Correspondence with CEX.io

Full transcript of correspondence with CEX.io. For more details, see Reporting a Vulnerability to CEX.io.

Date: Sun, 13 Oct 2013 14:49:31 -0400
Subject: White Hat Bug Bounty Program
From: Michael
To: webmaster@cex.io

Hi CEX Folks,
Do you have a bug bounty program for ethical security researchers to report
security vulnerabilities to your site?

Thanks,
Michael

 

Date: Sun, 13 Oct 2013 18:59:59 +0000
From: "CEX.IO" <webmaster@cex.io>
To: Michael
Subject: [CEX.IO] Re: White Hat Bug Bounty Program

Your request (199) has been solved. To reopen this request, reply to this email.

----------------------------------------------

Jeffrey, Oct 13 18:59 (UTC)

We can discuss this matter. Please send us an email with your proposal to [redacted]

Thank you.

Yours Truly,
Jeffrey Smith
Head of Customer Service Department

 

Date: Sun, 13 Oct 2013 16:01:19 -0400
Subject: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
I'm a software security consultant in the US as my main profession, but I
enjoy participating in bug bounty programs in my spare time, especially
within the Bitcoin community. I reported a bug to Bitmit a few months ago
and they rewarded me with a bounty. Coinbase has a published bounty program:

https://coinbase.com/whitehat
http://donncha.is/2013/06/coinbase-owning-a-bitcoin-exchange-bug-bounty-program/

And outside of the Bitcoin community, Google has a pretty well respected
bounty program:

https://www.google.com/about/appsecurity/reward-program/

Can you tell me if CEX already has a system in place, or if not, what you
would pay as rewards for different kinds of vulnerabilities?

Thanks,
Michael

 

Date: Mon, 14 Oct 2013 23:33:26 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
Is CEX interested in paying a bounty for vulnerability information?

Thanks,
Michael

 

Date: Tue, 15 Oct 2013 16:09:50 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hey Michael,
Let's get back to this conversation in a couple of days.
Thanks. 

 

Date: Tue, 15 Oct 2013 09:45:06 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
Is there someone else at CEX I should reach out to? I'd like to get these
issues on your radar as soon as possible. I'm really excited about CEX and
think it's a great idea, but I've had to withdraw all funds from my account
because of the site's security issues.

Thanks,
Michael

 

Date: Fri, 18 Oct 2013 10:11:56 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
Any updates on this?

Thanks,
Michael

 

Date: Mon, 21 Oct 2013 19:04:10 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hi Michael,
We are willing to provide you free GH/s for bug reports. 
Please tell me if you have found any. 

Thank you.  

-- 
Yours Truly,
Jeffrey Smith
CEX.IO

 

Date: Mon, 21 Oct 2013 12:18:03 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
Do you have a PGP key or should I just use normal email?

Thanks,
Michael

 

Date: Mon, 21 Oct 2013 19:18:58 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hi Michael,
I don't have a PGP key. Let's use normal mail for now.

Yours Truly,
Jeffrey Smith
CEX.IO

 

Date: Mon, 21 Oct 2013 20:16:35 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
CEX is vulnerable to CSRF attacks. This occurs when sites on other domains
can force users to take actions on the CEX domain without the user's
consent. An attacker can construct a malicious page (e.g. evil.com) and
entice a victim CEX user to visit the evil page. The evil page then uses
JavaScript to force the user's browser to make a request to CEX.
Specifically, they could force the user to sell GHS at a very low price /
buy at a very high price. The attacker can also force victim users to
withdraw to a Bitcoin wallet of the attacker's choosing, though the risk
there is somewhat limited by the fact that your withdrawals require email
confirmation.

I have created two proof of concept pages. Please be aware that visiting
these sites will cause you to perform actions in your CEX account without
your consent (though I have made efforts to make these actions as harmless
as possible for demonstration).

https://[removed]
If a CEX user visits this page while logged into CEX, it will cause them to
place a buy order for 1 GHS at a price of 0.00001 BTC. Note that I
deliberately chose a low buy price to make the proof of concept safe to
test, as a buy order at 0.00001 BTC is unlikely to be fulfilled, but I
could just as easily have set the price to 100 BTC in order to force victim
users to purchase GHS at very high rates.

https://[removed]
If a CEX user visits this page while logged into CEX, it will cause them to
make a withdrawal request for .01 BTC to my personal Bitcoin wallet. As
mentioned above, this risk is somewhat reduced by the fact that the user
must also confirm the withdrawal via email, but seeing unauthorized
withdrawal requests would likely alarm your users.

The solution is to use CSRF tokens. These are unpredictable values that are
included in every authorized request that causes a change in state (e.g.
buy orders, sell orders, withdrawal, logout). The server must validate that
all such requests include the correct CSRF token or the request is dropped.
CEX appears to already be using a web framework that includes CSRF tokens,
as the HTTP requests include a parameter called "_csrf" but it is currently
empty and has no effect on requests. CEX needs to enforce CSRF protections
in order to mitigate this vulnerability. More information about CSRF
attacks is available through OWASP:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Please let me know if there is any additional information that I can
provide to help you in remediating this issue.

Thanks,
Michael
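The remediation described in the report above, as an added illustration that is not CEX.io's code: a server-side check that binds an unpredictable `_csrf` token to the session and rejects any state-changing request whose token is missing, empty or wrong, shown next to the pattern the report describes (a `_csrf` parameter that is read but never enforced). The session store, endpoint names and form fields are constructed for the example.

```python
# Added illustration (not CEX.io's code): enforcing a per-session "_csrf"
# token on state-changing requests, beside a handler that reads the
# parameter but never checks it, which is the condition the report describes.
import hmac
import secrets

# Constructed sample session store: session id -> CSRF token bound to it.
SESSIONS = {}


def new_session():
    """Create a logged-in session and bind an unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def csrf_valid(sid, form):
    """True only when _csrf is present, non-empty and equals the session token."""
    expected = SESSIONS.get(sid)
    submitted = form.get("_csrf", "")
    if not expected or not submitted:
        return False  # an empty or absent token must never pass
    # Constant-time comparison so the check leaks nothing about the token.
    return hmac.compare_digest(expected, submitted)


def place_buy_order(sid, form):
    """Hardened state-changing endpoint: the order is placed only if the
    CSRF check passes. A cross-origin page cannot read the victim's token,
    so a forged request arrives with _csrf empty and is rejected."""
    if sid not in SESSIONS:
        return "401 not logged in"
    if not csrf_valid(sid, form):
        return "403 csrf token missing or invalid"
    return f"200 buy {form['amount']} GHS @ {form['price']} BTC"


def weak_place_buy_order(sid, form):
    """The pattern the report describes: _csrf is accepted in the request
    but has no effect, so a forged request with an empty token succeeds."""
    if sid not in SESSIONS:
        return "401 not logged in"
    _ = form.get("_csrf", "")  # present in the request, ignored by the server
    return f"200 buy {form['amount']} GHS @ {form['price']} BTC"
```

The token must also be required on every other state-changing action the report lists (sell, withdraw, logout), not only on the buy endpoint.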

 

Date: Tue, 22 Oct 2013 12:23:01 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hey Michael,
Thank you for your email. We will investigate this vulnerability as well
as negotiate about a bonus for your work.

Will get back to you ASAP.

--
Yours Truly,
Jeffrey Smith
CEX.IO

 

Date: Mon, 4 Nov 2013 21:02:41 -0500
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
I see that CEX has remediated the CSRF vulnerability that I reported. When
can I expect CEX to pay the bounty for reporting this issue?

Thanks,
Michael

 

Date: Sat, 9 Nov 2013 13:16:30 -0500
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith
Cc: webmaster@cex.io

Hi Jeffrey,
It has now been almost 3 weeks since I reported CEX's CSRF
vulnerability to you. I have not received payment, and you are not
responding to emails. I'm becoming concerned that you may not honor our
agreement.

Please respond with details of when I can expect payment for reporting
CEX's security vulnerability.

Thanks,
Michael

 

Subject: Re: White Hat Bug Bounty Program
Date: Mon, 11 Nov 2013 14:07:48 +0200
From: Jeffrey Smith
To: Michael

Hey Michael,
Thank you for your email. I apologise for the delay in our
communication, as we were busy with processing all feature requests.

I talked to the upper management about the vulnerability you have found.

Their response was that they were aware of this vulnerability, but it
was not in our priority list.

However, it is now, and I've negotiated a bounty in the amount of 0.2 BTC.

Please tell me if it's ok with you and I will transfer funds to your
account.

Yours Truly,
Jeffrey Smith

 

Date: Mon, 11 Nov 2013 09:03:29 -0500
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,
That's a very low bounty, but since we never negotiated a price, I'll take
what you offer. At that rate, it is not worth my time to report other
vulnerabilities to CEX. For comparison, take a look at Coinbase's rates
(keeping in mind that at the time of publication, 1 BTC was ~$100 USD).

Please send payment to 1NcLF2FVewJmeuNsRc5vxmNc9ysXN9xyr4

Please also pass along my feedback to your upper management:

   - Many customers will not be comfortable trusting their money to a
   company that knowingly exposes them to serious security vulnerabilities
   - Security researchers will not be interested in responsibly disclosing
   vulnerabilities to CEX if the company pays very low bounties and fails to
   communicate with researchers in a timely fashion.

Thanks,
Michael

 

Date: Mon, 11 Nov 2013 16:26:55 +0200
Subject: Re: White Hat Bug Bounty Program
From: Jeffrey Smith
To: Michael

Hey Michael,
Thank you, I will forward your message to the upper management.
I will also leave your contacts in case they need you.


Yours Truly,
Jeffrey Smith
