Article published on www.cryptocoinsnews.com ---Cryptocurrency Exchange Poloniex is Insecure, Security Review Claims


RDS


I really hope this article is wrong, but I thought to share it with you. I am not a tech expert, but it may make sense to some of you, and XRP Chat members are like family, so if one sees something that can help protect others, he should share it...

As per - 

Poloniex, the biggest altcoin exchange with daily volume in tens of thousands, if not hundreds of thousands btc, is insecure according to an anonymous “really light testing” security review.

Xavier59, whose StackExchange profile states “[a]pparently, this user prefers to keep an air of mystery about them,” publicly released three vulnerabilities after claiming Poloniex failed to reply to his emails informing them of security bugs more than a month ago.

The vulnerabilities, according to Xavier59, indicate incompetence and potential risks. The most prominent seems to be using Get (which is mainly employed for public information) instead of Post (mainly used for private info) for cryptocurrency transactions. Xavier59 states:

“It is a terrible bad practice that any person involved in security would scream while discovering it.”

Poloniex apparently does not use what type of data the code is feeding – that is, numbers, letters, etc. – which “could cause unexpected behavior” and “is representative of bad security policy.” Moreover, the source code is visible to an attacker, making it easier to find vulnerabilities, according to Xavier59, which would allow an attacker to gain moderator privileges in the infamous troll box, thus sharing potentially malware-infested links from a position of apparent authority.

Edited by tomxcs
Do not post full articles

8 hours ago, RDS said:

“Poloniex is using PHP + nginx for their server. Nginx is multithreaded; it means it can perform many requests at the same time. If 2 withdrawal requests are being performed in 2 different threads at the same time, both of them will be validated, because the first thread didn’t update the number of bitcoins of one user in the database for the withdrawal before the second thread had already picked the number of bitcoins available from it.”

This is such complete utter nonsense that you can't take the rest of this "review" serious.

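The double-withdrawal scenario in the quoted passage is a check-then-act race: the balance is read in one statement and debited in another, so two requests that are processed at the same time can both see enough funds. The web server model is beside the point; any deployment that handles two requests concurrently (PHP-FPM worker processes behind nginx, for example) has the same exposure if the check and the debit are separate statements outside a transaction, and none if the debit is conditional. The following is an added illustration, not code from the article, from Poloniex, or from anyone in this thread. It simulates the interleaving explicitly against an in-memory SQLite table (a real race with threads is non-deterministic, which is exactly why it is hard to reproduce on demand); the `balances` schema, the user name and the amounts are constructed for the example.

```python
import sqlite3


def make_db(balance):
    """Constructed sample: one user with the given balance (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE balances (user TEXT PRIMARY KEY, amount INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO balances VALUES ('alice', ?)", (balance,))
    conn.commit()
    return conn


def naive_withdraw_check(conn, user, amount):
    # Step 1 of the vulnerable pattern: read the balance and compare in code.
    (bal,) = conn.execute(
        "SELECT amount FROM balances WHERE user = ?", (user,)
    ).fetchone()
    return bal >= amount


def naive_withdraw_apply(conn, user, amount):
    # Step 2: debit unconditionally, trusting the earlier check.
    conn.execute(
        "UPDATE balances SET amount = amount - ? WHERE user = ?", (amount, user)
    )
    conn.commit()


def simulate_naive_race(balance, amount):
    """Two requests interleave so that both pass the check before either writes.

    Returns (total paid out, final balance). With balance=10 and amount=8
    the user is paid 16 and the balance goes negative.
    """
    conn = make_db(balance)
    ok_a = naive_withdraw_check(conn, "alice", amount)  # request A checks
    ok_b = naive_withdraw_check(conn, "alice", amount)  # request B checks
    paid = 0
    if ok_a:
        naive_withdraw_apply(conn, "alice", amount)  # A debits
        paid += amount
    if ok_b:
        naive_withdraw_apply(conn, "alice", amount)  # B debits again
        paid += amount
    (final,) = conn.execute(
        "SELECT amount FROM balances WHERE user = 'alice'"
    ).fetchone()
    return paid, final


def atomic_withdraw(conn, user, amount):
    """Check and debit in one statement.

    The database serialises updates to the row, so at most one of two
    concurrent calls can satisfy `amount >= ?`; the loser updates zero rows.
    """
    cur = conn.execute(
        "UPDATE balances SET amount = amount - ? WHERE user = ? AND amount >= ?",
        (amount, user, amount),
    )
    conn.commit()
    return cur.rowcount == 1


def simulate_atomic_race(balance, amount):
    """Same two requests against the conditional update; only one succeeds."""
    conn = make_db(balance)
    paid = 0
    for _ in range(2):
        if atomic_withdraw(conn, "alice", amount):
            paid += amount
    (final,) = conn.execute(
        "SELECT amount FROM balances WHERE user = 'alice'"
    ).fetchone()
    return paid, final


if __name__ == "__main__":
    print("naive :", simulate_naive_race(10, 8))   # (16, -6)
    print("atomic:", simulate_atomic_race(10, 8))  # (8, 2)
```

The conditional `UPDATE ... WHERE amount >= ?` is the minimal fix; the equivalent with a separate read is `SELECT ... FOR UPDATE` inside a transaction on databases that support row locks, so the second request blocks until the first commit and then sees the reduced balance. Either way the invariant (balance never negative) is enforced by the database, not by application code that may be running in several workers at once.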

17 minutes ago, lucky said:

This is such complete utter nonsense that you can't take the rest of this "review" serious.

Hope you are right, bro, as none of us wants Ripple to be attached to any bad news. To be honest I am no geek, and that is why I clarified in previous comments that I don't understand any of the technical part. This news was posted to share the info that I found.


Just now, RDS said:

Hope you are right, bro, as none of us wants Ripple to be attached to any bad news. To be honest I am no geek, and that is why I clarified in previous comments that I don't understand any of the technical part. This news was posted to share the info that I found.

sure, good that you posted! just saying that it contains a claim that's complete bollocks. certainly you should not use any exchange as a form of long-term storage, but always assume they can go up in smoke any day.


1 minute ago, lucky said:

sure, good that you posted! just saying that it contains a claim that's complete bollocks. certainly you should not use any exchange as a form of long-term storage, but always assume they can go up in smoke any day.

Do you think Gatehub is any safer..? If XRPs are in a Ripple wallet...?


22 minutes ago, RDS said:

Do you think Gatehub is any safer..? If XRPs are in a Ripple wallet...?

A bit safer at least, yes. At Poloniex your funds are recorded as IOUs on their private ledger (database). If that ledger gets compromised, you'll have a big problem. If the underlying asset of the IOU goes missing, you also have a big problem. With Gatehub, your XRP funds are recorded on a distributed ledger (RCL), and not as an IOU but as a native asset. Still, with Gatehub there is the risk that an attacker has entered their server undetected, lurks, and collects and siphons keys that are transmitted. But then again, even if you are using a cold wallet, there is the risk that your own computer is compromised, that you misunderstand the cold wallet creation process, or that the pieces of paper that you've printed the secret key on go missing, get destroyed or stolen. Or that you die and your heirs don't know where that piece of paper is, or, when found, what that code means.

I like the trezor hardware wallet for bitcoin, would be nice to have such hardware wallet for XRP. I'm sure that's just a matter of time...

Edited by Guest

I don't think this is true.

I have to say that I'm using their API and it is very badly coded and doesn't work very well, BUT if there were such big flaws, some cracker would have already hacked it to steal the MILLIONS of $ worth of crypto.

PS: then the article asks why there is no decentralized crypto exchange. But that would be even less safe than a centralized one. Imagine having the same security issues plus you are in a decentralized context. Imagine doing it in Ethereum... DAO vs 2.0... small coding errors and everybody is screwed.

Edited by tulo

11 minutes ago, RafOlP said:

The Ripple Consensus Ledger is a decentralized exchange. What we still don't have is a decentralized bridge - a custodian that performs conversions on demand.

Actually we were discussing this, but I don't remember with who.

We would need an automatic gateway (also not decentralized) that takes any crypto and issues IOUs on Ripple. What Peercover was when it was alive. And this could also become ShapeShift v2.0, where instead of sending crypto and having the IOU on Ripple, a user can ask for direct trading such that the gateway automatically takes an offer on Ripple on its own IOUs and converts crypto2crypto. Anyone? :)

Advantages:

  • Most of the coding for an exchange is already done in Ripple, and there are lots of APIs
  • In the future, ILP-enabled, which means withdrawal (maybe) directly to some banks
  • More volume on Ripple
Edited by tulo

7 minutes ago, tulo said:

Actually we were discussing this, but I don't remember with who.

We would need an automatic gateway (also not decentralized) that takes any crypto and issues IOUs on Ripple. What Peercover was when it was alive. And this could also become ShapeShift v2.0, where instead of sending crypto and having the IOU on Ripple, a user can ask for direct trading such that the gateway automatically takes an offer on Ripple on its own IOUs and converts crypto2crypto. Anyone? :)

I think it is on us - Rippex - and Gatehub Fifth, right?

I know Rippex has been quite silent and Ripple Inc. has made a lot of pivots, but things are clear now and we are taking the steps to help people use and enjoy the RCL.


7 minutes ago, RafOlP said:

I think it is on us - Rippex - and Gatehub Fifth, right?

No, they are not completely automatic exchanges and they don't accept "all" the cryptocurrencies. Peercover was the only one close to that.
