Topic: PicoStocks, bitcoin stock exchange - page 3. (Read 28387 times)

full member
Activity: 155
Merit: 100
September 06, 2013, 09:49:54 AM
#70
donator
Activity: 1731
Merit: 1008
September 02, 2013, 10:07:20 PM
#69
down for now 3 days
hero member
Activity: 756
Merit: 522
July 25, 2013, 06:44:33 PM
#68
I hold your stocks. And I love your website too.

I want to create a btc stocks platform.

Then can you give me a clone? I can give you dollars or btc in exchange.

Else, can you give me a low level version?

Else, can you give me some suggestions?

I come from China, and here the market is large.

Welcome to China.

Poor guy.
newbie
Activity: 7
Merit: 0
July 25, 2013, 09:58:18 AM
#67
Is there any way to find password? I think I lost it...
full member
Activity: 229
Merit: 100
July 10, 2013, 06:24:45 AM
#66
I hold your stocks. And I love your website too.

I want to create a btc stocks platform.

Then can you give me a clone? I can give you dollars or btc in exchange.

Else, can you give me a low level version?

Else, can you give me some suggestions?

I come from China, and here the market is large.

Welcome to China.
full member
Activity: 141
Merit: 100
July 03, 2013, 02:37:51 PM
#65
Guess so, since I definitely need a screen shot of the PicoStocks site pointing the link out for me to find it.
hero member
Activity: 756
Merit: 522
July 03, 2013, 02:30:48 PM
#64
Still can't find the overview through the hyperlink structure on the PicoStocks site (my compliments for the clean graphical design).

Are you mentally retarded (but my compliments for the well thought out post that makes sense and is not self-contradictory or anything)?
full member
Activity: 141
Merit: 100
July 03, 2013, 08:55:58 AM
#63
Nice and clean. Tnx.

My conclusions, as I expected: floating assets is the core business for now and a while to come. The main shareholder(s) of PicoStocks seem to be paying for hosting & development, I assume? Wait, I'll go reread the business plan.

Still can't find the overview through the hyperlink structure on the PicoStocks site (my compliments for the clean graphical design).
full member
Activity: 141
Merit: 100
July 03, 2013, 06:34:59 AM
#62
Could you also do any reporting of some simple key figures on PicoStocks?

Just some like:
- total trade volume on PicoStocks for the last month
- gross revenue
- total of costs
- short balance with PicoStocks' assets (cash on hand & total (im)material assets) with the liabilities on the other hand (equity, upcoming dividend payment & total of other debt)

In total 8 figures of which any venture should have at least 6 at hand, at least tentatively.
full member
Activity: 141
Merit: 100
July 02, 2013, 09:20:15 AM
#61
What's withholding the automatic payout of PicoStocks dividends? Transaction volume due to the compromised accounts in June.
sr. member
Activity: 250
Merit: 250
June 13, 2013, 10:20:20 AM
#60
Yes, if you click on the login info before redirection something strange happens and the session is lost. I will look at this today or tomorrow. I am too busy with the 100th chips order to move forward with the server as fast as I wanted :-(
hero member
Activity: 631
Merit: 500
June 13, 2013, 12:34:59 AM
#59
I think there is a slight bug with the login. I've had to log in twice the last few times I've accessed the site.
sr. member
Activity: 250
Merit: 250
June 11, 2013, 04:43:08 PM
#58
We will add more security by notifying the user via email of any changes to the account, withdrawal attempts and many other things that happen on the system.

Consider also sending confirmation links for doing these things via e-mail / SMS.

Yes. We will add mandatory email confirmation and probably withdrawal confirmations, but confirming each trade by email is not convenient.
The page is up again. Proteon assets are restored.
I will continue adding security / notifications tomorrow.

Sorry for the inconvenience!!!
newbie
Activity: 26
Merit: 0
June 11, 2013, 11:52:28 AM
#57
We will add more security by notifying the user via email of any changes to the account, withdrawal attempts and many other things that happen on the system.

Consider also sending confirmation links for doing these things via e-mail / SMS.
hero member
Activity: 756
Merit: 522
June 11, 2013, 08:19:59 AM
#56
Wow. Was there actually that much liquidity?

Nope, not even close. Tytus just likes to tell stories about imaginary bazillions.
sr. member
Activity: 250
Merit: 250
June 11, 2013, 02:45:38 AM
#55
Ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?
In this place only the password, but after that other things as well, except the btc accounts.
this bit of code:
$this->Recipe->save($this->request->data);

looks awfully scary
...if it happens in one place, it's likely to happen in other parts of the code.
Yes
...if it happens in one place, it's likely to happen in other parts of the code.
We have reviewed the whole code. This was the only place where this construct was used.
I'm not an expert with Cake, but I do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
The code was like this:
$this->User->id=$this->Auth->user('id');
if ($this->User->save($this->data,array('fieldList'=>array('pass','pass2')))) ...
Only 2 elements should be saved, but apparently data[User][id] overwrites User->id.
We try to limit application of 3rd party software to a minimum.

We will add more security by notifying the user via email of any changes to the account, withdrawal attempts and many other things that happen on the system.
Modifications will freeze the account for some period of time so that the user can react.
The admin will be also notified of strange trading orders.
hero member
Activity: 631
Merit: 500
June 10, 2013, 09:53:25 PM
#54
We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
This does not work properly, as Recipe->id is overwritten by data.
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.

Ugh, so a user/attacker that POSTs a request with an "id" parameter is able to overwrite another user's data?

this bit of code:
$this->Recipe->save($this->request->data);

looks awfully scary... if it happens in one place, it's likely to happen in other parts of the code. I'm not an expert with Cake, but I do know it does a lot of automagical things, so passing a user controlled data structure (request->data) to a magical DB storage method just feels wrong.
sr. member
Activity: 250
Merit: 250
June 10, 2013, 08:16:19 PM
#53
We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
This does not work properly, as Recipe->id is overwritten by data.
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack: https://mullvad.net/en/about.php ... we have notified the owners.

Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.
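The following plain-PHP script is an added example, not code from PicoStocks or from CakePHP, that models the defect described in posts #55 and #53: a save() call that takes the record id from the client-supplied data[User][id] before applying the fieldList whitelist, so the whitelist limits which columns are written but not which row is updated. The StubUserModel::save() semantics are an assumption modelled on the manual excerpt quoted above, and the users table, the names and the forged request are constructed for the demonstration; changePasswordAsPosted() mirrors the pattern quoted in post #55, and changePasswordHardened() is the defensive variant.

```php
<?php
// Added example (not PicoStocks' or CakePHP's code). The stub reproduces the
// behaviour the thread describes: save() copies data[User][id] into the model's
// id before the fieldList whitelist is applied, so the update targets whatever
// row the client named. These stub semantics are an assumption.

class StubUserModel {
    public $id = null;
    private $table;

    // $table is a constructed in-memory stand-in for the users table.
    public function __construct(array &$table) {
        $this->table = &$table;
    }

    // Mimics Model::save($data, array('fieldList' => ...)).
    public function save(array $data, array $params = array()) {
        if (isset($data['User']['id'])) {
            $this->id = $data['User']['id'];   // the overwrite described in the thread
        }
        if ($this->id === null || !isset($this->table[$this->id])) {
            return false;
        }
        $fieldList = isset($params['fieldList'])
            ? $params['fieldList']
            : array_keys($data['User']);
        foreach ($data['User'] as $field => $value) {
            // fieldList restricts the columns written, not the row selected.
            if ($field !== 'id' && in_array($field, $fieldList, true)) {
                $this->table[$this->id][$field] = $value;
            }
        }
        return true;
    }
}

// The pattern quoted in the thread: id from the session, then the raw payload.
function changePasswordAsPosted(StubUserModel $User, $sessionUserId, array $requestData) {
    $User->id = $sessionUserId;
    return $User->save($requestData, array('fieldList' => array('pass', 'pass2')));
}

// Hardened pattern: keep only the allowed fields from the request, then put the
// session id into the data array itself so nothing client-supplied can reach
// the primary key.
function changePasswordHardened(StubUserModel $User, $sessionUserId, array $requestData) {
    $allowed = array('pass', 'pass2');
    $input   = isset($requestData['User']) ? $requestData['User'] : array();
    $clean   = array('User' => array_intersect_key($input, array_flip($allowed)));
    if (!isset($clean['User']['pass'], $clean['User']['pass2'])
        || $clean['User']['pass'] !== $clean['User']['pass2']) {
        return false;                          // incomplete or mismatched change
    }
    $clean['User']['id'] = (int)$sessionUserId; // server-authoritative id
    $User->id = (int)$sessionUserId;
    return $User->save($clean, array('fieldList' => $allowed));
}

// Constructed data: two users, and a request sent from the session of user 2
// whose payload names user 1's id.
$users = array(
    1 => array('id' => 1, 'name' => 'alice', 'pass' => 'hash-alice'),
    2 => array('id' => 2, 'name' => 'bob',   'pass' => 'hash-bob'),
);
$forged = array('User' => array('id' => 1, 'pass' => 'new', 'pass2' => 'new'));

changePasswordAsPosted(new StubUserModel($users), 2, $forged);
printf("as posted: alice=%s bob=%s\n", $users[1]['pass'], $users[2]['pass']);

$users[1]['pass'] = 'hash-alice';              // restore before the second run
changePasswordHardened(new StubUserModel($users), 2, $forged);
printf("hardened:  alice=%s bob=%s\n", $users[1]['pass'], $users[2]['pass']);
```

Run it with `php` from the command line: the first call changes alice's row although the session belongs to bob, the second only bob's. The design point is that a column whitelist on the write is not a substitute for deciding the target row on the server side; the request must never be allowed to carry the primary key, and the account-change notifications and freeze window described in post #55 then serve as detection for the cases a binder misses.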
hero member
Activity: 756
Merit: 522
June 10, 2013, 07:18:31 PM
#52
PicoStocks is down for 1 day. A hacker obtained the password of a big shareholder of Proteon and started executing trades that led to a drop of the price of this asset. The hacker was able to transfer around 1300 BTC from PicoStocks to this account: https://blockchain.info/address/1PoYfqyTnxKdCpv5ydzEGepW5GLsRRHgBb
We will fix the damage today and the trading should continue tomorrow. We will reset the status of Proteon shares to previous state. Other shares were not affected.

A PicoStocks account is supposed to be permanently tied to a specific Bitcoin address. How was the attacker able to withdraw to a seemingly arbitrary address?

The plot thickens.

Looking forward to seeing which will be the third completely imaginary, multi-million dollar mining "investment" this guy makes, after having lost that much on bASIC and seeing how BitFury isn't going to be delivering (or at least, not on the originally promised schedule).
member
Activity: 84
Merit: 10
June 10, 2013, 05:30:28 PM
#51
$145k heist with no repercussions. Amazing and sad world we live in.