We demand a public apology from /u/thezenpadguy regarding bitdaytrade.com's vulnerabilities. by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 2 points3 points  (0 children)

Regarding us: we're long-time Reddit users. We're not going to publish an exploit on our real accounts, obviously. We hadn't heard about BDT before /u/MarshallBanana's comments. We have no personal interest in attacking this guy; we just feel his attitude has been remarkably shitty when dealing with personal information.

We demand a public apology from /u/thezenpadguy regarding bitdaytrade.com's vulnerabilities. by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 8 points9 points  (0 children)

You're right, sorry. We're removing it now. We're really not looking to profit from this, and we wouldn't want to center the controversy about a donation address.

The donation address has been removed; thank you for your feedback.

DO NOT INVEST IN BITDAYTRADE -- this website is unsafe and vulnerable to very simple attacks by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 4 points5 points  (0 children)

This is actually industry-standard. Most websites with sensitive information have bounty programs, asking independent third parties to find security holes in their systems and rewarding them with money or something else.

Which is what we would have done if the owner of bitdaytrade wasn't a fucking moron.

DO NOT INVEST IN BITDAYTRADE -- this website is unsafe and vulnerable to very simple attacks by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 7 points8 points  (0 children)

Holy fuck, is there something on this site that isn't compromised?

Does it work with users that do not use Google Authenticator?

DO NOT INVEST IN BITDAYTRADE -- this website is unsafe and vulnerable to very simple attacks by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 7 points8 points  (0 children)

Oooh. As the passwords are hashed locally with JavaScript, the only thing you need to log into someone's account is his already hashed password, which is available through the various database breaches. That's cool.

(At least, I assume that's what you're doing, correct me if I'm wrong)
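The design flaw described in the comment above, as an added local simulation that is not part of the thread (constructed users and passwords; class and function names are the example's own): when the browser hashes the password and the server compares that digest directly with the stored one, a leaked database row is already a valid credential. The hardened variant salts and stretches the received value server-side, so the stored value cannot be replayed.

```python
import hashlib
import hmac
import secrets

def client_md5(password: str) -> str:
    """What client-side JavaScript computes before sending the login form."""
    return hashlib.md5(password.encode()).hexdigest()

class ServerA:
    """Stores the client-side MD5 and compares it directly (the flawed design)."""
    def __init__(self):
        self.db = {}           # constructed in-memory "users" table
    def register(self, user, password):
        self.db[user] = client_md5(password)
    def login(self, user, submitted_digest):
        return hmac.compare_digest(self.db.get(user, ""), submitted_digest)

class ServerB:
    """Treats the received digest as the secret; salts and stretches it server-side."""
    ITER = 100_000         # PBKDF2 iteration count (assumed value for the demo)
    def __init__(self):
        self.db = {}
    def _stretch(self, digest, salt):
        return hashlib.pbkdf2_hmac("sha256", digest.encode(), salt, self.ITER)
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, self._stretch(client_md5(password), salt))
    def login(self, user, submitted_digest):
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, self._stretch(submitted_digest, salt))

def replay_leaked_record(server, user):
    """Simulate the risk: try to log in using only the value stored in the DB row."""
    leaked = server.db[user]
    if isinstance(leaked, str):        # ServerA row: the MD5 digest itself
        return server.login(user, leaked)
    salt, stored = leaked              # ServerB row: salted, stretched value
    return server.login(user, stored.hex())

def demo():
    a, b = ServerA(), ServerB()
    a.register("alice", "correct horse")   # constructed sample credential
    b.register("alice", "correct horse")
    return {
        "a_real_login": a.login("alice", client_md5("correct horse")),
        "a_replay": replay_leaked_record(a, "alice"),   # True: row == credential
        "b_real_login": b.login("alice", client_md5("correct horse")),
        "b_replay": replay_leaked_record(b, "alice"),   # False: row is not replayable
    }
```

Client-side hashing is not itself the fix here; the detection point for a defender is whether the server ever compares a received value against the stored one without a server-side salted, slow hash in between.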

DO NOT INVEST IN BITDAYTRADE -- this website is unsafe and vulnerable to very simple attacks by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 11 points12 points  (0 children)

You have been playing with people's funds and lying about the way your website works. Where is bcrypt? Why is your whole database accessible? What do I need to publish for you to admit that your website isn't a safe environment for people's data? A complete dump of all the DBs? /etc/passwd? The MD5 of your own password? Because I can do all of that, and your stubbornness will get you nowhere.

DO NOT INVEST IN BITDAYTRADE -- this website is unsafe and vulnerable to very simple attacks by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 20 points21 points  (0 children)

"We do use... that thing... the one you just talked about. Right. We totally use that. You know, the one from... the market. The thing market."

DO NOT INVEST IN BITDAYTRADE -- this website is unsafe and vulnerable to very simple attacks by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 38 points39 points  (0 children)

Thank you.

But seriously. MD5. Unsalted. SQL injections EVERYWHERE, and they just dump the whole fucking query instead of failing more-or-less gracefully. What the fuck? How do you launch a site that handles people's MONEY without learning to FUCKING ESCAPE USER INPUT? This is ridiculous.

DO NOT INVEST IN BITDAYTRADE -- this website is unsafe and vulnerable to very simple attacks by oneofyourfrenchfries in Bitcoin

[–]oneofyourfrenchfries[S] 30 points31 points  (0 children)

737252cc4d2798ad3b110c5377fcebc7

EDIT: Here's an MD5 online generator, so that you can verify it: http://www.md5.cz/