
Topic: C-CEX.com Trusted, Secure & Friendly Exchange Since 2013. 200+ Alts,USD,Low Fees - page 13. (Read 254684 times)

newbie
Activity: 1
Merit: 0
Same trouble here, I CANNOT ACCESS MY ACCOUNT

Dear C-cex,

"User not found or account disabled". I can't access my account.
Is there any problem with my account?

Please help me solve this problem.
hero member
Activity: 2926
Merit: 722
DGbet.fun - Crypto Sportsbook
@MODS:  Isn't it about time this entire thread was moved to the scam section where it belongs?  This would help stop noob users being scammed any further.

No support.
Customers accounts being closed.
Customers funds vanishing.
No withdrawals.
Missing funds.
Page after page after page of complaints.



Finally something we both agree on! Cheesy
Agree on this one too. Since this thread has already been abandoned, maybe it would be suitable to put it up in scam accusations, as lots of people continue to come here complaining that accounts have been blocked one after another.

Is there any possible action with this?
legendary
Activity: 1282
Merit: 1051
One of the worst exchanges I have seen

Bad support and delisting coins without any proper time

Shame on Ccex team
legendary
Activity: 2506
Merit: 1030
Twitter @realmicroguy
@MODS:  Isn't it about time this entire thread was moved to the scam section where it belongs?  This would help stop noob users being scammed any further.

No support.
Customers accounts being closed.
Customers funds vanishing.
No withdrawals.
Missing funds.
Page after page after page of complaints.



Finally something we both agree on! Cheesy
hero member
Activity: 1438
Merit: 574
Always ask questions. #StandWithHongKong
@MODS:  Isn't it about time this entire thread was moved to the scam section where it belongs?  This would help stop noob users being scammed any further.

No support.
Customers accounts being closed.
Customers funds vanishing.
No withdrawals.
Missing funds.
Page after page after page of complaints.

member
Activity: 226
Merit: 34
Looks like they've gone scam. SCAM!!
newbie
Activity: 9
Merit: 0
These are indeed serious bypass that you had mentioned but it doesn't really matter at all yet this exchange do already fallen to scam anyone. I'm reading once in a while
Outside this, there are also weak practices like using MD5-based session cookies and not changing them across requests.

into this thread. I haven't seen any response of OP on what's happening and also reading up continuous complaints about account disabled and lost funds.
What's happening? Do you remember how they were hacked in February 2014? Please notice how the last 9 September and the February 2014 are similar (both repeated the same withdrawal several times).
Well, it might not be the same guys as in 2014, but I think the hackers just found a variant of the same vulnerability in order to bypass the February 2014 protection which was put in place after the first attack.

Without C-cex explaining how exactly it happened, we won't know.
Remembering C-cex glory days but they do end up like this after on that 3 months vacation alibi.
What glory days? Trust me, you can be sure that, even by 2014 security standards, you wouldn't see GET requests on Facebook or Paypal.
You can be sure those weaknesses have existed since the beginning and aren't the result of a code update.
legendary
Activity: 3094
Merit: 1127

But with c-cex, it's hard to find something protected on client side. For starters, everything is vulnerable to CSRF even with 2FA enabled:

Wanna change the chat name of someone else? It's possible to do it by making them click a link which triggers a POST to http://c-cex.com/?id=profile&rett=chat_b.
Wanna write a chat message with an account you don't own? It's possible to do it by making them click a link which simply works through a GET request.
You hacked the e-mail account linked to a c-cex account? Just make the target user click a link and you'll receive the confirmation link. You also don't need to log in to confirm the withdrawal (another vulnerability combined).

In that case, the only thing protected against CSRF I found is posting limit orders. And even then it's still performed through GET requests.
I also found making someone lose all funds through clicking https://c-cex.com/?id=funds&dump=btc requires an origin matching c-cex.com. Though that’s still possible to hide and trigger the target through a redirect.

There is also their internal captcha system which is easy to solve fully automatically through things like IBM Watson or Google Cloud vision with high success rates.

These are indeed serious bypass that you had mentioned but it doesn't really matter at all yet this exchange do already fallen to scam anyone. I'm reading once in a while
into this thread. I haven't seen any response of OP on what's happening and also reading up continuous complaints about account disabled and lost funds.
Remembering C-cex glory days but they do end up like this after on that 3 months vacation alibi.
newbie
Activity: 9
Merit: 0
Sorry c-cex, but you don't seem to care about bug report tickets.

Normally, even when you go on coinexchange.io, it's hard to find something vulnerable.
But with c-cex, it's hard to find something protected on client side. For starters, everything is vulnerable to CSRF even with 2FA enabled:

Wanna change the chat name of someone else? It's possible to do it by making them click a link which triggers a POST to http://c-cex.com/?id=profile&rett=chat_b.
Wanna write a chat message with an account you don't own? It's possible to do it by making them click a link which simply works through a GET request.
You hacked the e-mail account linked to a c-cex account? Just make the target user click a link and you'll receive the confirmation link. You also don't need to log in to confirm the withdrawal (another vulnerability combined).

In that case, the only thing protected against CSRF I found is posting limit orders. And even then it's still performed through GET requests.
I also found making someone lose all funds through clicking https://c-cex.com/?id=funds&dump=btc requires an origin matching c-cex.com. Though that’s still possible to hide and trigger the target through a redirect.

There is also their internal captcha system (https://c-cex.com/cp.html?s=385353503) which is easy to solve fully automatically through things like IBM Watson or Google Cloud vision with high success rates.

There are many ways to bypass users completely and steal funds directly from servers like with the recent attack (though I failed to see the vulnerability recently used by the attacker).

The exchange is definitely less secure than Mt.Gox. There are even known bugs used in the past elsewhere that aren't fixed on the exchange (1 task when you are in charge of security is to read the news about recently discovered attacking methods). Maybe they also run outdated third party libraries too, but that's something to investigate.
The only thing positive over Mt.Gox is funds are correctly managed manually outside the lack of fund audits: they can't "find" a forgotten wallet like it happened with Mt.Gox since no wallets are susceptible to be forgotten.

In some way, the bugs users are noticing with unexecuted withdrawals or disappearing deposits as well as disabled accounts are only the tip of the iceberg.
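
Added example, not part of the post above and not the exchange's code: a server-side request check covering the gaps the post lists (state changes over GET, an origin check as the only barrier, hash-derived session cookies that never change). The origin `https://exchange.example`, the `csrf_token` form field and every function name are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical names and values throughout; nothing here is taken from the exchange.
SERVER_KEY = secrets.token_bytes(32)         # server-side secret, never sent to clients
TRUSTED_ORIGIN = "https://exchange.example"  # placeholder origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session_id():
    """Session id from a CSPRNG (not a hash of user data); issue a fresh one at login."""
    return secrets.token_urlsafe(32)


def csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256 of the session id under SERVER_KEY."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_ok(headers):
    """Scheme and host of Origin (Referer as fallback) must equal the trusted origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_request(method, changes_state, headers, session_id, form):
    """Return (allowed, reason) for one incoming request."""
    if method in SAFE_METHODS:
        # Links and redirects issue GETs, so a safe method must never change state.
        if changes_state:
            return False, "state change via safe method"
        return True, "ok"
    if not origin_ok(headers):
        return False, "origin mismatch"
    # The origin check is not the only barrier: the session-bound token is required too.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return False, "bad csrf token"
    return True, "ok"
```
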
hero member
Activity: 1134
Merit: 525
Less hops. More wins.
member
Activity: 489
Merit: 12
When is the next 3-month vacation?  
newbie
Activity: 1
Merit: 0
I CAN NOT ACCESS MY ACCOUNT

Dear C-cex,

“User not found or account disabled”. I can’t access my account.
Is there any problem with my account?

Please help me solve this problem.

Also, I try to get lost password and never get an email to change it.
my email is [email protected]
newbie
Activity: 1
Merit: 0
I CAN NOT ACCESS MY ACCOUNT

Dear C-cex,

“User not found or account disabled”. I can’t access my account.
Is there any problem with my account?

Please help me solve this problem.

Thanks!
newbie
Activity: 2
Merit: 0
Same f**** problem for almost 2 months!
copper member
Activity: 12
Merit: 0
Why I have "User not found or account disabled" when would login ?!?

Hi, I also have account disabled, and every time I try to post a ticket to report it (trying for 2 weeks now), I get the answer "Out support queue is full, try again later"...

Is there a CCEX support email address I can send my issue to? I have not been able to log on since April actually when I first found the issue. I want to move some of my balances held on your exchange...
member
Activity: 132
Merit: 10
Why I have "User not found or account disabled" when would login ?!?
legendary
Activity: 3094
Merit: 1127
Dear C-Cex,
The petition was signed too.

Planning to push it to our traders community.

ArtyomVasenin
3 days since posted but still we do got this numbers. I'll spread this link for the petition.

newbie
Activity: 15
Merit: 0
Dear C-Cex,
The petition was signed too.

Planning to push it to our traders community.

ArtyomVasenin
newbie
Activity: 15
Merit: 0
My account hasn't been activated yet.
Dear C-Cex support, please activate it.

I am a trader, I make your money!

Artyom Vasenin Angry
newbie
Activity: 6
Merit: 0
My account is also deactivated and it is impossible to create a support ticket. Could I place a request here?