Topic: Poloniex security review (Read 6574 times)

newbie
Activity: 31
Merit: 0
August 31, 2018, 07:25:35 AM
#63
Polo are crooks!!!
legendary
Activity: 1652
Merit: 1088
CryptoTalk.Org - Get Paid for every Post!
August 12, 2017, 06:35:12 PM
#61

That's a very concerning thread. The most interesting comment was the following:

https://www.reddit.com/r/PoloniexForum/comments/6t4tvs/i_managed_to_bypass_2fa_and_email_verification_is/dlits1b/

Quote
The Poloniex database wasn't leaked. I found a user reusing credentials from another leaked database that had already been cracked. The user had 2FA, and I managed to use an exploit to make it useless, and another bug caused their email client to verify the transaction by just opening the confirmation email (due to improperly configured robots.txt).

Don't re-use passwords, people. Make a new 14 character password for every site you use.

Also, the email exploit where the email was being confirmed without clicking was an Outlook email. If you use Outlook, change your email to something else.
newbie
Activity: 54
Merit: 0
November 02, 2016, 03:51:39 AM
#59
As long as trading is on Polo, it's a good exchange.
Waiting for ICN to go there.
sr. member
Activity: 499
Merit: 250
October 28, 2016, 09:03:21 PM
#58
Add the #Cloakcoin coin; we requested it so many times.
full member
Activity: 235
Merit: 100
October 20, 2016, 07:25:18 PM
#57
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and man power, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2fa or email confirm to do a full withdraw.

You need to take into consideration the volume of a year ago and the volume of today. It's a huge difference.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
October 17, 2016, 10:04:00 AM
#56
Ah, I missed the "Referer" part. In that specific case GET is worse, then, yeah.
hero member
Activity: 729
Merit: 545
October 17, 2016, 09:37:58 AM
#55
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability, don't you?
Is this really true though?

First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:

Code:



This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF.

The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefore it wouldn't be possible as a clickable link on the same domain, nor any link/form/etc. on another domain. Did you try making a request without that request header?

The reason why CSRF tokens are superior is because there have been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed making requests with those X- headers.) But still, if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.

Overall it seems like the PDF is a bit exaggerated IMO. The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that, so thanks for sharing that.

You're wrong, they aren't equally vulnerable. As a matter of fact, it wouldn't have been possible to do the attack I described if they were using POST.
They are not verifying the header X-Requested-With: XMLHttpRequest as you supposed. They check for the Referer header (poloniex.com), which only allows an attack via a trollbox link (so again, it isn't possible with POST).
Glad to see my reports taught you some security things btw :p
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
October 17, 2016, 01:14:08 AM
#54
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability, don't you?
Is this really true though?

First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:

Code:



This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF.

The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefore it wouldn't be possible as a clickable link on the same domain, nor any link/form/etc. on another domain. Did you try making a request without that request header?

The reason why CSRF tokens are superior is because there have been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed making requests with those X- headers.) But still, if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.

Overall it seems like the PDF is a bit exaggerated IMO. The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that, so thanks for sharing that.
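As an added example (not code from this thread, from Poloniex, or from the PDF), the two server-side defences debated above, a Referer check and a per-session CSRF token, run over three constructed requests; the origin, session id, paths and parameter names are assumed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGIN = "https://poloniex.com"  # assumed site origin for the demo

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def referer_check(req):
    """Referer-only defence: trust any request that says it came from the site.
    A link followed from on-site chat carries a same-origin Referer, so it passes."""
    ref = req.headers.get("Referer", "")
    return ref == TRUSTED_ORIGIN or ref.startswith(TRUSTED_ORIGIN + "/")

class CsrfTokens:
    """Token defence: a random per-session token that must be echoed in a POST
    body. Neither a bare link nor a cross-site form knows it."""
    def __init__(self):
        self._by_session = {}

    def issue(self, session_id):
        self._by_session[session_id] = secrets.token_hex(16)
        return self._by_session[session_id]

    def check(self, session_id, req):
        expected = self._by_session.get(session_id)
        return (req.method == "POST" and expected is not None
                and hmac.compare_digest(expected, req.form.get("csrf_token", "")))

def demo():
    """Three constructed requests against one logged-in session; each is run
    through both defences so the difference is visible side by side."""
    tokens = CsrfTokens()
    tok = tokens.issue("sess1")
    requests = {
        # the user's own withdrawal form on the site
        "own_form": Request("POST", {"Referer": TRUSTED_ORIGIN + "/withdraw"},
                            {"csrf_token": tok, "amount": "1"}),
        # a GET link clicked inside on-site chat: same-origin Referer, no token
        "chat_link": Request("GET", {"Referer": TRUSTED_ORIGIN + "/trollbox"}),
        # an auto-submitted POST form hosted on another domain
        "cross_site": Request("POST", {"Referer": "https://attacker.example/"},
                              {"amount": "1"}),
    }
    return {name: {"referer": referer_check(r), "token": tokens.check("sess1", r)}
            for name, r in requests.items()}
```

Only the token check rejects the on-site chat link, which is the case the reply above says the Referer check let through.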
hero member
Activity: 729
Merit: 545
October 16, 2016, 03:53:08 PM
#53
Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerabilities in one row.

Oops! goo.gl/xcbG5G

This open url vulnerability just got patched. But well, it was just another proof that Polo wasn't safe, even after the reddit post.
hero member
Activity: 729
Merit: 545
October 16, 2016, 01:45:37 PM
#52
Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerabilities in one row.

Oops! goo.gl/xcbG5G
legendary
Activity: 1260
Merit: 1002
October 16, 2016, 09:46:11 AM
#51
Has somebody exploited the vulnerabilities yet?

I need an exchange to collapse to get more cheap coins.

legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 09:38:07 AM
#50
I can't argue on the matter as I'm not a coder.

I think we've crossed streams here.

Nah, all is good.

Polo has been decent in their response, and I think take it all seriously but OP raised proper points and has gotten his 0.2 btc bounty for pointing out a 200 btc problem.

As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.

For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.

I agree on everything but the decent part (well, I may add the size of the bounty, given the fact that Poloniex is operating with tens of millions of dollars). Notice part of their response:


Quote
This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes. Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective? Should a 'news source' that eagerly publishes the statements of a person without verifiable identity or proper vetting of his accusations be considered legitimate news?

I thought they were joking. Should that 'news source' be named Kevin Mitnick in order to investigate the problem? It sounded like: "We are Poloniex and he is nobody".

Not cool.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 09:28:24 AM
#49
I can't argue on the matter as I'm not a coder.

I think we've crossed streams here.

Polo has been decent in their response, and I think take it all seriously but OP raised proper points and has gotten his 0.2 btc bounty for pointing out a 200 btc problem.

As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.

For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.
legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 09:13:05 AM
#48
I can't argue on the matter as I'm not a coder.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 09:08:17 AM
#47
We are arguing, man? I'm in complete agreement.
legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 08:44:30 AM
#46
As far as it stands now.

Yes.

You do realize that Emin Gün Sirer is an Associate Professor at Cornell's Computer Science Dept.? And as I said, I don't think their answer is professional. They talked against Xavier too much and I believe they have better things to do.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 08:35:20 AM
#45
As far as it stands now.

Yes.
legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 07:48:33 AM
#44
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof?
Emails or gtfo.

You think?

https://twitter.com/el33th4xor/status/787610289369784320
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 07:26:34 AM
#43
Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).

So was it a risk or not? That's the real question.

Polo admits that mod escalation happened; this is admitted on both reddit and btctalk by legitimate spokespeople.
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof?
Emails or gtfo.
