Topic: Huge security flaw being exploited at Cryptothrift.com? (Read 736 times)

hero member
Activity: 820
Merit: 1000
Just to close this matter, we had an internal problem releasing the funds from escrow to this particular seller, so we manually sent his bitcoins from a different account. To balance this out and close off the order, we used the refund feature to refund our own wallet out of our escrow account. It wasn't the prettiest solution but it was the simplest at the time. The seller received his funds as well as an explanation of what we had done (minutes after he emailed the buyer). The buyer (OP) also received an email explanation and is satisfied with the solution.

OP, I would appreciate it if you could post a reply to this to confirm that this was the action we took and that nothing negative occurred here.  I would also appreciate it if you could update the thread title - it's not particularly nice to have posts titled "Huge security flaw being exploited" relating to our site which are totally unjust.

Many thanks

Paul
(CTO CryptoThrift)
hero member
Activity: 882
Merit: 1000
Exhausted
You should send them a support ticket to inform them about the problem.
https://cryptothrift.zendesk.com/hc/en-us/requests/new
full member
Activity: 666
Merit: 108
I experienced something today on Cryptothrift that leads me to believe there is someone exploiting a security flaw on their website. Yesterday I made a purchase on the site--I sent the seller .2 btc. It went into the escrow system no problem. I later released the escrow to the seller. Today I received a message stating my escrow was refunded. I checked my wallet, lo and behold I never received anything. The refund that Cryptothrift sent was directed to a bitcoin address that I never used before.

I just received an angry letter from the seller asking why I had refunded the escrow. I didn't even initiate the refund request and I didn't even receive it. Does anyone think that there is someone exploiting a vulnerability and activating and re-directing escrow refunds to their own bitcoin address? If so then this is a very serious issue.