Topic: Poloniex security review - page 2. (Read 6574 times)

Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).

So you rely on a post posted by the website himself ? Sure, they will say Yes, we fucked up, withdraws your coins. That's just stupid.
Again, it isn't FUD, I like to believe after that, they will consider their customers and increase security.

FUD: https://www.reddit.com/r/CryptoCurrency/comments/57q9gf/poloniex_is_secure_were_good/

Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and man power, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2fa or email confirm to do a full withdraw.

Not sure why POLO BOSS BUSONI is so angry on XAVIER59..

Xavier59 tried to help, report vulnerablilites and move on with the support guys.

He had to post this public only because of the support team, keep pushing the tickets in a circle

But as usual, support guys behave like dicks even in emergencies like these and take 48hrs for each reply.

I guess both XAVIER59 and BUSONI can sign a peace treaty or something!!!

Xavier59 has my full support along with a huge group of concerned people who will make polo wake up and hopefully (fingers crossed) hire a decent coder. This isn't the 1990's. Wake up and smell the payload. Polo is more so as was before now in the radar of malicious users looking to get rich from this.

And I won't spoil it for you, but there are many more vulnerabilities left wide open. Do your research and get educated. Xavier isn't spreading FUD, but all those who are trying to cover this up realize they will lose money over this if polo loses clientele or memberships.

Answer to Poloniex reddit post : https://www.reddit.com/r/CryptoCurrency/comments/57q9gf/poloniex_is_secure_were_good/


You're totally off the mark. Never said multithreadying is a vulnerability, as well as get request. It's the way you use them wich is a vulnerability. It becomes one when multiple thread can share the same ressources at the same time.


I wonder how you can say that after what I did write in my reports. I reported you every GET request you did was easily shared with the moderator clickable link. This wouldn't be possible using POST request. Same for Open URL Vulnerability. So YES, you're using GET request in the bad way, and if you can't see that, I feel only much worried.


As I wrote, I'm not a professionnal pentester. I feel the need to test my payloads before reporting them, because I'm never sure it will work. I have been posting exactly 3 messages using the moderator client-side privilege. I wonder where you see in my article that I did a falsefy report ! Quoting me : "Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."
This is exactly what it did, and I specified that it was moderation client privilege only.
If you think I wrote as moderator just to be spectacular, remember that I only posted 3 messages, and then directly reported the vulnerability as suggested by the moderators.


And this is your principal mistake. Because I didn't neither I do hide myself. Some research on any search engines could easily lead you to my identify. Moreover, I would like to remind you that I shared my personnal identy with the support.


I would be very interested knowing which company did a security audit of your website ?


Btw, I'm still waiting your answer, tickets #66023. Pending since 29 days now. Tic tac tic tac ...

Regardless, besides being a trader or getting good lending rates from polo (>80% p.a for me), anyone storing their coins on exchanges is asking for trouble.

There's no current danger.

It's just a huge question mark hanging over polo, and how seriously they take security?
OP has been upfront, notified polo a month ago, got a tiny bounty for one of the issues, and they won't respond about another vulnerability despite fixing that too

That pdf would sell on the darkweb for much more than 0.2 btc. I hope people here realise that.

Keen to hear Polo response.

It is already starting coming out of the news sites in the cryptosphere.

https://www.cryptocoinsnews.com/cryptocurrency-exchange-poloniex-insecure-security-review-claims/

It would be good to choose the safer option of holding your coins in your wallet or maybe even convert back to bitcoins. If the security flaws are exploited by some other hacker that is smarter than the thread starter then panic selling of the altcoins listed in Poloniex might be possible. No one believed in the Cryptsy situation now look what happened with that exchange.

Do not believe the bad news entirely but we should also be careful.

As i said that's ripe to be exploited. Social engineering is one of the greatest threats. You could infect people with all sorts of malware, after that, loss of funds.

Do you also assert "OP cannot exploit any vulnerability against Poloniex that involves loss of funds"?

Because I'd say that's a straight up lie.

He didn't have mod privileges, it just changed the way his posts appeared to others in the box. I think that's just his bad English and poor translation.
"Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."

Moderator privilege escalation doesn't worry you? That's a social engineering disaster waiting to happen.

When Poloniex did a code review of Vcash we performed a 3 month security audit including penetration tests and double spending tests against many assets. We personally discussed this with Tristan and made "minor" recommendations "at best". Why can we talk to Tristan yet you post this here? I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds, in fact he should prove his loose and fast wording is not simply hand waving instead of Bantha fodder.

could you please go into greater depth about the fundamental law?

I've read the .pdf and I support Xavier59. Keep it up

All arguments are valid, and while they might not be exploitable right now, they're proof of bad coding practices and should not be ignored.

On Wall Street, Customers are protected with insurance funds and policies...
There is no way to make any exchange of any kind fully secure.

Based on crypto history...
Any rational trader must assume that Polo has roughly a 50% chance of suffering a total loss...
So if you are leaving > 10-20% of your BTC on Polo you are a hardcore gambler.

As for decentralized versus centralized exchanges...
There is some sort of fundamental law that prevents them from developing comparable liquidity...
But this is never addressed by people hyping all things decentralized.

ok...  but is there any exchanges that are proveably free of bugs, or even worse human error or manipulation...  Nope.
Its time for poloniex, and all centralized exchanges to move aside so  crypto can finally become what it was meant to be.

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.

dont worry guys there will always be vulnerabilities in centralized exchanges, but DEx's are starting to make there way into the crypto world.  Soon you will be able to trade without worrying about leaving your BTC in someone elses control, and will finally be free of this worry.
Imagine the order books of BTC and other projects when we wont have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

cant wait to see the true dawn of decentralized trading!!!