I have been performing security audits and scans of various currency exchanges, forums and websites, all crypto-related. Many of these websites and exchanges make bold claims about how secure they are and how "unhackable" they are. I will be providing proof as to whether any such claims are valid, or just hot air. I will definitively prove that a given exchange or forum is secure and trustworthy, or full of shit. I am sorting through all of my archives and I will be posting them here. All of the results were obtained with professional-grade software and cross-referenced with the Swiss army knife known as robtex.
First I am going to provide the surface scans of bitcointalk.org, also commonly referred to as "shitcointalk", and for good reason. Besides the fact that it is a haven for scams and trolls, the security is poor. Some of the results you will see may be flagged as low-level alerts, but in the hands of a professional, or even a moderately skilled individual, these low-level alerts can be exploited and used to take total control of the website, including, but not limited to, taking over admin accounts, deleting accounts, changing themes or doing other things. They use Simple Machines Forum, which is free software, and not very secure. It does have a few packages that could increase the security, but they did not use them. Here is a screen capture of the initial scan being performed.
Attached is the pdf printout of the results of the surface scan. More in-depth scanning can be provided but really is not necessary. Just the vulnerabilities discovered and depicted here are enough to cause serious, if not irreparable damage to the website. Edit: I have to shrink the zip file so it meets the 1.95 MB maximum file size.
Edit: I used a file upload service to host the pdf file. I could not shrink it to 1.95 MB. Here is the link to the pdf containing surface scan data.
http://www.filehosting.org/file/details/561050/shitcointalk.pdf
Here is a snippet of code for the yobit chatbox. As you will see, the users' text right out of chat gets displayed in the view source function of your browser. Not only is the full source displayed and unprotected, but key points are easily identifiable. I will not identify things for you, but anyone with a small bit of skill should be able to point out the necessary things needed to use clickjacking and other exploits.