Next video will be for SQLi?
I`m waiting for proof.
Yes. Type of sqli: time-based(stacked queries) + dns exfiltration. Run, Forrest, run! I`m waiting for proof.
Please don't send private messages. No sale. I will continue to share from here.
Topic: Coinone Critical Vulnerabilities (Read 159 times)
Please don't send private messages. No sale. I will continue to share from here.
Next video will be for SQLi?
I`m waiting for proof.
I`m waiting for proof.
First Vulnerability;
CWE - CWE-601: URL Redirection to Untrusted Site
https://coinone.co.kr/language/?code=en&next=https://attacker.org
POC: https://www.youtube.com/watch?v=N74jnUVUccw
Next video will be for SQLi.(Within 24 hours)
CWE - CWE-601: URL Redirection to Untrusted Site
https://coinone.co.kr/language/?code=en&next=https://attacker.org
POC: https://www.youtube.com/watch?v=N74jnUVUccw
Next video will be for SQLi.(Within 24 hours)
Absolutely. I have worked with Poloniex before and Mr. Tristan sent 0.5 BTC for bug bounty.
But Coinone didn't fixed vulnerability... Passed to a month. Blackhat can hack many user accounts.
I will share the first vulnerability here within 24 hours. People have to get their own security. This is not a disclosure, it is purely good faith.
But Coinone didn't fixed vulnerability... Passed to a month. Blackhat can hack many user accounts.
I will share the first vulnerability here within 24 hours. People have to get their own security. This is not a disclosure, it is purely good faith.
Is this right?
Hello friends,
I am an ethical hacker. I found vulnerabilities on Coinone. I sent a report 2 months ago for the first vulnerability.
Response of Coinone (2 month ago);
Thank you for the contact. We have an internal bug bounty program, we’ll review your bug and arrange price. We have a rule for the price depending on the impact. Please send us your report.
Response of Coinone (1 month ago);
We have checking your mail with our own team and security partner.
So we need meeting our council and reward program.
Passed to a month... I wrote it 3 times for remind. Coinone doesn't answer, haven't fixed off vulnerability and they didn't send me a bug bounty.
So, I didn't tell them the second vulnerability(SQLi).
Your memberships aren't safe!
I am an ethical hacker. I found vulnerabilities on Coinone. I sent a report 2 months ago for the first vulnerability.
Response of Coinone (2 month ago);
Thank you for the contact. We have an internal bug bounty program, we’ll review your bug and arrange price. We have a rule for the price depending on the impact. Please send us your report.
Response of Coinone (1 month ago);
We have checking your mail with our own team and security partner.
So we need meeting our council and reward program.
Passed to a month... I wrote it 3 times for remind. Coinone doesn't answer, haven't fixed off vulnerability and they didn't send me a bug bounty.
So, I didn't tell them the second vulnerability(SQLi).
Your memberships aren't safe!
Jump to: