Pages:
Author

Topic: PicoStocks, bitcoin stock exchange - page 3. (Read 28450 times)

full member
Activity: 155
Merit: 100
September 06, 2013, 08:49:54 AM
#70
donator
Activity: 1731
Merit: 1008
September 02, 2013, 09:07:20 PM
#69
down for now 3 days
hero member
Activity: 756
Merit: 522
July 25, 2013, 05:44:33 PM
#68
I hold your stocks.And I love your website too.

I want to create a btc  stocks platform.

Then can you give me a clone?I can give you dollar or btc for exchange.

Else,can you give me  a low lever versions?

Else ,can you give me some  suggests?

I come from china , and here the market is large .

Welcome to china .

Poor guy.
newbie
Activity: 7
Merit: 0
July 25, 2013, 08:58:18 AM
#67
Is there any way to find password? I think I lost it...
full member
Activity: 229
Merit: 100
July 10, 2013, 05:24:45 AM
#66
I hold your stocks.And I love your website too.

I want to create a btc  stocks platform.

Then can you give me a clone?I can give you dollar or btc for exchange.

Else,can you give me  a low lever versions?

Else ,can you give me some  suggests?

I come from china , and here the market is large .

Welcome to china .
full member
Activity: 141
Merit: 100
July 03, 2013, 01:37:51 PM
#65
Guess so, since I definitely need a screen shot of the PicoStocks site pointing the link out for me to find it.
hero member
Activity: 756
Merit: 522
July 03, 2013, 01:30:48 PM
#64
Still can't find the overview through the hyperlink structure on the PicoStocks site (my compliments for the clean graphical design).

Are you mentally retarded (but my compliments for the well thought out post that makes sense and is not self-contradictory or anything)?
full member
Activity: 141
Merit: 100
July 03, 2013, 07:55:58 AM
#63
Nice and clean. Tnx.

My conclusions as I expected: floating assets is the core business for now and a while to come. The main shareholder(s) of PicoStocks seems paying for hosting & development I assume? Wait, I'll go reread the business plan.

Still can't find the overview through the hyperlink structure on the PicoStocks site (my compliments for the clean graphical design).
full member
Activity: 141
Merit: 100
July 03, 2013, 05:34:59 AM
#62
Could you also do any reporting of some simple key figures on PicoStocks?

Just some like:
- total trade volume on PicoStocks for the last month
- gross revenue
- total of costs
- short balance with PicoStocks' assets (cash on hand & total (im)material assets) with the liabilities on the other hand (equity, upcoming dividend payment & total of other debt)

In total 8 figures of which any venture should have at least 6 at hand, at least tentatively.
full member
Activity: 141
Merit: 100
July 02, 2013, 08:20:15 AM
#61
What's witholding the automatic payout of PicoStocks dividends? Transaction volume due to the compromised accounts in June.
sr. member
Activity: 250
Merit: 250
June 13, 2013, 09:20:20 AM
#60
Yes, if You click on the login info before redirection something strange happens and the session is lost. I will look at this today or tomorrow. I am too busy with the 100th chips order to move forward with the server as fast as I wanted :-(
hero member
Activity: 631
Merit: 500
June 12, 2013, 11:34:59 PM
#59
i think there is a slight bug with the login. i've had to login twice the last few times i've accessed the site.
sr. member
Activity: 250
Merit: 250
June 11, 2013, 03:43:08 PM
#58
We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.

Consider also sending confirmation links for doing these things via e-mail / SMS.

Yes. We will add mandatory email confirmation and probably withdraw confirmations but confirming each trade by email is not convenient.
The page is up again. Proteon assets are restored.
I will continue adding security / notifications tomorrow.

Sorry for the inconvenience !!!
newbie
Activity: 26
Merit: 0
June 11, 2013, 10:52:28 AM
#57
We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.

Consider also sending confirmation links for doing these things via e-mail / SMS.
hero member
Activity: 756
Merit: 522
June 11, 2013, 07:19:59 AM
#56
wow. was there actually that much liquidity?

Nope, not even close. Tytus just likes to tell stories about imaginary bazillions.
sr. member
Activity: 250
Merit: 250
June 11, 2013, 01:45:38 AM
#55
ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?
In this place only the password, but after that other things as well except the btc accounts.
this bit of code:
$this->Recipe->save($this->request->data);

looks awfully scary
...if it happens in one place, it's likely to happen in other parts of the code.
Yes
...if it happens in one place, it's likely to happen in other parts of the code.
We have reviewed the whole code. This was the only place where this construct was used.
i'm not an expert with cake, but i do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
The code was like this:
$this->User->id=$this->Auth->user('id');
if ($this->User->save($this->data,array('fieldList'=>array('pass','pass2')))) ...
Only 2 elements should be saved, but apparently data[User][id] overwrites User->id.
We try to limit application of 3rd part software to a minimum.

We will add more security by notifying the user via email of any changes to the account, withdraw attempts and many other things that happen on the system.
Modifications will freeze the account for some period of time so that the user can react.
The admin will be also notified of strange trading orders.
hero member
Activity: 631
Merit: 500
June 10, 2013, 08:53:25 PM
#54
We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
this does not work properly as Recipe->id is overwritten by data;
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.

ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?

this bit of code:
$this->Recipe->save($this->request->data);

looks awfully scary...if it happens in one place, it's likely to happen in other parts of the code. i'm not an expert with cake, but i do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
sr. member
Activity: 250
Merit: 250
June 10, 2013, 07:16:19 PM
#53
We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
this does not work properly as Recipe->id is overwritten by data;
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.
hero member
Activity: 756
Merit: 522
June 10, 2013, 06:18:31 PM
#52
PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

The plot thickens.

Looking forward to seeing which will be the third completely imaginary, multi-million dollar mining "investment" this guy makes, after having lost that much on bASIC and seeing how BitFury isn't going to be delivering (or at least, not on the originally promised schedule).
member
Activity: 84
Merit: 10
June 10, 2013, 04:30:28 PM
#51
$145k heist with no repercussions.  Amazing and sad world we live in.
Pages:
Jump to: