
Topic: Coinone Critical Vulnerabilities (Read 169 times)

newbie
Activity: 9
Merit: 0
January 23, 2018, 05:11:33 AM
#6
Next video will be for SQLi?

I'm waiting for proof.
Yes. Type of SQLi: time-based (stacked queries) + DNS exfiltration. Run, Forrest, run!
Please don't send private messages. No sale. I will continue to share from here.
member
Activity: 93
Merit: 10
January 22, 2018, 11:00:02 PM
#5
Next video will be for SQLi?

I'm waiting for proof.
newbie
Activity: 9
Merit: 0
January 22, 2018, 05:05:28 PM
#4
First Vulnerability;
CWE - CWE-601: URL Redirection to Untrusted Site
https://coinone.co.kr/language/?code=en&next=https://attacker.org
POC: https://www.youtube.com/watch?v=N74jnUVUccw

Next video will be for SQLi. (Within 24 hours)
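
A server-side check for a `next` redirect parameter like the one in the post above, shown as an added example that is not part of the thread and is not Coinone's code. The function name `safe_next`, the allow-list and the fallback path are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the single host the site may redirect to,
# and the path used when the supplied target is rejected.
ALLOWED_HOSTS = frozenset({"coinone.co.kr"})
FALLBACK = "/"


def safe_next(next_url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return next_url only if following it keeps the user on-site."""
    if not next_url:
        return fallback
    # Browsers drop tabs/newlines and treat "\" as "/", so "/\host" or
    # "/<TAB>/host" can become "//host". Reject instead of normalising.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F or c == "\\" for c in next_url):
        return fallback
    try:
        parts = urlsplit(next_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept rooted paths, never "//host/...".
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return fallback
    # Absolute URL: https only, exact host match, no userinfo tricks
    # such as "https://coinone.co.kr@other.example/".
    if (parts.scheme == "https" and parts.hostname in allowed_hosts
            and parts.username is None and parts.password is None):
        return next_url
    return fallback


if __name__ == "__main__":
    # Constructed inputs; the first is the value from the post above.
    for candidate in [
        "https://attacker.org",
        "//attacker.org",
        "/\\attacker.org",
        "https:attacker.org",
        "https://coinone.co.kr@attacker.org/",
        "https://coinone.co.kr.attacker.org/",
        "/balance?tab=krw",
        "https://coinone.co.kr/balance",
    ]:
        print(f"{candidate!r:45} -> {safe_next(candidate)!r}")
```
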
newbie
Activity: 9
Merit: 0
January 12, 2018, 06:27:28 PM
#3
Absolutely. I have worked with Poloniex before and Mr. Tristan sent 0.5 BTC for bug bounty.
But Coinone didn't fix the vulnerability... A month has passed. A blackhat can hack many user accounts.
I will share the first vulnerability here within 24 hours. People have to get their own security. This is not a disclosure, it is purely good faith.
member
Activity: 93
Merit: 10
January 11, 2018, 09:34:04 PM
#2
Is this right?
newbie
Activity: 9
Merit: 0
January 11, 2018, 06:19:32 AM
#1
Hello friends,

I am an ethical hacker. I found vulnerabilities on Coinone. I sent a report 2 months ago for the first vulnerability.

Response of Coinone (2 months ago):
Thank you for the contact. We have an internal bug bounty program, we’ll review your bug and arrange price. We have a rule for the price depending on the impact. Please send us your report.

Response of Coinone (1 month ago):
We have checking your mail with our own team and security partner.
So we need meeting our council and reward program.


A month has passed... I wrote 3 times to remind them. Coinone doesn't answer, hasn't fixed the vulnerability and didn't send me a bug bounty.
So, I didn't tell them about the second vulnerability (SQLi).

Your memberships aren't safe!