Poloniex security review - page 3. | Bitcointalksearch.org

keyboard warrior

sr. member

Activity: 266

Merit: 251

Quote from: Xavier59 on October 15, 2016, 10:39:34 AM

Quote from: rapazev on October 15, 2016, 10:34:04 AM

virustotal scan? i've some fear of these bitcointalk random links...

It is safe :
https://www.virustotal.com/en/url/536e926f2ec715ca3287356073b275d762e96dabe50d274f4c2f224cc369125e/analysis/1476545937/

It's probably safe, but virustotal isn't infallible. This warning is stickied at the top of the altcoin section. It warns that virus scans is no longer sufficient to ensure safety. There are sophisticated attacks that are undetectable, you only find out you've been hacked after you realise you've been robbed.

Quote from: grue on January 25, 2015, 05:33:22 PM

In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.

Xavier59

hero member

Activity: 729

Merit: 545

Quote from: rapazev on October 15, 2016, 10:34:04 AM

virustotal scan? i've some fear of these bitcointalk random links...

It is safe :
https://www.virustotal.com/en/url/536e926f2ec715ca3287356073b275d762e96dabe50d274f4c2f224cc369125e/analysis/1476545937/

rapazev

full member

Activity: 210

Merit: 100

virustotal scan? i've some fear of these bitcointalk random links...

bluewaters

newbie

Activity: 11

Merit: 0

Quote from: Xavier59 on October 15, 2016, 09:57:29 AM

Quote

I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

That's the point ! There is no need of valid hash to confirme those actions ! Check yourself !
Here is a capture of the complete request !

https://i.gyazo.com/0afa447c3c27f5d5076d0d8f3264fc1d.png

Since source code is client side i suggest you read up on how a "buy transaction" is done.

Code:

$("#buyForm").submit(function (event) {
    event.preventDefault();
    
    if ($("#dimmer").is(":visible"))
    	return $("#alertDivOK").click();
    
    if (document.getElementById('buyAmount').value < 0.0001) {
        $("#result").empty().append("Amount must be greater than 0.0001.");
        showAlert();
        return;
    }

    if (document.getElementById('buyRate').value < 0.00000001) {
        $("#result").empty().append("Price must be greater than zero.");
        showAlert();
        return;
    }

    showProgressBar();
    var $form = $(this),
    url = '/private.php';
    params = {	currencyPair: currencyPair,
	    		rate: $('#buyRate').val(),
	    		amount: $('#buyAmount').val(),
	    		command: (margin ? 'marginBuy' : 'buy')};
	if (margin)
		params['maxRate'] = $("#buyMaxRate").val() === undefined ? 0.005 : $("#buyMaxRate").val();
	
	if (webSocketCall(params))
		return true;
	
    var posting = $.get(url, params);
    posting.done(function (data) {
        var content = $(data);
        $("#result").empty().append(content);
        showAlert();
        updatePrivateInfo();
    });

});

Code:

function webSocketCall(params,id){
	return false;
	if ('conn' in window && window.conn.readyState == 1 && 1000 in window.conn.subscriptions){
		if (typeof id == "undefined")
			id = ++wNonce + usid;
		window.conn.send(JSON.stringify({command: "private",channel: 2000,id: id,params: params}));
		return true;
	} else {
		return false;
	}
}

Xavier59

hero member

Activity: 729

Merit: 545

Quote

The best you could hope for is that you post a link, someone click it, they have sufficient balance to make a transaction, all this before a mod catches it. The result is that the victim makes a shitty purchase. ...and that's the bug they acknowledged and paid you for. The others are nonsense.

Exactly, that's only a proof of concept. How much people could I get to click on my link ? If I have luck, I fall on someone with 100+ BTC balance, which is not that rare.
But I can also use Open URL Vulnerability, which will set the Referer as poloniex.com and redirect to the GET buying/selling request.
They never paid me neither replied to my ticket reporting this vulnerability.

poochpocket

sr. member

Activity: 458

Merit: 265

Quote from: Xavier59 on October 15, 2016, 09:57:29 AM

Quote

I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

That's the point ! There is no need of valid hash to confirme those actions ! Check yourself !
Here is a capture of the complete request !

The best you could hope for is that you post a link, someone click it, they have sufficient balance to make a transaction, all this before a mod catches it. The result is that the victim makes a shitty purchase. ...and that's the bug they acknowledged and paid you for. The others are nonsense.

Xavier59

hero member

Activity: 729

Merit: 545

Quote

I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

That's the point ! There is no need of valid hash to confirme those actions ! Check yourself !
Here is a capture of the complete request !

poochpocket

sr. member

Activity: 458

Merit: 265

Quote from: Xavier59 on October 15, 2016, 09:47:21 AM

Quote from: poochpocket on October 15, 2016, 09:41:31 AM

Quote from: Xavier59 on October 15, 2016, 09:36:36 AM

Quote from: poochpocket on October 15, 2016, 09:29:35 AM

Quote from: Xavier59 on October 15, 2016, 09:20:18 AM

Quote from: poochpocket on October 15, 2016, 09:09:52 AM

Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.

They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.

Proof of concept links, you wouldn't have had valid hashes.
"..what is your goal from making this information public?"

That's the major problem ! There is no csrf tokens or "valid hashes" that protect those links. You should really read my paper better, or maybe my english was wrong.
My goal is to ring the alarm at the Poloniex team and expect them to have a better protection of there customers funds. This isn't FUD, a simple 4 page PDF will not destroy a big company in 1 day.

I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

Xavier59

hero member

Activity: 729

Merit: 545

Quote from: poochpocket on October 15, 2016, 09:41:31 AM

Quote from: Xavier59 on October 15, 2016, 09:36:36 AM

Quote from: poochpocket on October 15, 2016, 09:29:35 AM

Quote from: Xavier59 on October 15, 2016, 09:20:18 AM

Quote from: poochpocket on October 15, 2016, 09:09:52 AM

Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.

They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.

Proof of concept links, you wouldn't have had valid hashes.
"..what is your goal from making this information public?"

That's the major problem ! There is no csrf tokens or "valid hashes" that protect those links. You should really read my paper better, or maybe my english was wrong.
My goal is to ring the alarm at the Poloniex team and expect them to have a better protection of there customers funds. This isn't FUD, a simple 4 page PDF will not destroy a big company in 1 day.

poochpocket

sr. member

Activity: 458

Merit: 265

Quote from: Xavier59 on October 15, 2016, 09:36:36 AM

Quote from: poochpocket on October 15, 2016, 09:29:35 AM

Quote from: Xavier59 on October 15, 2016, 09:20:18 AM

Quote from: poochpocket on October 15, 2016, 09:09:52 AM

Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.

They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.

Proof of concept links, you wouldn't have had valid hashes.
"..what is your goal from making this information public?"

Xavier59

hero member

Activity: 729

Merit: 545

Quote from: poochpocket on October 15, 2016, 09:29:35 AM

Quote from: Xavier59 on October 15, 2016, 09:20:18 AM

Quote from: poochpocket on October 15, 2016, 09:09:52 AM

Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.

They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.

Shiroslullaby

sr. member

Activity: 434

Merit: 250

I would actually be very interested to know if Poloniex and other sites ever did actual security auditing.
They would be foolish not to pay for this type of service,
but nothing would surprise me with these exchanges.

I actually asked a question regarding security on these exchanges a week or two ago and got zero replies in the thread lol.
No one cares about security until millions of dollars in coins go missing.

poochpocket

sr. member

Activity: 458

Merit: 265

Quote from: Xavier59 on October 15, 2016, 09:20:18 AM

Quote from: poochpocket on October 15, 2016, 09:09:52 AM

Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.

They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

Xavier59

hero member

Activity: 729

Merit: 545

Quote from: poochpocket on October 15, 2016, 09:09:52 AM

Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong in my review and arguments a little more ...

poochpocket

sr. member

Activity: 458

Merit: 265

Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Xavier59

hero member

Activity: 729

Merit: 545

Quote from: buxlover on October 15, 2016, 08:14:32 AM

Quote from: Xavier59 on October 15, 2016, 08:05:23 AM

Quote from: dranster on October 15, 2016, 08:02:45 AM

Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat

I'm waiting reply since 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally having fun of me.
That's why I wanted to share this review to show the irresponsability of their team.

Do you have some proof regarding the above statement, If you can provide that we do need to be more cautions while using poloniex to trade. But how will such a famous site ignore their security vulnerability, Which might cause them to loose members.

Yep we had our lessons from mt gox bitfinex but we will never remember anything after the heat reduces, But as far as bitcoins and altcoins trading we have to rely on some trading platforms online.

I can provide screen, but we cannot really consider it a proof as the source code can be edited to modify data.
I have also some e-mail that I sent to Poloniex.

buxlover

full member

Activity: 224

Merit: 100

Quote from: Xavier59 on October 15, 2016, 08:05:23 AM

Quote from: dranster on October 15, 2016, 08:02:45 AM

Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat

I'm waiting reply since 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally having fun of me.
That's why I wanted to share this review to show the irresponsability of their team.

Do you have some proof regarding the above statement, If you can provide that we do need to be more cautions while using poloniex to trade. But how will such a famous site ignore their security vulnerability, Which might cause them to loose members.

Yep we had our lessons from mt gox bitfinex but we will never remember anything after the heat reduces, But as far as bitcoins and altcoins trading we have to rely on some trading platforms online.

SalmonBraker

newbie

Activity: 31

Merit: 0

Quote from: Xavier59 on October 15, 2016, 07:43:23 AM

Hey !

I've been writing a security review for poloniex those last few days.
Sorry for my poor english Embarrassed

https://www.pdf-archive.com/2016/10/15/poloniex/poloniex.pdf

Nice job you little bitch Cheesy

Xavier59

hero member

Activity: 729

Merit: 545

Quote from: dranster on October 15, 2016, 08:02:45 AM

Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat

I'm waiting reply since 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally having fun of me.
That's why I wanted to share this review to show the irresponsability of their team.

dranster

hero member

Activity: 546

Merit: 500

Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat

Topic: Poloniex security review - page 3. (Read 6574 times)