Jokie Smurf
by on April 12, 2016
I have been performing security audits and scans of various currency exchanges, forums and websites, all crypto related. Many of these websites and exchanges make bold claims about how secure they are and how "unhackable" they are. I will be providing proof as to whether any such claims are valid, or just hot air. I will definitively prove that a given exchange or forum is secure and trustworthy, or full of shit. I am sorting through all of my archives and I will be posting them here. All of the results were obtained with professional-grade software and cross-referenced with the Swiss Army knife known as robtex.

First I am going to provide the surface scans of bitcointalk.org, also commonly referred to as "shitcointalk", and for good reason. Besides the fact that it is a haven for scams and trolls, the security is poor. Some of the results you will see may be flagged as low-level alerts, but in the hands of a professional, or even a moderately skilled individual, these low-level alerts can be exploited and used to take total control of the website, including, but not limited to, taking over admin accounts, deleting accounts, changing themes or doing other things. They use Simple Machines Forum, which is free software and not very secure. It does have a few packages that could increase the security, but they did not use them.

Here is a screen capture of the initial scan being performed. Attached is the PDF printout of the results of the surface scan. More in-depth scanning can be provided but really is not necessary. Just the vulnerabilities discovered and depicted here are enough to cause serious, if not irreparable, damage to the website.

Edit: I have to shrink the zip file so it meets the 1.95 MB maximum file size.

Edit: I used a file upload service to host the PDF file. I could not shrink it to 1.95 MB. Here is the link to the PDF containing surface scan data.
http://www.filehosting.org/file/details/561050/shitcointalk.pdf

Here is a snippet of code for the yobit chatbox. As you will see, the users' text right out of chat gets displayed in the view-source function of your browser. Not only is the full source displayed and unprotected, but key points are easily identifiable. I will not identify things for you, but anyone with a small bit of skill should be able to point out the necessary things needed to use clickjacking and other exploits.
Chat

pugilist555 L1: lets take it to the moon

crazyduck L1: DES maybe

do3amyasa: INC?\

do3amyasahttps://yobit.net/en/trade/DRA/BTC

tutu23 L1: do3amyasa, inco go up

crazyduck L1: SPEX going to 1 sat

do3amyasa: Buy DRA

crazyduck L1: oh it already is there

alilou20 L1: i m new i this, is it possible to buy 5 bitcoin in DRA now?

crazyduck L1: ADZ is dead lol

alilou20 L1: or depends on volume of selling??

tuliorg L0: go go go dra!

crazyduck L1: alilou20, doesnt look like 5 BTC of DRA available

jose22 L0: bitcointalk serch and vote for DBIC at bittrex..

do3amyasa: Buy DRA! only rise

crazyduck L1: I like the biy order on 10 sats

alilou20 L1: so depends on volume available

materazi L1: DRACO

abdi123 L0: dra go go

do3amyasa: DRA see order book. We can pump DRA!

baixandolink L1: DRA to 10k

inc2272016 L5: 800k INC lot for 3 BTC. PM

do3amyasa: DRA see order book. We can pump DRA!

abdi123 L0: buy dra

Chikotamtama: inc2272016, put to sell order dude

crazyduck L1: Chikotamtama, hes lying I bet

wanka35: TRUMP was DUMPED...DBIC WON

orlofff L1: TRUMP2016

WhiteZer0 L1: wanka35, you are annoying as fuck, everyone can see the facts on the charts, dbic is not moving

WhiteZer0 L1: stop fuding

anagamidev: Wow, debic return to 2000 :)

anagamidev: Nice

akaiapc40: Unfed exploded hard today :D

tutu23 L1: buy now dra

Rooxyzin L1: mystic pump extreme o/

do3amyasa: DRA see order book. We can pump DRA!

eduardopjl L1: go go go xdb

anagamidev: Rooxyzin, when?

Rooxyzin L1: anagamidev, now

mahmood215 L0: des now or cry tomorow

hashmaster: 996RSmaker is a scammer do not trust him

tutu23 L1: dra go go go

cyberjnky L1: XDB pumping

eduardopjl L1: xdb go go go

do3amyasa: DRA nice

Rooxyzin L1: Best coin for trading now,TRUMP and MYSTIC other is BAD

tutu23 L1: dra very good buy now

mahmood215 L0: no

mahmood215 L0: des very good coin and trump

do3amyasa: go DRA
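The chatbox text above is user-supplied input that lands directly in the page markup. As an added example (not code from the post or from yobit), the Python below parses lines of the same "user L<level>: text" shape, HTML-escapes every field before rendering, flags messages that carry tag or attribute syntax so they can be logged, and checks a response-header set for the clickjacking defences the post alludes to; the sample lines and header dictionaries are constructed.

```python
import html
import re

# Constructed sample lines in the "user L<level>: text" shape of the chat
# snippet quoted on the page; the last two are constructed hostile messages.
CHAT_LINES = [
    "crazyduck L1: DES maybe",
    "do3amyasa: Buy DRA! only rise",
    "inc2272016 L5: 800k INC lot for 3 BTC. PM",
    "badactor L0: <img src=x onerror=alert(1)>",
    'badactor L0: " onmouseover="alert(1)',
]

LINE_RE = re.compile(r"^(?P<user>\S+?)(?: L(?P<level>\d+))?: (?P<text>.*)$")
MARKUP_RE = re.compile(r"[<>\"']|\bon\w+\s*=", re.IGNORECASE)

def parse_chat_line(line):
    """Split one chat line into user, optional level and message text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    level = m.group("level")
    return {"user": m.group("user"),
            "level": int(level) if level is not None else None,
            "text": m.group("text")}

def render_message(msg):
    """HTML-escape every untrusted field before it goes into the page, so a
    message cannot add tags or attributes to the markup the browser sees."""
    user = html.escape(msg["user"], quote=True)
    text = html.escape(msg["text"], quote=True)
    level = "" if msg["level"] is None else f' data-level="{msg["level"]}"'
    return f'<div class="msg"{level}><b>{user}</b>: {text}</div>'

def flag_markup(lines):
    """Detection side: list (user, text) for messages carrying HTML or
    attribute syntax, i.e. attempts to inject markup into the chatbox."""
    out = []
    for line in lines:
        m = parse_chat_line(line)
        if m and MARKUP_RE.search(m["text"]):
            out.append((m["user"], m["text"]))
    return out

def has_frame_protection(headers):
    """True if the response forbids framing via X-Frame-Options or a CSP
    frame-ancestors directive (the standard clickjacking defences)."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    return xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp
```

Rendering through `render_message` is what keeps a message such as the constructed `<img ...>` line inert in view-source; `flag_markup` is the monitoring hook for spotting such attempts in the chat log.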

This is just the chatbox alone. I will upload the scan I performed of yobit as soon as I have uploaded it and have a download link available. Yobit is a hot mess of vulnerabilities, poor coding and scammer bullshit.

I've been looking into some of the new security threats and also some old ones still being used. Many crypto-related websites are vulnerable to many new attacks, as well as old ones. This is unacceptable. Anyone who runs a website or web service needs to keep up with the latest threats and how to prevent them. They also need to check their servers and make sure that they are protected from old threats as well. New Qt5 wallets have XSS in them. XSS is cross-site scripting. This is a serious vulnerability. There are wallets that still use the very vulnerable IRC "nodes".

I have been checking up on exchanges and looking to see if they have made any improvements to their security. Sadly, most have not. A small number have made changes but rendered some of their security ineffective by sacrificing security for speed. I understand that people want faster websites, faster transactions and bells and whistles. All of this can be had, but never at the cost of security.
Posted in: Technology