Topic: Poloniex security review - page 2. (Read 6590 times)

sr. member
Activity: 322
Merit: 250
Spray and Pray
October 16, 2016, 04:26:36 AM
#42
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and manpower, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2FA or email confirm to do a full withdraw.

Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).
hero member
Activity: 729
Merit: 545
October 16, 2016, 04:09:01 AM
#41

So you rely on a post posted by the website itself? Sure, they will say "Yes, we fucked up, withdraw your coins". That's just stupid.
Again, it isn't FUD, I like to believe after that, they will consider their customers and increase security.
sr. member
Activity: 322
Merit: 250
Spray and Pray
October 16, 2016, 04:05:13 AM
#39
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and manpower, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2FA or email confirm to do a full withdraw.
hero member
Activity: 546
Merit: 500
October 16, 2016, 03:43:53 AM
#38
Not sure why POLO BOSS BUSONI is so angry at XAVIER59..

Xavier59 tried to help, report vulnerabilities and move on with the support guys.

He had to post this publicly only because the support team keeps pushing the tickets in a circle.

But as usual, support guys behave like dicks even in emergencies like these and take 48hrs for each reply.

I guess both XAVIER59 and BUSONI can sign a peace treaty or something!!!
newbie
Activity: 27
Merit: 0
October 16, 2016, 03:38:25 AM
#37
Xavier59 has my full support along with a huge group of concerned people who will make polo wake up and hopefully (fingers crossed) hire a decent coder. This isn't the 1990s. Wake up and smell the payload. Polo is, more so than before, now on the radar of malicious users looking to get rich from this.

And I won't spoil it for you, but there are many more vulnerabilities left wide open. Do your research and get educated. Xavier isn't spreading FUD, but all those who are trying to cover this up realize they will lose money over this if polo loses clientele or memberships.
hero member
Activity: 729
Merit: 545
October 16, 2016, 03:29:00 AM
#36
Answer to Poloniex reddit post : https://www.reddit.com/r/CryptoCurrency/comments/57q9gf/poloniex_is_secure_were_good/

Quote
-- Anyone who is familiar with web services should know that multithreading, in and by itself, is not a vulnerability. In fact, it is necessary when processing more than one request at any given time. Our trading engine processes 200-300 transactions per second, and that's on a slow day.

You're totally off the mark. I never said multithreading is a vulnerability, nor GET requests. It's the way you use them which is a vulnerability. It becomes one when multiple threads can share the same resources at the same time.

Quote
-- For those who may be concerned with us using GET in any context: We agree that POST is best practice, and we currently use POST for sensitive information. We have plans to move more requests to POST, but in the meantime, it’s worth noting that GET is not inherently insecure and POST is not inherently secure. What matters much more is how each is used.

I wonder how you can say that after what I wrote in my reports. I reported to you that every GET request you made was easily shared with the moderator clickable link. This wouldn't be possible using POST requests. Same for the Open URL vulnerability. So YES, you're using GET requests in a bad way, and if you can't see that, I only feel very worried.

Quote
-- This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes

As I wrote, I'm not a professional pentester. I feel the need to test my payloads before reporting them, because I'm never sure they will work. I posted exactly 3 messages using the moderator client-side privilege. I wonder where you see in my article that I made a false report! Quoting me: "Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."
This is exactly what it did, and I specified that it was moderation client privilege only.
If you think I wrote as moderator just to be spectacular, remember that I only posted 3 messages, and then directly reported the vulnerability as suggested by the moderators.

Quote
Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective?

And this is your principal mistake. Because I didn't, nor do I, hide myself. Some research on any search engine could easily lead you to my identity. Moreover, I would like to remind you that I shared my personal identity with the support.


I would be very interested in knowing which company did a security audit of your website.


Btw, I'm still waiting for your answer, ticket #66023. Pending for 29 days now. Tic tac tic tac ...

Quote
but if your story is a mash-up of half-truths and inaccuracies, what are you really after?
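
An added illustration of the GET-versus-POST point argued in post #36 above; it is not part of the thread and is not Poloniex code. The handlers, the `/cancelOrder` path, the session layout and the token scheme are all hypothetical: a state-changing action reachable by GET runs as soon as a logged-in user follows a shared link, while the hardened handler requires POST plus a per-session anti-CSRF token.

```python
import hmac
import secrets

# Constructed, hypothetical data: one logged-in session with one open order.
def new_session():
    return {"user": "alice", "orders": {"1001"}, "csrf": secrets.token_hex(16)}

def handle_weak(method, path, params, session):
    """State change on any method: a followed link (GET) is enough."""
    if path == "/cancelOrder" and params.get("id") in session["orders"]:
        session["orders"].discard(params["id"])
        return 200
    return 404

def handle_hardened(method, path, params, session):
    """State change only on POST carrying the session's anti-CSRF token."""
    if path != "/cancelOrder":
        return 404
    if method != "POST":
        return 405                      # links and image tags only issue GET
    token = params.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403                      # a cross-site form post lacks the token
    if params.get("id") not in session["orders"]:
        return 404
    session["orders"].discard(params["id"])
    return 200

def clicked_link(handler, session):
    """What the browser sends when a user follows a link posted in chat:
    a GET with the user's cookies (the session) and no secret token."""
    return handler("GET", "/cancelOrder", {"id": "1001"}, session)

def demo():
    weak, hard = new_session(), new_session()
    results = {
        "weak_link": clicked_link(handle_weak, weak),
        "hard_link": clicked_link(handle_hardened, hard),
        "hard_forged_post": handle_hardened(
            "POST", "/cancelOrder", {"id": "1001", "csrf": "guess"}, hard),
    }
    results["order_survives"] = "1001" in hard["orders"]
    results["hard_legit_post"] = handle_hardened(
        "POST", "/cancelOrder", {"id": "1001", "csrf": hard["csrf"]}, hard)
    results["weak_order_gone"] = "1001" not in weak["orders"]
    return results

if __name__ == "__main__":
    print(demo())
```
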
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 11:44:50 PM
#35
Regardless, besides being a trader or getting good lending rates from polo (>80% p.a for me), anyone storing their coins on exchanges is asking for trouble.

member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 11:39:29 PM
#34
Do not believe the bad news entirely but we should also be careful.

There's no current danger.

It's just a huge question mark hanging over polo, and how seriously they take security?
OP has been upfront, notified polo a month ago, got a tiny bounty for one of the issues, and they won't respond about another vulnerability despite fixing that too

That pdf would sell on the darkweb for much more than 0.2 btc. I hope people here realise that.

Keen to hear Polo response.
legendary
Activity: 3122
Merit: 1492
October 15, 2016, 10:20:24 PM
#33
It is already starting to come out on the news sites in the cryptosphere.

https://www.cryptocoinsnews.com/cryptocurrency-exchange-poloniex-insecure-security-review-claims/

It would be good to choose the safer option of holding your coins in your wallet or maybe even convert back to bitcoins. If the security flaws are exploited by some other hacker that is smarter than the thread starter, then panic selling of the altcoins listed in Poloniex might be possible. No one believed in the Cryptsy situation; now look what happened with that exchange.

Do not believe the bad news entirely but we should also be careful.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 09:49:25 PM
#32
I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds

Moderator privilege escalation doesn't worry you? That's a social engineering disaster waiting to happen.
He didn't have mod privileges, it just changed the way his posts appeared to others in the box. I think that's just his bad English and poor translation.
"Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."

As I said that's ripe to be exploited. Social engineering is one of the greatest threats. You could infect people with all sorts of malware, after that, loss of funds.

Do you also assert "OP cannot exploit any vulnerability against Poloniex that involves loss of funds"?

Because I'd say that's a straight up lie.
sr. member
Activity: 458
Merit: 265
October 15, 2016, 09:31:38 PM
#31
I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds

Moderator privilege escalation doesn't worry you? That's a social engineering disaster waiting to happen.
He didn't have mod privileges, it just changed the way his posts appeared to others in the box. I think that's just his bad English and poor translation.
"Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 09:14:49 PM
#30
I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds

Moderator privilege escalation doesn't worry you? That's a social engineering disaster waiting to happen.
sr. member
Activity: 596
Merit: 251
October 15, 2016, 07:20:26 PM
#29
When Poloniex did a code review of Vcash we performed a 3 month security audit including penetration tests and double spending tests against many assets. We personally discussed this with Tristan and made "minor" recommendations "at best". Why can we talk to Tristan yet you post this here? I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds, in fact he should prove his loose and fast wording is not simply hand waving instead of Bantha fodder.
sr. member
Activity: 416
Merit: 250
October 15, 2016, 01:36:37 PM
#28
Don't worry guys, DEx are starting to make their way into the crypto world, and there will always be vulnerabilities in centralized exchanges. Soon you will be able to make exchanges without worry of leaving your BTC in someone else's control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we won't have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

Can't wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.

OK... but are there any exchanges that are provably free of bugs, or even worse, human error or manipulation... Nope.
It's time for Poloniex, and all centralized exchanges, to move aside so crypto can finally become what it was meant to be.

On Wall Street, Customers are protected with insurance funds and policies...
There is no way to make any exchange of any kind fully secure.

Based on crypto history...
Any rational trader must assume that Polo has roughly a 50% chance of suffering a total loss...
So if you are leaving > 10-20% of your BTC on Polo you are a hardcore gambler.

As for decentralized versus centralized exchanges...
There is some sort of fundamental law that prevents them from developing comparable liquidity...
But this is never addressed by people hyping all things decentralized.


Could you please go into greater depth about the fundamental law?
member
Activity: 78
Merit: 10
October 15, 2016, 01:35:37 PM
#27
I've read the .pdf and I support Xavier59. Keep it up.

All arguments are valid, and while they might not be exploitable right now, they're proof of bad coding practices and should not be ignored.
legendary
Activity: 1588
Merit: 1000
October 15, 2016, 01:16:56 PM
#26
Don't worry guys, DEx are starting to make their way into the crypto world, and there will always be vulnerabilities in centralized exchanges. Soon you will be able to make exchanges without worry of leaving your BTC in someone else's control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we won't have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

Can't wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.

OK... but are there any exchanges that are provably free of bugs, or even worse, human error or manipulation... Nope.
It's time for Poloniex, and all centralized exchanges, to move aside so crypto can finally become what it was meant to be.

On Wall Street, Customers are protected with insurance funds and policies...
There is no way to make any exchange of any kind fully secure.

Based on crypto history...
Any rational trader must assume that Polo has roughly a 50% chance of suffering a total loss...
So if you are leaving > 10-20% of your BTC on Polo you are a hardcore gambler.

As for decentralized versus centralized exchanges...
There is some sort of fundamental law that prevents them from developing comparable liquidity...
But this is never addressed by people hyping all things decentralized.
sr. member
Activity: 416
Merit: 250
October 15, 2016, 12:52:07 PM
#25
Don't worry guys, DEx are starting to make their way into the crypto world, and there will always be vulnerabilities in centralized exchanges. Soon you will be able to make exchanges without worry of leaving your BTC in someone else's control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we won't have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

Can't wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.


OK... but are there any exchanges that are provably free of bugs, or even worse, human error or manipulation... Nope.
It's time for Poloniex, and all centralized exchanges, to move aside so crypto can finally become what it was meant to be.
hero member
Activity: 729
Merit: 545
October 15, 2016, 12:48:25 PM
#24
Don't worry guys, DEx are starting to make their way into the crypto world, and there will always be vulnerabilities in centralized exchanges. Soon you will be able to make exchanges without worry of leaving your BTC in someone else's control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we won't have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

Can't wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.
sr. member
Activity: 416
Merit: 250
October 15, 2016, 12:46:26 PM
#23
Don't worry guys, there will always be vulnerabilities in centralized exchanges, but DEx's are starting to make their way into the crypto world. Soon you will be able to trade without worrying about leaving your BTC in someone else's control, and will finally be free of this worry.
Imagine the order books of BTC and other projects when we won't have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

Can't wait to see the true dawn of decentralized trading!!!