Article published on www.cryptocoinsnews.com ---Cryptocurrency Exchange Poloniex is Insecure, Security Review Claims

[RDS]

It sounds scary that Poloniex exchange may have lenient security as per this article... what do you guys think. I hope this is wrong because i got account with them as well and any issue with them will impact reputation of Ripple as well.  

https://www.cryptocoinsnews.com/cryptocurrency-exchange-poloniex-insecure-security-review-claims/

 

[RDS]

 

I really hope this article is wrong but thought to share with you as I am not tech expert but it may make sense to some of you, And xrp chat members  are like family so if one sees something that can help protecting others he should share it...

As per - 

Poloniex, the biggest altcoin exchange with daily volume in tens of thousands, if not hundreds of thousands btc, is insecure according to an anonymous “really light testing” security review.

Xavier59, whose StackExchange profile states “[a]pparently, this user prefers to keep an air of mystery about them,” publicly released three vulnerabilities after claiming Poloniex failed to reply to his emails informing them of security bugs more than a month ago.

The vulnerabilities, according to Xavier59, indicate incompetence and potential risks. The most prominent seems to be using Get (which is mainly employed for public information) instead of Post (mainly used for private info) for cryptocurrency transactions. Xavier59 states:

“It is a terrible bad practice that any person involved in security would scream while discovering it.”

Poloniex apparently does not use what type of data the code is feeding – that is numbers, letters, etc – which “could cause unexpected behavior” and “is representative of bad security policy.” Moreover, the source code is visible to an attacker, making it is easier to find vulnerabilities, according to Xavier59, which would allow an attacker to gain moderator privileges in the infamous troll box thus sharing potentially malware infested links from a position of apparent authority.

Edited October 28, 2016 by tomxcs
Do not post full articles

[Rchopra]

Luckiliy i am with kraken...but not sure how credible is this report....

[xrpwizard]

It goes without saying don't keep your coins on an exchange for any longer than absolutely necessary. Several years worth of hacks and incompetence on other exchanges should be a good indication that your money is only ever safe in cold wallets.

[Guest]

8 hours ago, RDS said:

“Poloniex is using PHP + nginx for their server. Nginx is multithreaded it means it can perform many request at the same time, if the 2 withdrawals request are being performed in 2 different threads at the same time both of them will be validated because the first thread didn’t update the number of bitcoins from one user in the database for the withdraw that the second thread already picked the number of bitcoins available from it.”

This is such complete utter nonsense that you can't take the rest of this "review" serious.

[RDS]

17 minutes ago, lucky said:

This is such complete utter nonsense that you can't take the rest of this "review" serious.

Hope you are right bro  as none of us wants Ripple to be attached with any bad news. To be honest I am no geek and that is why clarified in previous comments that  i dont understand any of techical part. This news was posted to share the info that I found. 

[Guest]

Just now, RDS said:

Hope you are right bro  as none of us wants Ripple to be attached with any bad news. To be honest I am no geek and that is why clarified in previous comments that  i dont understand any of techical part. This news was posted to share the info that I found. 

sure, good that you posted! just saying that it contains a claim that's complete bollocks. certainly you should not use any exchange as a form of long term storage., but always assume they can go up in smoke any day.

[RDS]

1 minute ago, lucky said:

sure, good that you posted! just saying that it contains a claim that's complete bollocks. certainly you should not use any exchange as a form of long term storage., but always assume they can go up in smoke any day.

Do you think Gatehub is any safer..? if xrps are in Ripple wallet...?

[Guest]

22 minutes ago, RDS said:

Do you think Gatehub is any safer..? if xrps are in Ripple wallet...?

A bit safer at least, yes. At Poloniex your funds are recorded as IOU's on their private ledger (database). If that ledger gets compromised, you'll have a big problem. If the underlying asset of the IOU goes missing, you also have a big problem.  With Gatehub, your XRP funds are recorded on a distributed ledger (RCL), and not as IOU but as a native asset. Still, with Gatehub there is the risk that an attacker had entered their server undetected, lurks, and collects and siphons keys that are transmitted. But then again, even if you are using a cold wallet, there is the risk that your own computer is compromised, that you misunderstand the cold wallet creation process, or that the pieces of paper that you've printed the secret key on get missing, destroyed or stolen. Or that you die and your heirs don't know where that piece of paper is, or, when found: what that code means.

I like the trezor hardware wallet for bitcoin, would be nice to have such hardware wallet for XRP. I'm sure that's just a matter of time...

Edited October 16, 2016 by Guest

[RDS]

Thanks for the info. What is Trezor wallet and how is it safer in layman terms..?

[tulo]

I don't think this is true.

I have to say that I'm using their API and they are very badly coded and doesn't work very well, BUT if there were such big flaws, some cracker would have already hacked it to steal the MILLIONS of $ worth crypto.

 

PS: then the article asks why there is not a decentralized crypto exchange. But that would be even less safe than a centralized one. Imagine to have the same security issues plus you are in a decentralized context. Imagine doing it in Ethereum...DAO vs 2.0....small coding errors and everybody is screwed.

Edited October 16, 2016 by tulo

[RafOlP]

The Ripple Consensus Ledger is a decentralized exchange. What we still don't have is a decentralized bridge - a custodian that performs conversions on demand.

[tulo]

11 minutes ago, RafOlP said:

The Ripple Consensus Ledger is a decentralized exchange. What we still don't have is a decentralized bridge - a custodian that performs conversions on demand.

Actually we were discussing this, but I don't remember with who.

We would need an automatic gateway (also not decentralized) that takes any crypto and issue IOUs on Ripple. What peercover was when it was alive. And this could also become shapeshift v2.0, where instead of sending crypto and having the IOU on Ripple, an user can ask for direct trading such that the gateway automatically takes an offer on Ripple on its own IOUs and converts crypto2crypto. Anyone?

Advantages:

• Most of the coding for exchange is already done in Ripple and lots of API
• In the future ILP enabled that means withdrawal (maybe) directly to some banks
• More volume on Ripple

Edited October 16, 2016 by tulo

[RafOlP]

7 minutes ago, tulo said:

Actually we were discussing this, but I don't remember with who.

We would need an automatic gateway (also not decentralized) that takes any crypto and issue IOUs on Ripple. What peercover was when it was alive. And this could also become shapeshift v2.0, where instead of sending crypto and having the IOU on Ripple, an user can ask for direct trading such that the gateway automatically takes an offer on Ripple on its own IOUs and converts crypto2crypto. Anyone?

I think it is on us - Rippex - and Gatehub fifth right?

I know Rippex has been quite silent and ripple inc has made a lot of pivots, but things are clear now and we are taking the steps to help people use and enjoy the RCL.

[tulo]

7 minutes ago, RafOlP said:

I think it is on us - Rippex - and Gatehub fifth right?

No, they are not completely automatic exchanges and they don't accept "all" the cryptocurrecies. Peercover was the only one close to that.