Author

Topic: Poloniex security review (Read 6577 times)

newbie
Activity: 31
Merit: 0
August 31, 2018, 07:25:35 AM
#63
Polo are crooks!!!
legendary
Activity: 1652
Merit: 1088
CryptoTalk.Org - Get Paid for every Post!
August 12, 2017, 06:35:12 PM
#61

That's a very concerning thread. The most interesting comment was the following:

https://www.reddit.com/r/PoloniexForum/comments/6t4tvs/i_managed_to_bypass_2fa_and_email_verification_is/dlits1b/

Quote
The Poloniex database wasn't leaked. I found a user reusing credentials from another leaked database that had already been cracked. The user had 2FA, and I managed to use an exploit to make it useless, and another bug caused their email client to verify the transaction by just opening the confirmation email (due to improperly configured robots.txt).

Don't re-use passwords, people. Make a new 14 character password for every site you use.

Also, the email exploit where the email was being confirmed without clicking was an Outlook email. If you use Outlook, change your email to something else.
newbie
Activity: 54
Merit: 0
November 02, 2016, 03:51:39 AM
#59
as long as trading in polo its good exchange
waiting for ICN go to there Grin
sr. member
Activity: 499
Merit: 250
October 28, 2016, 09:03:21 PM
#58
add a #Cloakcoin coin we requested  a so many times
full member
Activity: 235
Merit: 100
October 20, 2016, 07:25:18 PM
#57
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and man power, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2fa or email confirm to do a full withdraw.

you need to take into consideration the volume of a year ago and the volume of today. its a huge difference.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
October 17, 2016, 10:04:00 AM
#56
Ah, I missed the "Referer" part. In that specific case GET is worse then yeh.
hero member
Activity: 729
Merit: 545
October 17, 2016, 09:37:58 AM
#55
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?
Is this really true though?

First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:

Code:



This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF.

The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefor it wouldn't be possible as clickable link on same domain, nor any link/form/etc on another domain. Did you try making a request without that request header?

The reason why CSRF tokens are superior is because there has been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed to make request with those X- headers.) But still if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.





Overall it seems like the PDF is a bit exaggerated IMO Tongue The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that Smiley so thanks for sharing that.

Your wrong, they aren't equally vulnerable. As a matter of fact, it wouldn't have been possible to do the attack I described if they were using POST.
They are not verifying the header X-Requested-With: XMLHttpRequest as you supposed. They check for the Referer header (poloniex.com), which only allow an attack via trollbox link (so again, it isn't possible with post)
Glad to see my reports learnt you some security things btw :p
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
October 17, 2016, 01:14:08 AM
#54
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?
Is this really true though?

First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:

Code:



This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF.

The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefor it wouldn't be possible as clickable link on same domain, nor any link/form/etc on another domain. Did you try making a request without that request header?

The reason why CSRF tokens are superior is because there has been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed to make request with those X- headers.) But still if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.





Overall it seems like the PDF is a bit exaggerated IMO Tongue The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that Smiley so thanks for sharing that.
hero member
Activity: 729
Merit: 545
October 16, 2016, 03:53:08 PM
#53
Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerability in one row.

Oups ! goo.gl/xcbG5G

This open url vulnerability just got patched. But well, it was just another proof that Polo wasn't safe, even after the reddit post.
hero member
Activity: 729
Merit: 545
October 16, 2016, 01:45:37 PM
#52
Poloniex is safe according to their post on reddit.

They were unlucky that I didn't release all the vulnerability in one row.

Oups ! goo.gl/xcbG5G
legendary
Activity: 1260
Merit: 1002
October 16, 2016, 09:46:11 AM
#51
Somebody exploit the vulnerabilities yet?

I need an exchange to collapse to get more cheap coins. Grin

legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 09:38:07 AM
#50
I can't argue on the matter as I'm not a coder.

I think we've crossed streams here.

Nah, all is good.

Polo has been decent in their response, and I think take it all seriously but OP raised proper points and has gotten his 0.2 btc bounty for pointing out a 200 btc problem.

As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.

For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.

I agree on everything, but the decent part (well, I may add the size of the bounty, giving the fact that Poloniex is operating with 10s of millions $). Notice part of their response:


Quote
This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes. Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective? Should a 'news source' that eagerly publishes the statements of a person without verifiable identity or proper vetting of his accusations be considered legitimate news?

I thought they are joking. Should that 'news source' name to be Kevin Mitnick in order to investigate the problem? It sounded like: "We are Poloniex and he is nobody".

Not cool.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 09:28:24 AM
#49
I can't argue on the matter as I'm not a coder.

I think we've crossed streams here.

Polo has been decent in their response, and I think take it all seriously but OP raised proper points and has gotten his 0.2 btc bounty for pointing out a 200 btc problem.

As long as companies don't take these things seriously there'll always be incentive for good people to do the wrong thing.

For all the bad PR that's come up, polo should actually be grateful for this guy, he did good.
legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 09:13:05 AM
#48
I can't argue on the matter as I'm not a coder.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 09:08:17 AM
#47
We are arguing man? I'm in complete agreeance.
legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 08:44:30 AM
#46
As far as it stands now.

Yes.

You do realize that Emin Gun Siner is Associate Professor at Cornell's Computer Science Dept.? And as I said - I don't think their answer is professional. They talked against Xavier for too much and I believe they have better things to do.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 08:35:20 AM
#45
As far as it stands now.

Yes.
legendary
Activity: 1960
Merit: 1176
@FAILCommunity
October 16, 2016, 07:48:33 AM
#44
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof.
Emails or gtfo

You think?

https://twitter.com/el33th4xor/status/787610289369784320
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 16, 2016, 07:26:34 AM
#43
Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).

So was it a risk or not? That's the real question.

Polo admits that mod escalation happened, this is admitted on both reddit and btctalk by legitimate spokepeople
Their problem is that no one 'informed them first', and that is what needs to be proven.
So where's the proof.
Emails or gtfo

sr. member
Activity: 322
Merit: 250
Spray and Pray
October 16, 2016, 04:26:36 AM
#42
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and man power, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2fa or email confirm to do a full withdraw.

Your security risk claim has been dealt with (if it was even a 'risk' to begin with...).
hero member
Activity: 729
Merit: 545
October 16, 2016, 04:09:01 AM
#41

So you rely on a post posted by the website himself ? Sure, they will say Yes, we fucked up, withdraws your coins. That's just stupid.
Again, it isn't FUD, I like to believe after that, they will consider their customers and increase security.
sr. member
Activity: 322
Merit: 250
Spray and Pray
October 16, 2016, 04:05:13 AM
#39
Umm... so polo has been hacked before, they raised security measures and repaid the users who lost funds. It has been over a year since then and the staff (both behind the scenes and in the TB) have grown significantly.

You would think that with their history and man power, they would have security pretty tight. The only vulnerabilities I see are "user-error" in which some dumb-ass (either mod or user) makes a mistake. Even if an attacker managed to send withdraw requests, the coins are (from what I remember) in cold storage and you need 2fa or email confirm to do a full withdraw.
hero member
Activity: 546
Merit: 500
October 16, 2016, 03:43:53 AM
#38
Not sure why POLO BOSS BUSONI is so angry on XAVIER59..

Xavier59 tried to help, report vulnerablilites and move on with the support guys.

He had to post this public only because of the support team, keep pushing the tickets in a circle

But as usual, support guys behave like dicks even in emergencies like these and take 48hrs for each reply.

I guess both XAVIER59 and BUSONI can sign a peace treaty or something!!!
newbie
Activity: 27
Merit: 0
October 16, 2016, 03:38:25 AM
#37
Xavier59 has my full support along with a huge group of concerned people who will make polo wake up and hopefully (fingers crossed) hire a decent coder. This isn't the 1990's. Wake up and smell the payload. Polo is more so as was before now in the radar of malicious users looking to get rich from this.

And I won't spoil it for you, but there are many more vulnerabilities left wide open. Do your research and get educated. Xavier isn't spreading FUD, but all those who are trying to cover this up realize they will lose money over this if polo loses clientele or memberships.
hero member
Activity: 729
Merit: 545
October 16, 2016, 03:29:00 AM
#36
Answer to Poloniex reddit post : https://www.reddit.com/r/CryptoCurrency/comments/57q9gf/poloniex_is_secure_were_good/

Quote
-- Anyone who is familiar with web services should know that multithreading, in and by itself, is not a vulnerability. In fact, it is necessary when processing more than one request at any given time. Our trading engine processes 200-300 transactions per second, and that's on a slow day.

You're totally off the mark. Never said multithreadying is a vulnerability, as well as get request. It's the way you use them wich is a vulnerability. It becomes one when multiple thread can share the same ressources at the same time.

Quote
-- For those who may be concerned with us using GET in any context: We agree that POST is best practice, and we currently use POST for sensitive information. We have plans to move more requests to POST, but in the meantime, it’s worth noting that GET is not inherently insecure and POST is not inherently secure. What matters much more is how each is used.

I wonder how you can say that after what I did write in my reports. I reported you every GET request you did was easily shared with the moderator clickable link. This wouldn't be possible using POST request. Same for Open URL Vulnerability. So YES, you're using GET request in the bad way, and if you can't see that, I feel only much worried.

Quote
-- This same person then found another client-side exploit where he could alter the style of his Trollbox name to resemble the color of a moderator. Despite what has been falsely reported, he did not gain moderator privileges. Still, we would have considered this a bounty-worthy bug, but rather than report this to us, he decided it would be a spectacular idea to go into the Trollbox and flaunt what he had found. He was quickly banned, and a fix for this bug was implemented in a matter of minutes

As I wrote, I'm not a professionnal pentester. I feel the need to test my payloads before reporting them, because I'm never sure it will work. I have been posting exactly 3 messages using the moderator client-side privilege. I wonder where you see in my article that I did a falsefy report ! Quoting me : "Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."
This is exactly what it did, and I specified that it was moderation client privilege only.
If you think I wrote as moderator just to be spectacular, remember that I only posted 3 messages, and then directly reported the vulnerability as suggested by the moderators.

Quote
Should a 'security review' of a company by an unknown, unidentifiable person be trusted without asking the question - what is his objective?

And this is your principal mistake. Because I didn't neither I do hide myself. Some research on any search engines could easily lead you to my identify. Moreover, I would like to remind you that I shared my personnal identy with the support.


I would be very interested knowing which company did a security audit of your website ?


Btw, I'm still waiting your answer, tickets #66023. Pending since 29 days now. Tic tac tic tac ...

Quote
but if your story is a mash-up of half-truths and inaccuracies, what are you really after?
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 11:44:50 PM
#35
Regardless, besides being a trader or getting good lending rates from polo (>80% p.a for me), anyone storing their coins on exchanges is asking for trouble.

member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 11:39:29 PM
#34
Do not believe the bad news entirely but we should also be careful.

There's no current danger.

It's just a huge question mark hanging over polo, and how seriously they take security?
OP has been upfront, notified polo a month ago, got a tiny bounty for one of the issues, and they won't respond about another vulnerability despite fixing that too

That pdf would sell on the darkweb for much more than 0.2 btc. I hope people here realise that.

Keen to hear Polo response.
legendary
Activity: 3122
Merit: 1492
October 15, 2016, 10:20:24 PM
#33
It is already starting coming out of the news sites in the cryptosphere.

https://www.cryptocoinsnews.com/cryptocurrency-exchange-poloniex-insecure-security-review-claims/

It would be good to choose the safer option of holding your coins in your wallet or maybe even convert back to bitcoins. If the security flaws are exploited by some other hacker that is smarter than the thread starter then panic selling of the altcoins listed in Poloniex might be possible. No one believed in the Cryptsy situation now look what happened with that exchange.

Do not believe the bad news entirely but we should also be careful.
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 09:49:25 PM
#32
I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds

Moderator privilege escalation doesn't worry you? That's a social engineering disaster waiting to happen.
He didn't have mod privileges, it just changed the way his posts appeared to others in the box. I think that's just his bad English and poor translation.
"Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."

As i said that's ripe to be exploited. Social engineering is one of the greatest threats. You could infect people with all sorts of malware, after that, loss of funds.

Do you also assert "OP cannot exploit any vulnerability against Poloniex that involves loss of funds"?

Because I'd say that's a straight up lie.
sr. member
Activity: 458
Merit: 265
October 15, 2016, 09:31:38 PM
#31
I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds

Moderator privilege escalation doesn't worry you? That's a social engineering disaster waiting to happen.
He didn't have mod privileges, it just changed the way his posts appeared to others in the box. I think that's just his bad English and poor translation.
"Taking this username will grant me moderation client privilege which includes: having my name in blue and the ability to share clickable link."
member
Activity: 106
Merit: 10
Only a fool worries over what he can’t control.
October 15, 2016, 09:14:49 PM
#30
I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds

Moderator privilege escalation doesn't worry you? That's a social engineering disaster waiting to happen.
sr. member
Activity: 596
Merit: 251
October 15, 2016, 07:20:26 PM
#29
When Poloniex did a code review of Vcash we performed a 3 month security audit including penetration tests and double spending tests against many assets. We personally discussed this with Tristan and made "minor" recommendations "at best". Why can we talk to Tristan yet you post this here? I can assert that the OP cannot exploit any vulnerability against Poloniex that involves loss of funds, in fact he should prove his loose and fast wording is not simply hand waving instead of Bantha fodder. Cool
sr. member
Activity: 416
Merit: 250
October 15, 2016, 01:36:37 PM
#28
dont worry guys, DEx are starting to make there way into the crypto world.  and there will always be vulnerabilities in centralized exchanges.  soon you will be able to make exchanges without worry of leaving your BTC in someone elses control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we wont have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

cant wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.

ok...  but is there any exchanges that are proveably free of bugs, or even worse human error or manipulation...  Nope.
Its time for poloniex, and all centralized exchanges to move aside so  crypto can finally become what it was meant to be.

On Wall Street, Customers are protected with insurance funds and policies...
There is no way to make any exchange of any kind fully secure.

Based on crypto history...
Any rational trader must assume that Polo has roughly a 50% chance of suffering a total loss...
So if you are leaving > 10-20% of your BTC on Polo you are a hardcore gambler.

As for decentralized versus centralized exchanges...
There is some sort of fundamental law that prevents them from developing comparable liquidity...
But this is never addressed by people hyping all things decentralized.


could you please go into greater depth about the fundamental law?
member
Activity: 78
Merit: 10
October 15, 2016, 01:35:37 PM
#27
I've read the .pdf and I support Xavier59. Keep it up Smiley

All arguments are valid, and while they might not be exploitable right now, they're proof of bad coding practices and should not be ignored.
legendary
Activity: 1588
Merit: 1000
October 15, 2016, 01:16:56 PM
#26
dont worry guys, DEx are starting to make there way into the crypto world.  and there will always be vulnerabilities in centralized exchanges.  soon you will be able to make exchanges without worry of leaving your BTC in someone elses control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we wont have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

cant wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.

ok...  but is there any exchanges that are proveably free of bugs, or even worse human error or manipulation...  Nope.
Its time for poloniex, and all centralized exchanges to move aside so  crypto can finally become what it was meant to be.

On Wall Street, Customers are protected with insurance funds and policies...
There is no way to make any exchange of any kind fully secure.

Based on crypto history...
Any rational trader must assume that Polo has roughly a 50% chance of suffering a total loss...
So if you are leaving > 10-20% of your BTC on Polo you are a hardcore gambler.

As for decentralized versus centralized exchanges...
There is some sort of fundamental law that prevents them from developing comparable liquidity...
But this is never addressed by people hyping all things decentralized.
sr. member
Activity: 416
Merit: 250
October 15, 2016, 12:52:07 PM
#25
dont worry guys, DEx are starting to make there way into the crypto world.  and there will always be vulnerabilities in centralized exchanges.  soon you will be able to make exchanges without worry of leaving your BTC in someone elses control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we wont have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

cant wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.


ok...  but is there any exchanges that are proveably free of bugs, or even worse human error or manipulation...  Nope.
Its time for poloniex, and all centralized exchanges to move aside so  crypto can finally become what it was meant to be.
hero member
Activity: 729
Merit: 545
October 15, 2016, 12:48:25 PM
#24
dont worry guys, DEx are starting to make there way into the crypto world.  and there will always be vulnerabilities in centralized exchanges.  soon you will be able to make exchanges without worry of leaving your BTC in someone elses control and we will all be free of this worry.
Imagine the order books of BTC and other projects when we wont have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

cant wait to see the true dawn of decentralized trading!!!

This thread isn't about marketing or advertising any other exchange. It is about Poloniex and only Poloniex.
Thanks.
sr. member
Activity: 416
Merit: 250
October 15, 2016, 12:46:26 PM
#23
dont worry guys there will always be vulnerabilities in centralized exchanges, but DEx's are starting to make there way into the crypto world.  Soon you will be able to trade without worrying about leaving your BTC in someone elses control, and will finally be free of this worry.
Imagine the order books of BTC and other projects when we wont have to live in fear of losing our wealth to exchanges when we leave buy orders/sell orders in place.

cant wait to see the true dawn of decentralized trading!!!
sr. member
Activity: 266
Merit: 251
October 15, 2016, 11:24:53 AM
#22

It's probably safe, but virustotal isn't infallible. This warning is stickied at the top of the altcoin section. It warns that virus scans is no longer sufficient to ensure safety. There are sophisticated attacks that are undetectable, you only find out you've been hacked after you realise you've been robbed.

In the past months, malware infection attempts on this forum has become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans is no longer sufficient to ensure safety.


hero member
Activity: 729
Merit: 545
full member
Activity: 210
Merit: 100
October 15, 2016, 10:34:04 AM
#20
virustotal scan? i've some fear of these bitcointalk random links...
newbie
Activity: 11
Merit: 0
October 15, 2016, 10:12:13 AM
#19
Quote
I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

That's the point ! There is no need of valid hash to confirme those actions ! Check yourself !
Here is a capture of the complete request !

https://i.gyazo.com/0afa447c3c27f5d5076d0d8f3264fc1d.png

Since source code is client side i suggest you read up on how a "buy transaction" is done.

Code:
$("#buyForm").submit(function (event) {
    event.preventDefault();
   
    if ($("#dimmer").is(":visible"))
    return $("#alertDivOK").click();
   
    if (document.getElementById('buyAmount').value < 0.0001) {
        $("#result").empty().append("Amount must be greater than 0.0001.");
        showAlert();
        return;
    }

    if (document.getElementById('buyRate').value < 0.00000001) {
        $("#result").empty().append("Price must be greater than zero.");
        showAlert();
        return;
    }

    showProgressBar();
    var $form = $(this),
    url = '/private.php';
    params = { currencyPair: currencyPair,
    rate: $('#buyRate').val(),
    amount: $('#buyAmount').val(),
    command: (margin ? 'marginBuy' : 'buy')};
if (margin)
params['maxRate'] = $("#buyMaxRate").val() === undefined ? 0.005 : $("#buyMaxRate").val();

if (webSocketCall(params))
return true;

    var posting = $.get(url, params);
    posting.done(function (data) {
        var content = $(data);
        $("#result").empty().append(content);
        showAlert();
        updatePrivateInfo();
    });

});

Code:
function webSocketCall(params,id){
return false;
if ('conn' in window && window.conn.readyState == 1 && 1000 in window.conn.subscriptions){
if (typeof id == "undefined")
id = ++wNonce + usid;
window.conn.send(JSON.stringify({command: "private",channel: 2000,id: id,params: params}));
return true;
} else {
return false;
}
}
hero member
Activity: 729
Merit: 545
October 15, 2016, 10:09:42 AM
#18
Quote
The best you could hope for is that you post a link, someone click it, they have sufficient balance to make a transaction, all this before a mod catches it. The result is that the victim makes a shitty purchase. ...and that's the bug they acknowledged and paid you for. The others are nonsense.

Exactly, that's only a proof of concept. How much people could I get to click on my link ? If I have luck, I fall on someone with 100+ BTC balance, which is not that rare.
But I can also use Open URL Vulnerability, which will set the Referer as poloniex.com and redirect to the GET buying/selling request.
They never paid me neither replied to my ticket reporting this vulnerability.
sr. member
Activity: 458
Merit: 265
October 15, 2016, 10:06:46 AM
#17
Quote
I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

That's the point ! There is no need of valid hash to confirme those actions ! Check yourself !
Here is a capture of the complete request !


The best you could hope for is that you post a link, someone click it, they have sufficient balance to make a transaction, all this before a mod catches it. The result is that the victim makes a shitty purchase. ...and that's the bug they acknowledged and paid you for. The others are nonsense.
hero member
Activity: 729
Merit: 545
October 15, 2016, 09:57:29 AM
#16
Quote
I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.

That's the point ! There is no need of valid hash to confirme those actions ! Check yourself !
Here is a capture of the complete request !

sr. member
Activity: 458
Merit: 265
October 15, 2016, 09:53:39 AM
#15
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.
They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.

Proof of concept links, you wouldn't have had valid hashes.
"..what is your goal from making this information public?"

That's the major problem ! There is no csrf tokens or "valid hashes" that protect those links. You should really read my paper better, or maybe my english was wrong.
My goal is to ring the alarm at the Poloniex team and expect them to have a better protection of there customers funds. This isn't FUD, a simple 4 page PDF will not destroy a big company in 1 day.
I did read it. You fail to mention the need for valid hash to confirm any of those actions. Why? Because it would be less sensational, I guess.
hero member
Activity: 729
Merit: 545
October 15, 2016, 09:47:21 AM
#14
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.
They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.

Proof of concept links, you wouldn't have had valid hashes.
"..what is your goal from making this information public?"

That's the major problem ! There is no csrf tokens or "valid hashes" that protect those links. You should really read my paper better, or maybe my english was wrong.
My goal is to ring the alarm at the Poloniex team and expect them to have a better protection of there customers funds. This isn't FUD, a simple 4 page PDF will not destroy a big company in 1 day.
sr. member
Activity: 458
Merit: 265
October 15, 2016, 09:41:31 AM
#13
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.
They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.

Proof of concept links, you wouldn't have had valid hashes.
"..what is your goal from making this information public?"
hero member
Activity: 729
Merit: 545
October 15, 2016, 09:36:36 AM
#12
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.
They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.

You should really consult security pentester. They will all agree with my arguments.
As a matter of fact, I described a possible attack in my article, which, when I got the trollbox moderator privilege escalation (which wasn't mush of a security risk ? lol ?), I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?

Don't you think I deserved, not a bounty, but maybe something like a ... reply ? "Thanks, we've corrected this bug, rest assure you can trade on Poloniex safety" ? It is the strict minimum.

I do not expect any bounty from poloniex, your theory of the conspiracy sounds a little too much.
sr. member
Activity: 434
Merit: 250
October 15, 2016, 09:31:18 AM
#11
I would actually be very interested to know if Poloniex and other sites ever did actual security auditing.
They would be foolish not to pay for this type of service,
but nothing would surprise me with these exchanges.

I actually asked a question regarding security on these exchanges a week or two ago and got zero replies in the thread lol.
No one cares about security until millions of dollars in coins go missing.
sr. member
Activity: 458
Merit: 265
October 15, 2016, 09:29:35 AM
#10
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong and arguments.
They paid you a bounty for the one bug you found, which wasn't much of a security risk really. The others are not bugs and they are not paying you a bounty for them. That said, what is your goal from making this information public? It's clearly an an attempt to FUD, probably in hopes that Polo will pay you for your "bugs" in the future for fear you will spread more FUD about them.
hero member
Activity: 729
Merit: 545
October 15, 2016, 09:20:18 AM
#9
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.

Could you please tell me where is the nonsense ? Where is the FUD ? Please quote me where I'm wrong in my review and arguments a little more ...
sr. member
Activity: 458
Merit: 265
October 15, 2016, 09:09:52 AM
#8
Well written FUD, none of those are actual vulnerabilities. They probably stopped responding to you because this is complete nonsense.
hero member
Activity: 729
Merit: 545
October 15, 2016, 08:17:44 AM
#7
Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat

I'm waiting reply since 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally having fun of me.
That's why I wanted to share this review to show the irresponsability of their team.

Do you have some proof regarding the above statement, If you can provide that we do need to be more cautions while using poloniex to trade. But how will such a famous site ignore their security vulnerability, Which might cause them to loose members.

Yep we had our lessons from mt gox bitfinex but we will never remember anything after the heat reduces, But as far as bitcoins and altcoins trading we have to rely on some trading platforms online.

I can provide screen, but we cannot really consider it a proof as the source code can be edited to modify data.
I have also some e-mail that I sent to Poloniex.
full member
Activity: 224
Merit: 100
October 15, 2016, 08:14:32 AM
#6
Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat

I'm waiting reply since 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally having fun of me.
That's why I wanted to share this review to show the irresponsability of their team.

Do you have some proof regarding the above statement, If you can provide that we do need to be more cautions while using poloniex to trade. But how will such a famous site ignore their security vulnerability, Which might cause them to loose members.

Yep we had our lessons from mt gox bitfinex but we will never remember anything after the heat reduces, But as far as bitcoins and altcoins trading we have to rely on some trading platforms online.
newbie
Activity: 31
Merit: 0
October 15, 2016, 08:07:02 AM
#6
Hey !

I've been writing a security review for poloniex those last few days.
Sorry for my poor english  Embarrassed
https://www.pdf-archive.com/2016/10/15/poloniex/poloniex.pdf

Nice job you little bitch  Cheesy Cheesy Cheesy
hero member
Activity: 729
Merit: 545
October 15, 2016, 08:05:23 AM
#5
Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat

I'm waiting reply since 27 days.
I've been pushing my ticket via moderator more than 6+ times. They are literally having fun of me.
That's why I wanted to share this review to show the irresponsability of their team.
hero member
Activity: 546
Merit: 500
October 15, 2016, 08:02:45 AM
#4
Yes, but I believe you could take this to busoni, OMK, MICKD, MOBY DICK or someother admin of POLO through their IRC chat
hero member
Activity: 729
Merit: 545
October 15, 2016, 07:57:55 AM
#3
Post it in public, so POLONIEX could get hacked and almost $1 Billion dollar worth of ALTS/BTC get hacked.


GOOD JOB!!!

I didn't release any unfixed Poloniex vulnerability but I think that customers have to know Poloniex is unsecure and do not even reply to people reporting them vulnerability Wink
hero member
Activity: 546
Merit: 500
October 15, 2016, 07:56:32 AM
#2
Post it in public, so POLONIEX could get hacked and almost $1 Billion dollar worth of ALTS/BTC get hacked.


GOOD JOB!!!
hero member
Activity: 729
Merit: 545
October 15, 2016, 07:43:23 AM
#1
Hey !

I've been writing a security review for poloniex those last few days.
Sorry for my poor english  Embarrassed
https://www.pdf-archive.com/2016/10/15/poloniex/poloniex.pdf
Jump to: