ICBIT Derivatives Market (USD/BTC futures trading) - LIVE - page 7.

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

There's conversation in another thread that is more appropriate here, so I'm quoting a part of it here for discussion.

Quote from: akwfleaspirit on July 10, 2013, 11:23:04 PM

when you are holding positions that compete with people who can create unlimited contracts and who can see the details of your positions, including available bitcoin.

Is it possible to run an exchange where the exchange operator would not have the ability to enter fabricated orders or to know the positions held in customer accounts?

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: Fireball on April 11, 2013, 06:12:03 PM

so withdrawal requests which would normally be processed are pending now (because otherwise they may not be able to sustain payout requirements of a BTC/USD-4.13 contract due to settle in a couple of days.

The amount displayed as being available for withdrawal shouldn't be a soft number. What conditions would cause a withdrawal request to hang as pending, and for how long would the duration be of that status on a withdrawal request?

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: Stephen Gornick on January 25, 2013, 04:57:37 PM

Feature request:

Ability for me to cause a new deposit address to be generated for my account.

Currently, the blockchain shows all my deposits to a single Bitcoin address that get credited to my wallet at ICBIT.

The whole concept of there being a new Bitcoin address for each transaction is so that privacy is maximized. Because the wallet is a hosted (shared) EWallet, the funds I deposit will likely be withdrawn by someone else, thus there are clues out there that the address is associated with ICBIT deposits and those addresses might get scrutinized further to try to determine the identity or other clues about who is the party responsible.

bump on this feature request.

myself

legendary

Activity: 938

Merit: 1000

chaos is fun...…damental :)

Quote from: Fireball on July 03, 2013, 05:05:09 PM

Quote from: myself on July 02, 2013, 05:59:31 AM

are you considering adding other instruments? synthetic index, options, warrants, turbo-warrants

Yes, if traders actually want to trade them. You can make a proposal.

a start can be something similar to dollar index

Fireball

hero member

Activity: 674

Merit: 500

Quote from: myself on July 02, 2013, 05:59:31 AM

are you considering adding other instruments? synthetic index, options, warrants, turbo-warrants

Yes, if traders actually want to trade them. You can make a proposal.

myself

legendary

Activity: 938

Merit: 1000

chaos is fun...…damental :)

are you considering adding other instruments? synthetic index, options, warrants, turbo-warrants

[Tycho]

hero member

Activity: 742

Merit: 500

Honestly, I don't actually think that altcoins and forks are important. Bitcoin is the power. The only potentially useful altcoin was NMC, but the project is dead now.

myself

legendary

Activity: 938

Merit: 1000

chaos is fun...…damental :)

Quote from: picobit on July 01, 2013, 10:46:01 AM

Settlement in BTC would be natural, as for all other ICBIT instruments.

if i have to chose i pick ltc

picobit

hero member

Activity: 547

Merit: 500

Decor in numeris

Quote from: myself on July 01, 2013, 05:21:15 AM

Quote from: ThePok on July 01, 2013, 04:27:14 AM

If ICBIT starts settlement in Litecoins, i leave Tongue

and for BTCLTC contracts how the settlements should be done ? settlements in fiat are problematic but LTC solve that problem

Settlement in BTC would be natural, as for all other ICBIT instruments.

myself

legendary

Activity: 938

Merit: 1000

chaos is fun...…damental :)

Quote from: ThePok on July 01, 2013, 04:27:14 AM

If ICBIT starts settlement in Litecoins, i leave Tongue

and for BTCLTC contracts how the settlements should be done ? settlements in fiat are problematic but LTC solve that problem

ThePok

full member

Activity: 131

Merit: 100

If ICBIT starts settlement in Litecoins, i leave Tongue

myself

legendary

Activity: 938

Merit: 1000

chaos is fun...…damental :)

Hey OP +Tycho did you guys considered LTC(BTCLTC) and doing the settlements in LTC and BTC ?

picobit

hero member

Activity: 547

Merit: 500

Decor in numeris

Quote from: Stephen Gornick on June 21, 2013, 11:06:33 AM

Quote from: Fireball on June 21, 2013, 08:45:07 AM

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password). Response: "Your code isn't valid."
Step 2: Click "Request new password" button.
Step 3: Login using single use login sent via e-mail
Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button.
Step 6: Withdraw funds using new TOTP secret from Google Authenticator

Of course the really difficult thing is to stop vulnerabilities like this, and still have a recovery path in case somebody loose their GA secret. I just to my horror realized that on an iPhone the GA secrets are backed up in a way that they can only be restored on the same device. Secure, but troublesome if I loose the device.

Fireball

hero member

Activity: 674

Merit: 500

Quote from: Stephen Gornick on June 21, 2013, 11:06:33 AM

Quote from: Fireball on June 21, 2013, 08:45:07 AM

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password). Response: "Your code isn't valid."
Step 2: Click "Request new password" button.
Step 3: Login using single use login sent via e-mail
Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button.
Step 6: Withdraw funds using new TOTP secret from Google Authenticator

Thanks a lot. We are in the process of fixing this by updating and improving the GA login code. I will publish results here ASAP.

qxzn

hero member

Activity: 609

Merit: 505

Quote from: Fireball on June 20, 2013, 04:33:37 AM

Quote from: qxzn on June 19, 2013, 10:59:29 PM

I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

Do you have Google Auth enabled for your account?

No.

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: Fireball on June 21, 2013, 08:45:07 AM

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password). Response: "Your code isn't valid."
Step 2: Click "Request new password" button.
Step 3: Login using single use login sent via e-mail
Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button.
Step 6: Withdraw funds using new TOTP secret from Google Authenticator

Fireball

hero member

Activity: 674

Merit: 500

Quote from: picobit on June 21, 2013, 06:40:26 AM

Quote from: Stephen Gornick on June 17, 2013, 08:44:35 PM

I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.

Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?

This is serious. That means that 2FA protection for withdrawal is nonexistent. I hope this bug get fixed soon, password reset should not reset 2FA, forgetting the password and loosing access to your phone are two different problems.

No, it's not.

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

picobit

hero member

Activity: 547

Merit: 500

Decor in numeris

Quote from: Stephen Gornick on June 17, 2013, 08:44:35 PM

I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.

Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?

This is serious. That means that 2FA protection for withdrawal is nonexistent. I hope this bug get fixed soon, password reset should not reset 2FA, forgetting the password and loosing access to your phone are two different problems.

Fireball

hero member

Activity: 674

Merit: 500

Quote from: qxzn on June 19, 2013, 10:59:29 PM

I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

Do you have Google Auth enabled for your account?

qxzn

hero member

Activity: 609

Merit: 505

I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

Topic: ICBIT Derivatives Market (USD/BTC futures trading) - LIVE - page 7. (Read 97654 times)