Saturday, 12 August 2017


Now this could get VERY interesting, very quickly, indeed.

Does POLONIEX (one of THE largest, if not THE largest ALTCOINS exchanges on earth, have an exploitable EXPLOIT right now, allowing a black-hat hacker to RUN OFF WITH ALL YOUR POLO FUNDS, even if you do have 2FA switched on!!!!!!!!!!!!!!!!! 

Updates, at the bottom of this page!

Time to get yourself a SECURE place for your BITCOINS and DIGITAL ASSETS, right NOW :)

Get Rich with Crypto-Currencies!

Stick around for more, more MOAR crypto-assets, digital currencies and crypto-funds news coverage:

Get Rich with Crypto-Currencies!

And that's .... 

UPDATE 1: 22.30 hours BST

We ARE now getting a WOBBLY site from polo ... Namely the list of assets/currencies favoring function, no longer seems to work correctly! :(

UPDATE 2: 16th August 2017

"EDIT2: Vulnerability has been sold. After receiving a couple of messages from other bug reporters who were told they wouldn't receive any bounty since they "used" the exploit to prove it existed, and that I would therefore be at risk to be sued like they were, I decided to instead sell the exploit.

I won't be logging into this account again in the future. 20% of the proceeds will be donated to online open-source projects. 75% will be donated to a charity that accepts bitcoin. Remaining 5% will be pocketed.
Poloniex is no longer safe. Change your passwords. Bye.

I found an active exploit on Poloniex's website. I managed to withdraw cryptocurrencies from an account without having access to the 2FA device, both for login and for withdrawal confirmation. I withdrew from an account that I picked, having access to the password from a leaked database.
Poloniex's security is also so lacking that they haven't stopped crawlers from opening their authentication pages, meaning that my target unknowingly confirmed the outgoing transaction by simply opening the email on a client that crawls links.
You read that right: if like my target, you open your emails in a client that provides those "preview" images, you've confirmed your outgoing transaction by opening the email. Or anything else that requests confirmations.
Luckily for my target, I only withdrew his money into his own deposit address.
A company you trust with your money, and they can't even setup a robots.txt file, or implement proper 2FA. Go ahead, try it out.
Since their support takes over 60 days to respond to my tickets, I'm guessing they have no interest in fixing it, and that it is intentional. Having done previous bug-bounties, the 60 days since the date the bug was reported or, in this case, attempted to be reported, are now over, and I have no qualms about publicly disclosing it.
Anyone interested in exploiting this, feel free to contact me; let me know what you plan on doing. Poloniex doesn't give a shit about its security, and I advise anyone reading this to withdraw their funds ASAP.
If you can't withdraw your funds because you lost your 2FA, also feel free to contact me, I can probably help you out.
If you're from Poloniex, you really shouldn't take 60 days to answer tickets if you want to be treated like a financial institution.

EDIT1: Do not send me any login information. Do not send me anything that connects you to your account. I do not want it. I won't help you if you do. I'm here to raise awareness, and perhaps get Poloniex to finally fix a major vulnerability after 60+ days of attempting to report it"



Further Information - offsite

Latest Breaking Top Stories -->>

No comments :

Post a comment

Only members (obviously) can comment; no moderation; direct to page.

Note: only a member of this blog may post a comment.