A critical look at GateHub security


nonce

I have some Ripples from the "Computing for good" era and I was thinking of opening an account at GateHub to buy some more.


However, I have some reservations. I did "due diligence" and I want to share some of my findings with the community.

Although some of these findings are general, I think they can give some hints about the security of the wallet.

GH = GateHub


1) The address on the GH website is incorrect. Instead of

Suite 44 88-90 Hatton Garden
London
United Kingdom
EC1N 8PN

it should be

Suite 48 88-90 Hatton Garden, London, EC1N 8PN

(Suite 48 instead of 44).

Why did they publish an incorrect address?

2) There are almost 200 other companies registered at Suite 48 88-90 Hatton Garden.

Source: companieshouse.gov.uk

Does GH have a real office in London? Last time I checked they didn't even have a sign in front of their building.

It looks like their only real office is in Ljubljana, Slovenia.

3) They had only one funding round and they raised only 10.000 GBP (???). This is less than the monthly salary of a competent Silicon Valley developer.

Chris Larsen invested only 250 GBP (not sure I'm reading it right)? What's the point of his involvement?

Source: companieshouse.gov.uk

4) After one year they are still looking for developers? How many people did they hire in the meanwhile? One (@mazi)?

https://gatehub.net/careers

https://www.linkedin.com/pulse/work-gatehub-gregor-gololicic?articleId=6095235559196753920#comments-6095235559196753920&trk=prof-post

5) One of the reasons for this could be their salaries, which are not competitive. Salaries of their developers (source: someone from Slovenia) are probably less than 50k EUR annually. For comparison: salaries for senior-level developers at IBM Slovenia are in the range from 65k to 80k EUR (source: glassdoor or ajpes.si).

6) Mr Gregor Gololicic is GH CTO. He wrote the following text on his LinkedIn profile regarding his education: "University of Ljubljana, Faculty of Computer and Information Science 2012 – 2015"

However, his undergraduate thesis doesn't exist in the following public databases:

http://www.fri.uni-lj.si/si/izobrazevanje/diplome_in_disertacije/arhiv_diplomske_naloge/#
http://www.fri.uni-lj.si/si/izobrazevanje/diplome_in_disertacije/arhiv_magistrske_naloge/#
http://www.cobiss.si/cobiss_eng.html
http://scholar.google.com

Has Mr Gololicic graduated or not? Has he even passed a course that covers cryptography? Has he passed a course that covers elliptic curves over finite fields? It looks like these topics are maybe not even included in the curriculum of his undergraduate programme.

7) On his LinkedIn profile Mr Gololicic states: "Winner of national competition in web development
Zotks March 2012"

https://si.linkedin.com/in/gololicic

I'm not sure what is "Zotks".

Mr Gololicic competed in 2012 in this Slovenian national (probably state-sponsored) computer competition:

http://rtk.ijs.si/2012/rezultati.html

He competed in category "programming" (my translation) and not in the category "Development of web applications" (according to Google Translate). He was second-to-last and got only 4 points out of 500.

8) Mr Luka Pusic is GH "security expert". According to his LinkedIn profile he is still studying and he plans to graduate in 2017:
"University of Ljubljana, Faculty of Computer and Information Science 2012 – 2017".

So their main security expert is still a student?

https://si.linkedin.com/in/lukapusic

9) Mr Pusic probably didn't compete at national level at all.

10) GH can maybe decrypt secret keys if they want to. They maybe also store passwords in plaintext in their log files. And maybe these log files (CloudFlare) are not even stored in the European Union. Can someone impartial verify these claims?

11) CEO Mr Pungercar is personally involved in resolving support tickets. He is the CEO and he should delegate these tasks to other people. Support is sometimes unresponsive.

12) Why didn't GH register with the UK Information Commissioner last year? Or did they?

13) They probably don't have any liability insurance.

14) What is their incentive to put security of the wallet high on their priority list? They're not making a lot of money with it. It also looks like the wallet is their secondary/side project. They're also developing some other stuff at the same time.

Why should I trust GateHub? Why do you trust GateHub?

While I appreciate your background check, I want to add that you can't expect a permanent office in London. Hell, we can't even expect that those people work full time on Gatehub. The thing is, volume on RCL is terribly low. I think the fees earned by Gatehub are ridiculously small. Maybe a few thousand per month? I think the fees maybe cover server costs and that's it. After Rippletrade had to close, I think that Gatehub was a coordinated effort to offer at least one Gateway with wallet functions where non-tech-savvy people can move their funds to. I strongly think Gatehub was not founded because of economic incentives but to cover the minimal functionalities. As soon as the RCL gains more traction, Gatehub is in a good position to profit and gain big market shares though. They have to play the long game.

I think our friends at Gatehub do all they can with the very limited amount of resources they have, and we should be glad that someone was willing to fill the vacuum after the shutdown of Rippletrade. As you can see with Bitfinex, even the big players act very sloppy and irresponsible. Given the resources GH has, they do a very good job IMO.

Concerning security, the most important part is to keep the majority of your funds in cold storage anyway.

4 hours ago, nonce said:

their main security expert is still a student?

Anyone creating an API in which a password reset is submitted in the URL, instead of in POST data, is NOT, I repeat, NOT a security expert. He did not even read web programming for dummies, let alone a book about web security. Reading that fact alone has led me to decide to only log onto that platform just ONE more time, to transfer my funds to a paper wallet.

Gatehub is a time bomb.

Shame on Ripple for forwarding their Rippletrade clients to such a shabby underfunded business. If this goes wrong they will pay a high price for that.

19 minutes ago, Pucguy37 said:

If you're not satisfied, simply go to the other Gateways.

Oh, sure, like there is a ton of choice we have.

22 minutes ago, lucky said:

password reset is submitted in url, instead of POST

May I ask what exactly you mean by "password reset"? Do you mean the token or the id URL parameter that are part of the password reset URL you receive in the email?

1 hour ago, lucky said:

Anyone creating an API in which a password reset is submitted in the URL, instead of in POST data, is NOT, I repeat, NOT a security expert. He did not even read web programming for dummies, let alone a book about web security. Reading that fact alone has led me to decide to only log onto that platform just ONE more time, to transfer my funds to a paper wallet.

Gatehub is a time bomb.

Shame on Ripple for forwarding their Rippletrade clients to such a shabby underfunded business. If this goes wrong they will pay a high price for that.

Oh, sure, like there is a ton of choice we have.

This is concerning for me, especially as I don't understand all the technicals. I am considering withdrawing funds from Gatehub to some kind of cold wallet solution; do you think the risk warrants that?

1 hour ago, benf86 said:

May I ask what exactly you mean by "password reset"? Do you mean the token or the id URL parameter that are part of the password reset URL you receive in the email?

I think it refers to http://www.xrpchat.com/topic/1811-what-data-gatehub-stores-in-its-logs/#comment-16432 .

A URL over https, by the way, is encrypted, as is the POST. So AFAIK it is not visible to others than yourself and Gatehub. It is then the question whether Gatehub logs the URL entries or not. If they log all URL entries, then that means that they also log the password from a password reset.

2 hours ago, lucky said:

Anyone creating an API in which password reset is submitted in url, instead of POST data, is NOT, I repeat, NOT a security expert. He did not even read a web programming for dummies, let alone a book about web security. Reading that fact alone, has lead me to decide to only log onto that platform just ONE more time, to transfer my funds to a paper wallet.

@lucky, we DO NOT submit passwords via GET requests anywhere on our site.

We take security very seriously and it helps absolutely no one to write false information about our platform. If you have a valid security concern we invite you to disclose it responsibly on our Whitehat page: https://gatehub.net/whitehat

33 minutes ago, jn_r said:

Thanks for linking this @jn_r. We'll answer it as soon as possible.

14 minutes ago, enej said:

we DO NOT submit passwords via GET requests anywhere on our site

I did not say you do. I did not use the word "GET" on purpose, because from @T8493's post I could not conclude what method was used, and I am not going to find out myself by resetting my password and exposing myself to risks. GET or POST is irrelevant if sensitive data is embedded in the URL of the request instead of the POST data, which is what @T8493 stated. Your reply just makes me even more worried that you do not understand what we're talking about. I am curious about your reply on the multiple very valid issues that are being raised, including the other claims of @nonce. Since you now have obviously read them, unless refuted, I'll assume that they are true and that you are making false claims about the education of your team.

Hi @nonce,

Let me try and answer some of the questions. I apologise in advance if for any reason I won't be able to address everything.

You wrote you earned some XRP by participating in "Computing for good". I did too. All of my hard-earned XRP are being given away to all new users of GateHub. At the time I was working for Bitstamp, where I also had the pleasure to meet Gregor (our CTO) and Luka (our security expert). Having worked on many different projects with many different teams, I can only say they are two of the best minds in the business.

Without them (and without full support and guidance from our early investors: Nejc Kodric - CEO Bitstamp, Chris Larsen - CEO Ripple and Greg Kidd - Global iD) we would never think of starting a complex business such as GateHub.

Questions:

Q: The address on the GH website is incorrect. Why did they publish an incorrect address?
A: If this is true then it's nothing more than a typo. We'll double check and correct it if needed.

Q: Does GH have real office in London?
A: We do not. Most of the team is currently located in Ljubljana, Slovenia.

Q: They had only one funding round and they raised only 10.000 GBP (???).
A: Total funding is undisclosed.

Q: After one year they are still looking for developers?
A: Yes - we look for talented developers all the time.

Q: CEO Mr Pungercar is personally involved in resolving support tickets. He is CEO and he should delegate these tasks to other people.
A: If I can help improve responsiveness of our busy support for only one person I am happy to do it every time. Even if I spend my spare time doing so.

Q: What is their incentive to put security of the wallet high on their priority list? They're not making a lot of money with it. It also looks like wallet is their secondary/side project. They're also developing some other stuff at the same time.
A: We are developing a lot of things but Wallet is the most important one as it brings innovation to end-users. The more useful the Wallet becomes, the more money our gateways can earn/save - so it is very high on our priority list.

Q: 6-8
A: We hire the best for the job and will continue to do so.

2 minutes ago, enej said:

Q: They had only one funding round and they raised only 10.000 GBP (???).
A: Total funding is undisclosed.

Is it really possible not to disclose funding under UK law?

Run this command in the browser console and you will get every detail of your account. It is very critical for GateHub security.

Never ever store this in session storage or local storage. You can find the master key, PGP private keys, and so on. Hell of a lot of information, I can say.

sessionStorage.getItem('ngStorage-user');

@enej You can credit me at my wallet for the white hat bounty.

rKzm4qyQgzXvu3skcyBuq6VzobWA1CEbdz

Just now, winthan said:

Run this command in the browser console and you will get every detail of your account. It is very critical for GateHub security.

Never ever store this in session storage or local storage. You can find the master key, PGP private keys, and so on. Hell of a lot of information, I can say.

The stored master key is most likely encrypted. I'm not sure where you see (unencrypted?) PGP private keys. Are you referring to property "document_key_encrypted_gatehub"?
