Topic: Responsible disclosure

sr. member
Activity: 462
Merit: 250
October 09, 2014, 02:18:18 AM
#15
Private email providing a reasonable period for redressal. After that, go public, but leave the door open for them to provide a clarification of their position.
hero member
Activity: 490
Merit: 500
October 08, 2014, 11:44:27 PM
#14
Why not do a writeup, and send a gentle message to the siteop? You could use anon mail for this.

If the siteop is ignorant, then go public.
member
Activity: 103
Merit: 10
October 08, 2014, 08:43:51 PM
#13
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.


Should someone worry about this?
full member
Activity: 126
Merit: 100
October 06, 2014, 09:42:09 AM
#12
Breaking terms and conditions of Blockchain.info by setting themselves up as a proxy so they don't have to write their own API - this breaks the TOS of Blockchain in 4 different sections. They present this as part of their own API to their own clients. Certainly there is no mention or credit to Blockchain.info
Maybe they are in partnership or working together as separate companies and have permission to do this.

I agree with you that there are more companies that would like to join you!
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
October 06, 2014, 09:14:06 AM
#11
In case of security vulnerabilities, like SQL injections, public disclosure should be your last option. You don't want it to be abused and an attacker stealing funds of innocent users of that site because of your disclosure.

IMO you should contact the owner of that site and disclose it to them privately first. If they don't fix it or change it, you could consider public disclosure, and in this case perhaps Blockchain.info first.
hero member
Activity: 1008
Merit: 502
October 06, 2014, 09:10:09 AM
#10
If you didn't already do it, the first thing you should have done was contact Blockchain.info and release all the information to them. The next thing after that is to take care of it as best you can. Get ahold of the right people and email them with the legalities, and let them know that what they are doing is in fact wrong and possibly illegal. Depending on where they are depends on whether certain laws will stretch all the way to them. Just because you have something copyrighted in the USA does not mean you cannot copy it and sell it in Africa, where US laws have no jurisdiction. It's a crazy situation that sometimes ends up just wasting time for everyone, as nothing legal could ever be done.

FYI, I am not sure why you don't name them, but to be honest I don't care; it's up to you. I think I like it better the way you did it, to not attract any unnecessary attention to them, because people like that only want attention anyway.
legendary
Activity: 3598
Merit: 2386
Viva Ut Vivas
October 06, 2014, 09:05:29 AM
#9
I use blockchain.info to get the balance for Bitcoin addresses for my site. I never knew they required some sort of credit. I have problem doing so, just never saw anything like that.
sr. member
Activity: 364
Merit: 250
I'm really quite sane!
October 06, 2014, 08:59:29 AM
#8
...
I am thinking of just writing a report on my findings and publishing it publicly for all. Bitcoin should be about ethics, should be about security. These guys take ethics and security as a joke, I don't want them or people like them in the Bitcoin community. Every hack against a Bitcoin site, every fail is a fail for Bitcoin.
...

Agreed. Compose your full disclosure, that's my advice. It sounds to me like they're risking other people's money.
member
Activity: 116
Merit: 10
★☆★ dont let others hurt your sk
October 06, 2014, 08:48:58 AM
#7
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.


I really hope that it will not stay like that.
donator
Activity: 1464
Merit: 1047
I outlived my lifetime membership:)
October 05, 2014, 04:19:49 PM
#6
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.

No it's not a block explorer site.  It is a commercial site offering commercial Bitcoin services and earning money off of the back of sloppy programming, bad security and the great work of blockchain.info. If it was a block explorer site I wouldn't care - it would be like being worried about security vulnerabilities/ethics in a forum or obscure website for some club or whatever.

This is a site with huge press in their market, a site that apparently is one of the leaders in the market. This is why I am concerned: people's Bitcoins are at stake, and the reputation of Bitcoin in this area is open to being damaged due to this.

Out with it, man. If you're not disclosing a specific security flaw that others could use to steal funds, there's no reason not to tip your hand. Most are too busy to reply to "specific content"-free posts.
newbie
Activity: 8
Merit: 0
October 05, 2014, 02:57:19 PM
#5
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.

No it's not a block explorer site.  It is a commercial site offering commercial Bitcoin services and earning money off of the back of sloppy programming, bad security and the great work of blockchain.info. If it was a block explorer site I wouldn't care - it would be like being worried about security vulnerabilities/ethics in a forum or obscure website for some club or whatever.

This is a site with huge press in their market, a site that apparently is one of the leaders in the market. This is why I am concerned: people's Bitcoins are at stake, and the reputation of Bitcoin in this area is open to being damaged due to this.
legendary
Activity: 1652
Merit: 1016
October 05, 2014, 02:52:48 PM
#4
Well it must be another block explorer site like blockchain.info then I'm guessing. There's only a few.
newbie
Activity: 8
Merit: 0
October 05, 2014, 02:50:12 PM
#3
Maybe they are in partnership or working together as separate companies and have permission to do this.
I did think about this. But if you could see how it works, it is very, very doubtful. If you visit a certain page of their site, it is basically the root page of blockchain.info. That is to say, you can access any page, image or other content from blockchain.info by changing the sub-path. Everything is presented as text, so whilst the images are proxied, they display in your browser as text because the MIME type is still HTML. This is the worst possible way to link to another site or use another site's data. If you were going to sneakily use blockchain.info, you would wrap your own API functions to properly call theirs. Everything about their publicly available code screams shortcuts and quick fixes. If they were in partnership with blockchain.info, they would be doing things properly. Right now they are open to a DNS attack at their webhost pointing blockchain.info to an attacker's server, which would feed all of their clients' wallet data to the attacker's server.

For confirmation, if anybody from blockchain.info wants to get in touch, I am happy to discuss it.
legendary
Activity: 1652
Merit: 1016
October 05, 2014, 02:37:17 PM
#2
Breaking terms and conditions of Blockchain.info by setting themselves up as a proxy so they don't have to write their own API - this breaks the TOS of Blockchain in 4 different sections. They present this as part of their own API to their own clients. Certainly there is no mention or credit to Blockchain.info
Maybe they are in partnership or working together as separate companies and have permission to do this.
newbie
Activity: 8
Merit: 0
October 05, 2014, 02:34:10 PM
#1
Hi,

I have found a commercial website that deals with Bitcoin engaging in very unethical practices:

Breaking terms and conditions of Blockchain.info by setting themselves up as a proxy so they don't have to write their own API - this breaks the TOS of Blockchain in 4 different sections. They present this as part of their own API to their own clients. Certainly there is no mention or credit to Blockchain.info

Also there are many security concerns, such as math.Random() being used for cryptography and SQL injection possibilities in the API they provide to clients.

Now normally I would approach the CEO or a head of such a company, or if it was a traditional financial institution I could approach the financial regulators and authorities. Maybe this is the work of a rogue programmer, someone non-ethical and who doesn't understand security. But the problem I have is that the CEO is the programmer, thus this is the ethos of the company under his leadership - take shortcuts, and screw security. This is a company with over half a million dollars of funding.

I am thinking of just writing a report on my findings and publishing it publicly for all. Bitcoin should be about ethics, should be about security. These guys take ethics and security as a joke, I don't want them or people like them in the Bitcoin community. Every hack against a Bitcoin site, every fail is a fail for Bitcoin.

What do you guys think I should do? No I will not name the company, not unless I release the report.