Topic: Poloniex security review (Read 6532 times)
Polo are crooks!!!
For informations : https://www.reddit.com/r/PoloniexForum/comments/6t4tvs/i_managed_to_bypass_2fa_and_email_verification_is/
That's a very concerning thread. The most interesting comment was the following:
https://www.reddit.com/r/PoloniexForum/comments/6t4tvs/i_managed_to_bypass_2fa_and_email_verification_is/dlits1b/
Quote
The Poloniex database wasn't leaked. I found a user reusing credentials from another leaked database that had already been cracked. The user had 2FA, and I managed to use an exploit to make it useless, and another bug caused their email client to verify the transaction by just opening the confirmation email (due to improperly configured robots.txt).
Don't re-use passwords, people. Make a new 14 character password for every site you use.
Also, the email exploit where the email was being confirmed without clicking was an Outlook email. If you use Outlook, change your email to something else.
as long as trading in polo its good exchange
waiting for ICN go to there
waiting for ICN go to there
add a #Cloakcoin coin we requested a so many times
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.
You would think that with their history and man power, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2fa or email confirm to do a full withdraw.
You would think that with their history and man power, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2fa or email confirm to do a full withdraw.
you need to take into consideration the volume of a year ago and the volume of today. its a huge difference.
Ah, I missed the "Referer" part. In that specific case GET is worse then yeh.
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?
Is this really true though?First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:
Code:
The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefor it wouldn't be possible as clickable link on same domain, nor any link/form/etc on another domain. Did you try making a request without that request header?
The reason why CSRF tokens are superior is because there has been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed to make request with those X- headers.) But still if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.
Overall it seems like the PDF is a bit exaggerated IMO
The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that 
so thanks for sharing that.Your wrong, they aren't equally vulnerable. As a matter of fact, it wouldn't have been possible to do the attack I described if they were using POST.
They are not verifying the header X-Requested-With: XMLHttpRequest as you supposed. They check for the Referer header (poloniex.com), which only allow an attack via trollbox link (so again, it isn't possible with post)
Glad to see my reports learnt you some security things btw :p
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?
Is this really true though?First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:
Code:
The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefor it wouldn't be possible as clickable link on same domain, nor any link/form/etc on another domain. Did you try making a request without that request header?
The reason why CSRF tokens are superior is because there has been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed to make request with those X- headers.) But still if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.
Overall it seems like the PDF is a bit exaggerated IMO
The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that so thanks for sharing that. Poloniex is safe according to their post on reddit.
They were unlucky that I didn't release all the vulnerability in one row.
Oups ! goo.gl/xcbG5G
They were unlucky that I didn't release all the vulnerability in one row.
Oups ! goo.gl/xcbG5G
This open url vulnerability just got patched. But well, it was just another proof that Polo wasn't safe, even after the reddit post.
Poloniex is safe according to their post on reddit.
They were unlucky that I didn't release all the vulnerability in one row.
Oups ! goo.gl/xcbG5G
They were unlucky that I didn't release all the vulnerability in one row.
Oups ! goo.gl/xcbG5G
Somebody exploit the vulnerabilities yet?
I need an exchange to collapse to get more cheap coins.
I need an exchange to collapse to get more cheap coins.
I can't argue on the matter as I'm not a coder.
I think we've crossed streams here.
Nah, all is good.
Polo has been decent in their response, and I think take it all seriously but OP raised proper points and has gotten his 0.2 btc bounty for pointing out a 200 btc problem.
As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.
For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.
As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.
For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.
I agree on everything, but the decent part (well, I may add the size of the bounty, giving the fact that Poloniex is operating with 10s of millions $). Notice part of their response:
Quote
This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes. Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective? Should a 'news source' that eagerly publishes the statements of a person without verifiable identity or proper vetting of his accusations be considered legitimate news?
I thought they are joking. Should that 'news source' name to be Kevin Mitnick in order to investigate the problem? It sounded like: "We are Poloniex and he is nobody".
Not cool.
I can't argue on the matter as I'm not a coder.
I think we've crossed streams here.
Polo has been decent in their response, and I think take it all seriously but OP raised proper points and has gotten his 0.2 btc bounty for pointing out a 200 btc problem.
As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.
For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.
I can't argue on the matter as I'm not a coder.
We are arguing man? I'm in complete agreeance.
As far as it stands now.
Yes.
Yes.
You do realize that Emin Gun Siner is Associate Professor at Cornell's Computer Science Dept.? And as I said - I don't think their answer is professional. They talked against Xavier for too much and I believe they have better things to do.
As far as it stands now.
Yes.
Yes.
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof.
Emails or gtfo
So where's the proof.
Emails or gtfo
You think?
https://twitter.com/el33th4xor/status/787610289369784320
Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).
So was it a risk or not? That's the real question.
Polo admits that mod escalation happened, this is admitted on both reddit and btctalk by legitimate spokepeople
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof.
Emails or gtfo
Jump to: