Topic: Dumb Question : If I found a security flaw with a major bitcoin company .. (Read 7384 times)

sr. member
Activity: 448
Merit: 251
Bitcoin
You did the right thing dude, now can we close this thread please?

kthx

yea i'm done with it.   
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
You did the right thing dude, now can we close this thread please?

kthx
sr. member
Activity: 448
Merit: 251
Bitcoin

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it,  show me that screenshot of where you found it because I'm willing to bet you found it on a scraper using the allintext operator.
Just go to page 2 of google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10
(how do you think google found "your" links vs how google found "my" links?)

=== The link in Google that you showed me didn't show any instawallet addresses,  however they did show a bunch of pastebin crap with instawallet URLs in there (including the one you displayed above), it's not the same thing,  not even close.    Those URLs didn't come from Instawallet in Google's index,  they came from pastebin


3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten me.
omfg - instawallet url = private key = "username + password". Give me your hotmail username and password and I can "hack hotmail"

=== In this case you're saying "I want your username and password"  instead I just want to google your e-mail address and automatically log into your account.  I don't want your username and password,  in your example google has the username and passwords included in the click-through URL.


hero member
Activity: 854
Merit: 500

There is 0.0005496 BTC in that wallet but the minimum to receive it is 0.01 BTC. That means that to get it someone has to transfer 0.0094504 BTC into it and immediately take everything out. However it's risky because someone else might take out everything while you are depositing.
newbie
Activity: 39
Merit: 0
1 -  freaking linking like that to someone's wallet ? seriously?
Someone decided to post it public (not me) and everyone (Google) can access this.
Also it's not even what I usually pay in transaction fee :lol: It's not like someone is going to miss these coins.

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it,  show me that screenshot of where you found it because I'm willing to bet you found it on a scraper using the allintext operator.
Just go to page 2 of google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10
(how do you think google found "your" links vs how google found "my" links?)

3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten me.
omfg - instawallet url = private key = "username + password". Give me your hotmail username and password and I can "hack hotmail"
sr. member
Activity: 448
Merit: 251
Bitcoin
it's better to robots.txt-disable it anyway.

I'm going to repeat here what I stated in the other thread.

Quote from: The Founder
Google's Definition of Robots.Txt file isn't what you guys think it is.

1. You guys all believe it's not a "do not list these directories and pages"  
2. Google's definition is "do not spider these directories and pages"

They are NOT the same definition.  Not even close.

If you saw the screenshots on the article listed on this thread,  you'd see immediately that it was not the robots.txt file.
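To make the "do not list" versus "do not spider" distinction quoted above concrete, here is an added example (written for this page, not code from Instawallet or from anyone in the thread): a toy crawler built on Python's stdlib robots.txt parser, run against a hypothetical host wallet.example with placeholder /w/<token> URLs that the crawler learned from external links. It shows that a Disallow: /w/ rule stops the page from being fetched but not from being listed, while an X-Robots-Tag: noindex header only takes effect if the crawler is still allowed to fetch the page.

```python
from urllib.robotparser import RobotFileParser
from typing import Dict, Set

# Hypothetical host standing in for any wallet service whose URL *is* the
# credential; the tokens below are placeholders, not real wallet identifiers.
ORIGIN = "https://wallet.example"

# Constructed sample: URLs a crawler learned from outside the site itself
# (a public paste, a link on another page, a sitemap, a toolbar submission).
EXTERNAL_LINKS: Set[str] = {
    f"{ORIGIN}/",
    f"{ORIGIN}/w/TOKEN_ONE_PLACEHOLDER",
    f"{ORIGIN}/w/TOKEN_TWO_PLACEHOLDER",
}

ROBOTS_OPEN = "User-agent: *\nAllow: /\n"
ROBOTS_DISALLOW_W = "User-agent: *\nDisallow: /w/\n"


def page_headers(path: str, noindex_wallets: bool) -> Dict[str, str]:
    """Headers the hypothetical site sends for `path` (assumed behaviour)."""
    if noindex_wallets and path.startswith("/w/"):
        return {"X-Robots-Tag": "noindex"}
    return {}


def crawl(robots_txt: str, noindex_wallets: bool) -> Dict[str, Set[str]]:
    """Model a well-behaved crawler that already knows EXTERNAL_LINKS.

    Returns:
      'fetched' - URLs whose content the crawler actually requested
      'listed'  - URLs that end up in the index (with or without content)
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    fetched: Set[str] = set()
    listed: Set[str] = set()
    for url in sorted(EXTERNAL_LINKS):
        path = url[len(ORIGIN):]
        if not rp.can_fetch("*", url):
            # robots.txt means "do not spider": the page is never requested,
            # so any noindex directive on it is never seen. The crawler still
            # knows the URL exists and may list it as a bare entry.
            listed.add(url)
            continue
        fetched.add(url)
        hdrs = page_headers(path, noindex_wallets)
        if hdrs.get("X-Robots-Tag", "").lower() != "noindex":
            listed.add(url)
    return {"fetched": fetched, "listed": listed}


def wallet_urls_listed(robots_txt: str, noindex_wallets: bool) -> int:
    """Count secret-bearing /w/ URLs that remain discoverable via search."""
    return sum(1 for u in crawl(robots_txt, noindex_wallets)["listed"] if "/w/" in u)


def compare_policies() -> Dict[str, int]:
    """Run the four policy combinations the thread argues about."""
    return {
        "no robots rule, no noindex": wallet_urls_listed(ROBOTS_OPEN, False),
        "Disallow: /w/, no noindex": wallet_urls_listed(ROBOTS_DISALLOW_W, False),
        "no robots rule, noindex": wallet_urls_listed(ROBOTS_OPEN, True),
        "Disallow: /w/, noindex": wallet_urls_listed(ROBOTS_DISALLOW_W, True),
    }


if __name__ == "__main__":
    for policy, count in compare_policies().items():
        print(f"{policy:30} -> {count} wallet URL(s) still listed")
    # Whatever the crawler policy, the URL stays a bearer secret that can leak
    # through pastes, Referer headers and browser history; robots.txt and
    # noindex narrow one discovery channel, they do not turn the URL into a
    # credential that can be rotated or revoked.
```

Note the last combination: adding Disallow: /w/ on top of a noindex header makes things worse, because the crawler is now forbidden from fetching the very page that carries the noindex instruction.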
full member
Activity: 203
Merit: 100
Quote
3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten all of us.

Urls showing up in google does not mean that it was instawallet that "leaked" them.
If there was some magical page on instawallet that listed all adresses then this "bug" of yours would not be about ~100BTC, but about much more. Thus, this simply is about google crawling some urls from people's browsers, toolbars, links on other websites, etc. Not a "bug" in instawallet per se, but sure, it's better to robots.txt-disable it anyway.
sr. member
Activity: 448
Merit: 251
Bitcoin
On the screenshot we can see that you just searched for "site:instawallet.org", this is something that has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT). Aka "Google hacking", "google dork", whatever it has nothing to do with hacking.

But simply asking google not to index or list items on your website, doesn't "fix" it because it has never been a security problem in instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and voilà, free bitcoins:

But no, I'm not blaming instawallet.

1 -  freaking linking like that to someone's wallet ? seriously?

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it,  show me that screenshot of where you found it because I'm willing to bet you found it on a scraper using the allintext operator.

3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten all of us.

newbie
Activity: 39
Merit: 0
On the screenshot we can see that you just searched for "site:instawallet.org", this is something that has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT). Aka "Google hacking", "google dork", whatever it has nothing to do with hacking.

But simply asking google not to index or list items on your website, doesn't "fix" it because it has never been a security problem in instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and voilà, free bitcoins:
https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g
https://i.imgur.com/aDx3rfO.png

But no, I'm not blaming instawallet.
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
Lol, this is not a security flaw in instawallet

If someone post their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc.

And I really don't hope you spend 6 hours telling them to add two lines to a txt file?

Of course not spending 6 hours telling them how to fix their robots.txt file.  

For some reason everyone keeps saying it was the robots.txt file,  it wasn't.   If you guys actually spent the time looking at the screenshots you would actually realize that it's not nor was it the robots.txt file.



Anyway, thanks for this responsible disclosure.
sr. member
Activity: 448
Merit: 251
Bitcoin
Lol, this is not a security flaw in instawallet

If someone post their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc.

And I really don't hope you spend 6 hours telling them to add two lines to a txt file?

Of course not spending 6 hours telling them how to fix their robots.txt file.  

For some reason everyone keeps saying it was the robots.txt file,  it wasn't.   If you guys actually spent the time looking at the screenshots you would actually realize that it's not nor was it the robots.txt file.

newbie
Activity: 39
Merit: 0
Lol, this is not a security flaw in instawallet

If someone post their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc.

And I really don't hope you spend 6 hours telling them to add two lines to a txt file?
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
legendary
Activity: 1540
Merit: 1049
Death to enemies!
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.

By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
I heard that Google sometimes crawls webpages that its users (Chrome) visit?  True/not true?
True. Also some antivirus and firewall companies do this. By now they have at least a dozen instawallet urls.
legendary
Activity: 1400
Merit: 1005
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.

By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
I heard that Google sometimes crawls webpages that its users (Chrome) visit?  True/not true?
member
Activity: 84
Merit: 10
By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
Or Instawallet could have included wallet URLs in its sitemap.
legendary
Activity: 952
Merit: 1000
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.

By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
legendary
Activity: 1400
Merit: 1005
Dear Instawallet,

Yesterday I discovered a security flaw with your site, I spent nearly 6 hours working with David Francois Chief Technology Officer at Paymium

The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656

Davout... don't you think this guy deserves some BTC for his work?

EDIT:  Also, Google is still spitting out one wallet to me:  https://instawallet.org/r/aHR0cHM6Ly9pbnN0YXdhbGxldC5vcmc=
sr. member
Activity: 448
Merit: 251
Bitcoin
Dear Instawallet,

Yesterday I discovered a security flaw with your site, I spent nearly 6 hours working with David Francois Chief Technology Officer at Paymium

The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656
sr. member
Activity: 351
Merit: 250

I tried exactly this once with a popular social media site half a decade ago, and they pretended to be thankful for finding the glaring security holes and kept asking me for more help and even asked for me to write up some security suggestions for them. They even offered me points on their website for a reward and such, and because I accepted, they tried to later say that I had blackmailed them. Turns out, they were trying to collect information to post about me and brand me as a "blackmailer hacker". They even recorded our phone calls (which was illegal in their state and thus they didn't use it). The employees who did this were subsequently fired of course by the corporate owners who took over the company and brought in an entirely new management group that I became friends with.

Moral of the story? There isn't one. Some people are dicks and you have to do what you do and deal with it as it comes.

The duplicity of security standards annoys me. I have no way of knowing if the bank doors are locked at night. Shouldn't I be allowed to check?

If I try and test to see if the bank doors are locked and someone sees me I might get arrested. If no one sees me and I tell the bank, "hey your doors aren't locked!" I will go down hard and there are no repercussions for the bank.

What a strange world we've created...
legendary
Activity: 1540
Merit: 1049
Death to enemies!
What was the exploit? Bitcoind available for everyone without password?
full member
Activity: 196
Merit: 100
Another block in the wall
Can we say names or...?

The OP's 8 hour timeline seems to coincide with the announced resolved from said company.

uk1
copper member
Activity: 546
Merit: 500
hero member
Activity: 560
Merit: 500
Can we say names or...?
full member
Activity: 196
Merit: 100
Another block in the wall
100 coin max exploit? It's obvious who the company is then. 

Yep.

Should be fixed soon.
legendary
Activity: 1540
Merit: 1049
Death to enemies!
100 coin max exploit? It's obvious who the company is then. 
BFL ?
full member
Activity: 160
Merit: 100
100 coin max exploit? It's obvious who the company is then. 
sr. member
Activity: 448
Merit: 251
Bitcoin
I once worked for a guy who said "Do the right thing" pretty often.
He ended up ripping me off.


just remember this.

NO GOOD DEED GOES UNPUNISHED

watch your back.

The OP is right to be an honest person.
just remember this:
You get what you deserve.

I don't think many here understand what I meant.
So he pokes around and finds a bug (felony already).
He discloses info to the web site. (nice guy).
Website fixes bug but the CEO is pissed anyway and files police report (it happens).
Good guy OP gets arrested for trying to do a good deed.


I seriously hope that is not the outcome,  I protected the identity (and will continue until the bug is fixed)  and the poking around was purely an accident... which led me to believe that this was an idiot level mistake.

The owner is on it,  and confirmed the exploit.


legendary
Activity: 2072
Merit: 1001
I once worked for a guy who said "Do the right thing" pretty often.
He ended up ripping me off.


just remember this.

NO GOOD DEED GOES UNPUNISHED

watch your back.

The OP is right to be an honest person.
just remember this:
You get what you deserve.

I don't think many here understand what I meant.
So he pokes around and finds a bug (felony already).
He discloses info to the web site. (nice guy).
Website fixes bug but the CEO is pissed anyway and files police report (it happens).
Good guy OP gets arrested for trying to do a good deed.
legendary
Activity: 1540
Merit: 1049
Death to enemies!
When you are old, sitting alone next to a crappy computer, you will remember this possibility of getting 100 coins worth about 8 million. Life is not fair and never will be, get used to it and act!
sr. member
Activity: 448
Merit: 251
Bitcoin
I promise you that I will.

legendary
Activity: 966
Merit: 1004
Keep it real
ok I gave them exactly how to duplicate the flaw.

I also showed them how to correct it.

After it's been corrected could you explain what the flaw was and who it was with?
sr. member
Activity: 448
Merit: 251
Bitcoin
ok I gave them exactly how to duplicate the flaw.

I also showed them how to correct it.

legendary
Activity: 1540
Merit: 1049
Death to enemies!
THEY RESPONDED

Text of the response: F**k off! There is no exploit. Thanks for ass king!
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Send them an email, tell them that you will take the coins so they are safe and no one else steal them (if someone else steal the coins, you'll be on the hook for it since you contacted them)
Grab the coins and email them and telling them you did it to prevent a not so honest person do the same..

I'm sure when they see the issue, they'll understand.


What about taking the coins then sending them to a known address of the company or company's owner. That might work.

Sure, whatever, but if the coins are left there in the open, someone else might find that flaw and actually steal the coins.
I'd grab them and send them to an address and then simply give them the private key once they acknowledge how stupid they are.
They better reward you or at least offer you a reward even if you choose not to accept it!


I tried exactly this once with a popular social media site half a decade ago, and they pretended to be thankful for finding the glaring security holes and kept asking me for more help and even asked for me to write up some security suggestions for them. They even offered me points on their website for a reward and such, and because I accepted, they tried to later say that I had blackmailed them. Turns out, they were trying to collect information to post about me and brand me as a "blackmailer hacker". They even recorded our phone calls (which was illegal in their state and thus they didn't use it). The employees who did this were subsequently fired of course by the corporate owners who took over the company and brought in an entirely new management group that I became friends with.

Moral of the story? There isn't one. Some people are dicks and you have to do what you do and deal with it as it comes.
legendary
Activity: 1330
Merit: 1000
Bitcoin
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
sr. member
Activity: 448
Merit: 251
Bitcoin
sr. member
Activity: 273
Merit: 250
Do not publish the bug. And do not exploit it. Keep trying to reach them. Usually it takes some time for your email to reach the right person within the company. Do not rush and do not take any action to be blamed about in the future.
legendary
Activity: 1036
Merit: 1000
The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Send them an email, tell them that you will take the coins so they are safe and no one else steal them (if someone else steal the coins, you'll be on the hook for it since you contacted them)
Grab the coins and email them and telling them you did it to prevent a not so honest person do the same..

I'm sure when they see the issue, they'll understand.

Like noticing someone dropped their wallet, picking it up and handing it back to them?
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
...
Sounds like it's not a major bitcoin company...

Seems so...

legendary
Activity: 1540
Merit: 1049
Death to enemies!
I remember one guy who discovered flaw in university system, notified about it the responsible persons and got kicked out afterwards. If he would not be such white knight on donkey and instead anonymously vandalized the database and then leaked it on piratebay, no one would know who did it.

It really was bad idea to contact the owners about exploit.
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Send them an email, tell them that you will take the coins so they are safe and no one else steal them (if someone else steal the coins, you'll be on the hook for it since you contacted them)
Grab the coins and email them and telling them you did it to prevent a not so honest person do the same..

I'm sure when they see the issue, they'll understand.


What about taking the coins then sending them to a known address of the company or company's owner. That might work.
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

If the flaw is truly boneheaded, disclosing the name might be risky.

How does a bitcoin business manage to amass hundreds of coins with an obvious flaw in their system? Does not compute!

@the founder disclose the name please, or PM a bitcointalk staff member that can assist you further.
sr. member
Activity: 448
Merit: 251
Bitcoin
Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
One thing is exploiting flaws in computer systems, another thing is exploiting social trust of people. I never exploited trading or other forms of commerce where some degree of trust is essential. In long run it will make some forms of e-trade impossible and will hurt my goals in long term. Contrary exploiting flaws in computer security improves overall security in long term. Without such activities internet would be insecure, censored and boring place. But I used social engineering to get payload into losers computers or phish passwords. But this is more technical than exploiting pure trust. Everyone with slight knowledge will notice wrong URL or different checksums.

I will give OP idea - if trying to crash market, announce here that it is MtGox and post receiving address here and say you will transfer there n amount of coins from MtGox. Then transfer coins from your MtGox account to the address afterwards. No exploit involved but many would believe in that and start sell sell sell

IT'S NOT THAT BIG OF A FLAW TO CRASH ANY MARKET! 

It's a major bitcoin company... but the exploit isn't freaking stealing their whole wallet, just some people that utilize it.



legendary
Activity: 966
Merit: 1004
Keep it real
The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Hmm.. Not responding to emails, only holds a hundred coins... sounds like a bitgem ripoff site or gambling site to me.

Sounds like it's not a major bitcoin company...
legendary
Activity: 1540
Merit: 1049
Death to enemies!
Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
One thing is exploiting flaws in computer systems, another thing is exploiting social trust of people. I never exploited trading or other forms of commerce where some degree of trust is essential. In long run it will make some forms of e-trade impossible and will hurt my goals in long term. Contrary exploiting flaws in computer security improves overall security in long term. Without such activities internet would be insecure, censored and boring place. But I used social engineering to get payload into losers computers or phish passwords. But this is more technical than exploiting pure trust. Everyone with slight knowledge will notice wrong URL or different checksums.

I will give OP idea - if trying to crash market, announce here that it is MtGox and post receiving address here and say you will transfer there n amount of coins from MtGox. Then transfer coins from your MtGox account to the address afterwards. No exploit involved but many would believe in that and start sell sell sell
sr. member
Activity: 448
Merit: 251
Bitcoin
The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Hmm.. Not responding to emails, only holds a hundred coins... sounds like a bitgem ripoff site or gambling site to me.

Trust me it's a widely used service,  but the exploit only shows a limited number of coins...  there's an easy fix to this.   

This is not a problem that would destabilize bitcoin... it's the type of flaw that could get media writing though.. which is what I am trying to prevent.

Bitcoin has a 850 million dollar economy,  we're talking about at most a few thousand dollars worth of exploit...  it's something that should be fixed... but it's not something crazy like millions of dollars.

hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Hmm.. Not responding to emails, only holds a hundred coins... sounds like a bitgem ripoff site or gambling site to me.
sr. member
Activity: 448
Merit: 251
Bitcoin
The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands
full member
Activity: 182
Merit: 100
If they keep ignoring you there is only one way: give them an ultimatum.

Tell them to fix the problem within a set time frame; if they don't respond or fix the problem you will share the info with the public. Put this ultimatum up in a public place, name them and wait for a response ...

If they don't fix it or ignore you, disclose the info. If they sue, you have the right to inform people about possible threats to their well-being (unless you had to break into their systems to get the info).

Speaking from experience it usually doesn't get that far
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

If the flaw is truly boneheaded, disclosing the name might be risky.

Indeed.

1.  I will not steal or publish the results.   

I had a few hundred coins stolen from me 2 years ago,  at today's prices it would be $20,946.88
I do not wish that to happen to anyone ever.

2.  I attempted for a second time to inform the company,  no response yet.  When it comes in I will let you guys know what I found and how the exploit happened... that's after giving the owners time to correct the problem.

I got blasted via private message on bitcointalk for not publishing the exploit and stealing coins.

I hope that a few years from now if I was on the other side of the table people would handle it like this rather than freaking stealing coins.   If people were Honourable they would reward this type of behaviour rather than sending private messages like that... 

Remember a few years back I called you because your site dropped off the internet and i wanted to see if you were okay?

Well, now I know. You're okay.
legendary
Activity: 1615
Merit: 1000
There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

If the flaw is truly boneheaded, disclosing the name might be risky.
hero member
Activity: 910
Merit: 1000
Items flashing here available at btctrinkets.com
Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
I also felt the urge to give that ignore button a go, despicable.
legendary
Activity: 1400
Merit: 1005
Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
No Reply to the first or second attempt. 

There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.
legendary
Activity: 1330
Merit: 1000
Bitcoin
Send me all their coins?
legendary
Activity: 966
Merit: 1004
Keep it real
You are either an attention whore trying to cause a bubble burst and there is no exploit

or

You are so rich that you don't care about money or reward for your unique skills.

I'm guessing option #1, this combine with someone else trying to cause a panic makes more sense than either post does alone.
legendary
Activity: 1540
Merit: 1049
Death to enemies!
You are either an attention whore trying to cause a bubble burst and there is no exploit

or

You are so rich that you don't care about money or reward for your unique skills.
sr. member
Activity: 448
Merit: 251
Bitcoin
No Reply to the first or second attempt. 

hero member
Activity: 927
Merit: 1000
฿itcoin ฿itcoin ฿itcoin
1.  I will not steal or publish the results.   

I had a few hundred coins stolen from me 2 years ago,  at today's prices it would be $20,946.88
I do not wish that to happen to anyone ever.

2.  I attempted for a second time to inform the company,  no response yet.  When it comes in I will let you guys know what I found and how the exploit happened... that's after giving the owners time to correct the problem.

I got blasted via private message on bitcointalk for not publishing the exploit and stealing coins.

I hope that a few years from now if I was on the other side of the table people would handle it like this rather than freaking stealing coins.   If people were Honourable they would reward this type of behaviour rather than sending private messages like that... 
Good for you man! This is what we need, more genuine and honest people like yourself around here.
If you found a flaw in one of my sites I would be sure to buy you a beer or two at the very least!
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
I once worked for a guy who said "Do the right thing" pretty often.
He ended up ripping me off.


just remember this.

NO GOOD DEED GOES UNPUNISHED

watch your back.

The OP is right to be an honest person.
just remember this:
You get what you deserve.
sr. member
Activity: 448
Merit: 251
Bitcoin
whoever just tipped me .035 thank you!

legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
...If people were Honourable they would reward this type of behaviour rather than sending private messages like that... 


Thank you for setting a good example.
legendary
Activity: 2072
Merit: 1001
1.  I will not steal or publish the results.   

I had a few hundred coins stolen from me 2 years ago,  at today's prices it would be $20,946.88
I do not wish that to happen to anyone ever.

2.  I attempted for a second time to inform the company,  no response yet.  When it comes in I will let you guys know what I found and how the exploit happened... that's after giving the owners time to correct the problem.

I got blasted via private message on bitcointalk for not publishing the exploit and stealing coins.

I hope that a few years from now, if I was on the other side of the table, people would handle it like this rather than freaking stealing coins. If people were honourable they would reward this type of behaviour rather than sending private messages like that...

just remember this.

NO GOOD DEED GOES UNPUNISHED

watch your back.
sr. member
Activity: 448
Merit: 251
Bitcoin
1.  I will not steal or publish the results.   

I had a few hundred coins stolen from me 2 years ago,  at today's prices it would be $20,946.88
I do not wish that to happen to anyone ever.

2.  I attempted for a second time to inform the company,  no response yet.  When it comes in I will let you guys know what I found and how the exploit happened... that's after giving the owners time to correct the problem.

I got blasted via private message on bitcointalk for not publishing the exploit and stealing coins.

I hope that a few years from now, if I was on the other side of the table, people would handle it like this rather than freaking stealing coins. If people were honourable they would reward this type of behaviour rather than sending private messages like that...

legendary
Activity: 1227
Merit: 1000
I found a security flaw which allowed a thief to steal bitcoins from a company.
I contacted them and they don't reply. What should I do?
I want to see the security issue resolved,  and the company in question is not responding to me.

The security flaw is so stupid that it most likely got overlooked.



Take 100 BTC to prove it. Make it public. Return the coins when you get an apology and a thank you.



Seriously, if I was in charge of that co. I would be desperate to be the first to know about potential flaws and would offer a sizeable bounty for anybody that pointed them out (with proof).
legendary
Activity: 3598
Merit: 2386
Viva Ut Vivas
Is it the MtGox one where you can put anyone else's public Bitcoin address in the url and automatically get all of their bitcoins?
Please tell me this is a joke.
member
Activity: 84
Merit: 10
Is it the MtGox one where you can put anyone else's public Bitcoin address in the url and automatically get all of their bitcoins?
Please tell me this is a joke.
legendary
Activity: 3598
Merit: 2386
Viva Ut Vivas
Is it the MtGox one where you can put anyone else's public Bitcoin address in the url and automatically get all of their bitcoins?
legendary
Activity: 1540
Merit: 1049
Death to enemies!
Fuck the law, if you live in another country just grab the damn coins!
sr. member
Activity: 451
Merit: 250
Making the flaw public will be the fastest way of getting it fixed.

This also invites a lawsuit.
legendary
Activity: 2618
Merit: 1007
Well, if you're a customer there you might not want them to be robbed from the outside...?!

You could transfer a nontrivial but also not business-threatening amount of BTC to one of your addresses (maybe announce that here? On the other hand it might be easy to know which business has this flaw via network analysis) and then immediately send them back - that should hopefully trigger some alerts...
sr. member
Activity: 451
Merit: 250
I found a security flaw which allowed a thief to steal bitcoins from a company.
I contacted them and they don't reply. What should I do?
I want to see the security issue resolved,  and the company in question is not responding to me.

The security flaw is so stupid that it most likely got overlooked.



Don't steal the coins. You will be criminally liable for that even if you intend to return them and even if you do return them. In fact, returning them becomes evidence against you.

Just try again.
rme
hero member
Activity: 756
Merit: 504
Making the flaw public will be the fastest way of getting it fixed.
sr. member
Activity: 448
Merit: 251
Bitcoin
THEY RESPONDED

I found a security flaw which allowed a thief to steal bitcoins from a company.
I contacted them and they don't reply. What should I do?
I want to see the security issue resolved,  and the company in question is not responding to me.

The security flaw is so stupid that it most likely got overlooked.

EDIT: We're talking a minor exploit that at most can yield 100 coins or so. Not thousands, not millions, just 100 or so bitcoins.

It's not going to destabilize bitcoin, or affect prices to any large extent. It's a single company that has a minor problem and that hasn't contacted me back yet.

That's the extent of this flaw. I asked for advice not because I wanted to freaking start a panic; it's just how to get a company to respond.

100 BTC at max.... that's it.. nothing more.