Author

Topic: WARNING TO ALL CRYPTOSTOCKS INVESTORS!! SECURITY ISSUE (Read 1080 times)

420
hero member
Activity: 756
Merit: 500
My account was compromised and stolen funds on March 15th; doesn't look like they got into my email;

shows a password reset email same day; then stocks sold and funds withdrawn.
hero member
Activity: 700
Merit: 500
Daily Bitcoins for your Paypal/Skrill
For tl;dr crowd, what he's saying is this:

2FA was turned on, and the following occurred, bypassing 2FA completely.

  • Someone gained unauthorized access to an email address associated with a cryptostock account.
  • They then requested a password reset, which sent a link to the email address.
  • The link then allowed the password to be reset, and opened access to the cryptostock account.

To the Op - no, they are running a MtGox shop. Resetting your password should have required completion of the 2FA chain.

I have said repeatedly, and will continue to say so. If you want to invest your money, put it in something real. Cryptostocks are nothing more than Venture Capital disguised as stocks. I have yet to see one worth more than a roll of toilet paper in the hands of a charismatic salesperson.

Checkout DiamondCircle    -  I think they are good but cryptostocks can kiss my ass.  How in the hell they let a password reset, disabled 2FA, stock price reduction of 10000% followed by an immediate withdrawal of btc to a wallet is beyond me
member
Activity: 70
Merit: 10
Writer $0.10/word +
For tl;dr crowd, what he's saying is this:

2FA was turned on, and the following occurred, bypassing 2FA completely.

  • Someone gained unauthorized access to an email address associated with a cryptostock account.
  • They then requested a password reset, which sent a link to the email address.
  • The link then allowed the password to be reset, and opened access to the cryptostock account.

To the Op - no, they are running a MtGox shop. Resetting your password should have required completion of the 2FA chain.

I have said repeatedly, and will continue to say so. If you want to invest your money, put it in something real. Cryptostocks are nothing more than Venture Capital disguised as stocks. I have yet to see one worth more than a roll of toilet paper in the hands of a charismatic salesperson.
hero member
Activity: 700
Merit: 500
Daily Bitcoins for your Paypal/Skrill

THIS IS SERIOUS

If you have stocks at cryptostocks, please read.

Long story short: Our companies stock was sold at pennies and we realized that someone gained access to the CEO account, lowered the price and sold all our remaining stock for pennies and cashed out about 1 bitcoin.  We could not figure out how they gained access but I just tested it and it is, in my opinion a very serious flaw yet I just got the answer from cryptostocks.com and they say it is not a flaw....  (see email below)

If someone has access to your email, despite you having 2fA set-up, they can click lost password, and then a new password link will be sent, when you click that link and make a new password, it logs you in and overrides or disables your 2FA!!!!

To me, this is an issue as our CEO felt safe since he had 2fA on but someone got into his email and that's all they needed.  SECURE YOUR EMAIL WITH LONG PASSWORDS IMMEDIATELY

I emailed cryptostocks for 2 days trying to get a response about this....  first email I got was the following:

Dear user, we are have quite a backlog of emails to answer and thus please bear
with us, we will surely come back to you but this might take a few days. We hope
to have completed the backlog by latest Monday next week.


Finally the addressed my concern by saying this....

Dear user, assuming that you have protected your email account (e.g. with 2FA) then this is not a flaw, you can only reset the password if you have access to the email account.

It is the same process as when you request 2FA reset (currently being implemented). We have to contact you somehow and that is by email, hence an email is send and if you click the link the 2FA will be disabled. Therefore it does not make sense to have a different approach for email resets.

==================================
Best regards
Your Cryptostocks Team


To me, there is no reason why if you click reset password, that it should not force you to re-sign in using 2FA?Huh

Anyone?
Jump to: