognition of your effort to prioritize this fix" At least they are calling it a fix and not a fucking feature! Imagine this story:  You have $10,000,000 on your account and you want to go to a coffee shop to trade.  You know you aren't going to withdraw, so you leave your 2fa at home in your safe.  Your account is covered by 2fa.  You use Lastpass because your passwords are 30 characters long.  While you're sitting in the coffee shop, some punk grabs your computer and takes off.  By the time you get done with the police and hot coffee shop girls making sure you're OK, that punk could have withdrawn $10,000,000 without my bug report (half in BTC and half in fiat as per The Pit's withdrawal limits).  My bug report just stopped that from happening because now that punk has to have your 2fa code to display your 2fa backup. Please keep in mind, I'm not 100% sure what the withdrawal user experience & security features are like on "The Pit".  I was only on the site for a few minutes to find this.  IF it's like any other website + that bug that only required your password to dump and turn off your 2fa... you'd be a fucked duck. End of edit.

According to Blockchain.com's bug bounty they pay $2000 and more for critical infrastructure errors/errors that result in loss of users' funds... both of which this bug absolutely is.



Also, the icing on the cake... HackerOne is demanding my personal information for a $50 bounty!!!!!!!!!!!  Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes



Since when does US tax law require personal information for a $50 payment to a non-employee independent contractor?  In order to get a 1099 tax form in America, you have to earn over $600 in a year! (I'm not a CPA)



Edited:

Here is the actual shit they are trying to force me to fill out to get $50...





https://www.taxgirl.com/2009/03/19/ask-the-taxgirl-can-i-refuse-to-complete-a-form-w-9/