Net Worth
0.942USD
STEEM
0.000STEEM
SBD
1.818SBD
Effective Power
5.007SP
├── Own SP
1.193SP
└── Incoming Delegations
+3.814SP
Detailed Balance
| STEEM | ||
| balance | 0.000STEEM | STEEM |
| market_balance | 0.000STEEM | STEEM |
| savings_balance | 0.000STEEM | STEEM |
| reward_steem_balance | 0.000STEEM | STEEM |
| STEEM POWER | ||
| Own SP | 1.193SP | SP |
| Delegated Out | 0.000SP | SP |
| Delegation In | 3.814SP | SP |
| Effective Power | 5.007SP | SP |
| Reward SP (pending) | 0.000SP | SP |
| SBD | ||
| sbd_balance | 1.818SBD | SBD |
| sbd_conversions | 0.000SBD | SBD |
| sbd_market_balance | 0.000SBD | SBD |
| savings_sbd_balance | 0.000SBD | SBD |
| reward_sbd_balance | 0.000SBD | SBD |
{
"balance": "0.000 STEEM",
"savings_balance": "0.000 STEEM",
"reward_steem_balance": "0.000 STEEM",
"vesting_shares": "1939.966191 VESTS",
"delegated_vesting_shares": "0.000000 VESTS",
"received_vesting_shares": "6203.693615 VESTS",
"sbd_balance": "1.818 SBD",
"savings_sbd_balance": "0.000 SBD",
"reward_sbd_balance": "0.000 SBD",
"conversions": []
}
Account Info
| name | siddiki |
| id | 230860 |
| rank | 1,396,882 |
| reputation | 10673748748 |
| created | 2017-06-28T20:37:12 |
| recovery_account | steem |
| proxy | None |
| post_count | 5 |
| comment_count | 0 |
| lifetime_vote_count | 0 |
| witnesses_voted_for | 0 |
| last_post | 2018-02-16T13:25:39 |
| last_root_post | 2018-02-14T14:27:24 |
| last_vote_time | 2018-02-16T13:25:24 |
| proxied_vsf_votes | 0, 0, 0, 0 |
| can_vote | 1 |
| voting_power | 0 |
| delayed_votes | 0 |
| balance | 0.000 STEEM |
| savings_balance | 0.000 STEEM |
| sbd_balance | 1.818 SBD |
| savings_sbd_balance | 0.000 SBD |
| vesting_shares | 1939.966191 VESTS |
| delegated_vesting_shares | 0.000000 VESTS |
| received_vesting_shares | 6203.693615 VESTS |
| reward_vesting_balance | 0.000000 VESTS |
| vesting_balance | 0.000 STEEM |
| vesting_withdraw_rate | 0.000000 VESTS |
| next_vesting_withdrawal | 1969-12-31T23:59:59 |
| withdrawn | 0 |
| to_withdraw | 0 |
| withdraw_routes | 0 |
| savings_withdraw_requests | 0 |
| last_account_recovery | 1970-01-01T00:00:00 |
| reset_account | null |
| last_owner_update | 1970-01-01T00:00:00 |
| last_account_update | 2018-02-16T13:27:00 |
| mined | No |
| sbd_seconds | 0 |
| sbd_last_interest_payment | 1970-01-01T00:00:00 |
| savings_sbd_last_interest_payment | 1970-01-01T00:00:00 |
{
"id": 230860,
"name": "siddiki",
"owner": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5yf2qfm8KQA7VqWqxqDbXvpPAgHUnSJGXes2zMbA7JdyuPboYJ",
1
]
]
},
"active": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5KZ7PvqUqxYGUK3FB6kYimLXnZRqcMAi3LHYZu28a6dvCpzH2j",
1
]
]
},
"posting": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM6CnjBvxxnW1fkqdNfdM2nC2GxtTJqfwd3emBSp8JgNUinHNNJj",
1
]
]
},
"memo_key": "STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4",
"json_metadata": "{\"profile\":{\"name\":\"Tarek Siddiki\",\"profile_image\":\"https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg\",\"location\":\"Bangladesh\"}}",
"posting_json_metadata": "{\"profile\":{\"name\":\"Tarek Siddiki\",\"profile_image\":\"https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg\",\"location\":\"Bangladesh\"}}",
"proxy": "",
"last_owner_update": "1970-01-01T00:00:00",
"last_account_update": "2018-02-16T13:27:00",
"created": "2017-06-28T20:37:12",
"mined": false,
"recovery_account": "steem",
"last_account_recovery": "1970-01-01T00:00:00",
"reset_account": "null",
"comment_count": 0,
"lifetime_vote_count": 0,
"post_count": 5,
"can_vote": true,
"voting_manabar": {
"current_mana": "8143659806",
"last_update_time": 1779085851
},
"downvote_manabar": {
"current_mana": 2035914951,
"last_update_time": 1779085851
},
"voting_power": 0,
"balance": "0.000 STEEM",
"savings_balance": "0.000 STEEM",
"sbd_balance": "1.818 SBD",
"sbd_seconds": "0",
"sbd_seconds_last_update": "2019-03-10T10:59:36",
"sbd_last_interest_payment": "1970-01-01T00:00:00",
"savings_sbd_balance": "0.000 SBD",
"savings_sbd_seconds": "0",
"savings_sbd_seconds_last_update": "1970-01-01T00:00:00",
"savings_sbd_last_interest_payment": "1970-01-01T00:00:00",
"savings_withdraw_requests": 0,
"reward_sbd_balance": "0.000 SBD",
"reward_steem_balance": "0.000 STEEM",
"reward_vesting_balance": "0.000000 VESTS",
"reward_vesting_steem": "0.000 STEEM",
"vesting_shares": "1939.966191 VESTS",
"delegated_vesting_shares": "0.000000 VESTS",
"received_vesting_shares": "6203.693615 VESTS",
"vesting_withdraw_rate": "0.000000 VESTS",
"next_vesting_withdrawal": "1969-12-31T23:59:59",
"withdrawn": 0,
"to_withdraw": 0,
"withdraw_routes": 0,
"curation_rewards": 0,
"posting_rewards": 886,
"proxied_vsf_votes": [
0,
0,
0,
0
],
"witnesses_voted_for": 0,
"last_post": "2018-02-16T13:25:39",
"last_root_post": "2018-02-14T14:27:24",
"last_vote_time": "2018-02-16T13:25:24",
"post_bandwidth": 0,
"pending_claimed_accounts": 0,
"vesting_balance": "0.000 STEEM",
"reputation": "10673748748",
"transfer_history": [],
"market_history": [],
"post_history": [],
"vote_history": [],
"other_history": [],
"witness_votes": [],
"tags_usage": [],
"guest_bloggers": [],
"rank": 1396882
}
Withdraw Routes
| Incoming | Outgoing |
|---|---|
Empty | Empty |
{
"incoming": [],
"outgoing": []
}
2026/05/18 06:30:51
2026/05/18 06:30:51
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 6203.693615 VESTS |
| Transaction Info | Block #106150928/Trx 4307982acc9ae54d4eb139f131581203bea42163 |
{
"trx_id": "4307982acc9ae54d4eb139f131581203bea42163",
"block": 106150928,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2026-05-18T06:30:51",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "6203.693615 VESTS"
}
]
}2026/05/13 05:20:18
2026/05/13 05:20:18
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 3491.483210 VESTS |
| Transaction Info | Block #106006236/Trx d26519778e89b416bff2b8c42253ac75f27daca3 |
{
"trx_id": "d26519778e89b416bff2b8c42253ac75f27daca3",
"block": 106006236,
"trx_in_block": 3,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2026-05-13T05:20:18",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "3491.483210 VESTS"
}
]
}2026/04/26 05:42:15
2026/04/26 05:42:15
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 6216.209371 VESTS |
| Transaction Info | Block #105518406/Trx 786aee404d1ceb5c1142dd55d920d13c6d930dde |
{
"trx_id": "786aee404d1ceb5c1142dd55d920d13c6d930dde",
"block": 105518406,
"trx_in_block": 1,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2026-04-26T05:42:15",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "6216.209371 VESTS"
}
]
}2026/01/24 00:40:51
2026/01/24 00:40:51
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 3533.030029 VESTS |
| Transaction Info | Block #102872029/Trx 290a3785d8484f5d8b5408ca9e9a863b7c3c156a |
{
"trx_id": "290a3785d8484f5d8b5408ca9e9a863b7c3c156a",
"block": 102872029,
"trx_in_block": 5,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2026-01-24T00:40:51",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "3533.030029 VESTS"
}
]
}2024/12/17 19:50:48
2024/12/17 19:50:48
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 3697.249226 VESTS |
| Transaction Info | Block #91318243/Trx cd46dd3371cc764a4a536367382be7a32b01b46a |
{
"trx_id": "cd46dd3371cc764a4a536367382be7a32b01b46a",
"block": 91318243,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2024-12-17T19:50:48",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "3697.249226 VESTS"
}
]
}2023/11/14 11:31:45
2023/11/14 11:31:45
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 3866.382758 VESTS |
| Transaction Info | Block #79872386/Trx 2ca6d31070550e51943c287b747a2b8798cc2dbd |
{
"trx_id": "2ca6d31070550e51943c287b747a2b8798cc2dbd",
"block": 79872386,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2023-11-14T11:31:45",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "3866.382758 VESTS"
}
]
}2023/09/22 10:40:33
2023/09/22 10:40:33
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 6803.291544 VESTS |
| Transaction Info | Block #78363206/Trx c0843d045f7a89cafbb5753db7e23396d144a0b4 |
{
"trx_id": "c0843d045f7a89cafbb5753db7e23396d144a0b4",
"block": 78363206,
"trx_in_block": 4,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2023-09-22T10:40:33",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "6803.291544 VESTS"
}
]
}2022/11/03 18:05:30
2022/11/03 18:05:30
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 7025.342982 VESTS |
| Transaction Info | Block #69120891/Trx 2c19d128a77025a1df238af783baa640d2a455fa |
{
"trx_id": "2c19d128a77025a1df238af783baa640d2a455fa",
"block": 69120891,
"trx_in_block": 1,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2022-11-03T18:05:30",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "7025.342982 VESTS"
}
]
}2022/01/17 23:16:03
2022/01/17 23:16:03
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 7245.450583 VESTS |
| Transaction Info | Block #60824114/Trx 52fc898f80eac02541992511662a503b8840dd92 |
{
"trx_id": "52fc898f80eac02541992511662a503b8840dd92",
"block": 60824114,
"trx_in_block": 24,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2022-01-17T23:16:03",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "7245.450583 VESTS"
}
]
}2021/06/14 06:26:15
2021/06/14 06:26:15
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 7429.644871 VESTS |
| Transaction Info | Block #54614423/Trx 8c31c665b4364efc64b840b0b3ebd114136479dc |
{
"trx_id": "8c31c665b4364efc64b840b0b3ebd114136479dc",
"block": 54614423,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2021-06-14T06:26:15",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "7429.644871 VESTS"
}
]
}2020/12/11 16:38:03
2020/12/11 16:38:03
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 7617.066845 VESTS |
| Transaction Info | Block #49361675/Trx 4970ab90a5d24b8d3970e16aafba18045e5d800e |
{
"trx_id": "4970ab90a5d24b8d3970e16aafba18045e5d800e",
"block": 49361675,
"trx_in_block": 3,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2020-12-11T16:38:03",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "7617.066845 VESTS"
}
]
}2020/12/06 10:13:39
2020/12/06 10:13:39
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 1912.543513 VESTS |
| Transaction Info | Block #49213192/Trx 5f59ca5b620578b329410dcd979c4cd7b1810de8 |
{
"trx_id": "5f59ca5b620578b329410dcd979c4cd7b1810de8",
"block": 49213192,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2020-12-06T10:13:39",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "1912.543513 VESTS"
}
]
}2020/12/05 20:15:57
2020/12/05 20:15:57
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 7623.274699 VESTS |
| Transaction Info | Block #49196761/Trx c3835b6721c60f77ffd56b0f9bed4db1dfd8cdb0 |
{
"trx_id": "c3835b6721c60f77ffd56b0f9bed4db1dfd8cdb0",
"block": 49196761,
"trx_in_block": 5,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2020-12-05T20:15:57",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "7623.274699 VESTS"
}
]
}2020/11/03 03:02:57
2020/11/03 03:02:57
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 1920.017158 VESTS |
| Transaction Info | Block #48271235/Trx ec33fea13b5c344970f80110886248a08a2f367d |
{
"trx_id": "ec33fea13b5c344970f80110886248a08a2f367d",
"block": 48271235,
"trx_in_block": 10,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2020-11-03T03:02:57",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "1920.017158 VESTS"
}
]
}2020/05/09 11:17:00
2020/05/09 11:17:00
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 7826.080058 VESTS |
| Transaction Info | Block #43223528/Trx 9afe8516b8a6cf0c6bd8c26c6a1c04e2937558d1 |
{
"trx_id": "9afe8516b8a6cf0c6bd8c26c6a1c04e2937558d1",
"block": 43223528,
"trx_in_block": 24,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2020-05-09T11:17:00",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "7826.080058 VESTS"
}
]
}2020/05/08 15:42:57
2020/05/08 15:42:57
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 1953.311140 VESTS |
| Transaction Info | Block #43200602/Trx d07d64c62f67f550fb8e3d91ae0cd518afb0fdde |
{
"trx_id": "d07d64c62f67f550fb8e3d91ae0cd518afb0fdde",
"block": 43200602,
"trx_in_block": 6,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2020-05-08T15:42:57",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "1953.311140 VESTS"
}
]
}2020/02/07 16:18:00
2020/02/07 16:18:00
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 7874.640466 VESTS |
| Transaction Info | Block #40615331/Trx 72f47df9e328d1c3298a89dee1c777bc0802116d |
{
"trx_id": "72f47df9e328d1c3298a89dee1c777bc0802116d",
"block": 40615331,
"trx_in_block": 15,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2020-02-07T16:18:00",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "7874.640466 VESTS"
}
]
}2019/06/28 21:37:00
2019/06/28 21:37:00
| parent author | siddiki |
| parent permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| author | steemitboard |
| permlink | steemitboard-notify-siddiki-20190628t213659000z |
| title | |
| body | Congratulations @siddiki! You received a personal award! <table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@siddiki/birthday2.png</td><td>Happy Birthday! - You are on the Steem blockchain for 2 years!</td></tr></table> <sub>_You can view [your badges on your Steem Board](https://steemitboard.com/@siddiki) and compare to others on the [Steem Ranking](https://steemitboard.com/ranking/index.php?name=siddiki)_</sub> ###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes! |
| json metadata | {"image":["https://steemitboard.com/img/notify.png"]} |
| Transaction Info | Block #34205544/Trx 3361c809ec77c85f1060d8bd67133a391a0d4c33 |
{
"trx_id": "3361c809ec77c85f1060d8bd67133a391a0d4c33",
"block": 34205544,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2019-06-28T21:37:00",
"op": [
"comment",
{
"parent_author": "siddiki",
"parent_permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"author": "steemitboard",
"permlink": "steemitboard-notify-siddiki-20190628t213659000z",
"title": "",
"body": "Congratulations @siddiki! You received a personal award!\n\n<table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@siddiki/birthday2.png</td><td>Happy Birthday! - You are on the Steem blockchain for 2 years!</td></tr></table>\n\n<sub>_You can view [your badges on your Steem Board](https://steemitboard.com/@siddiki) and compare to others on the [Steem Ranking](https://steemitboard.com/ranking/index.php?name=siddiki)_</sub>\n\n\n###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes!",
"json_metadata": "{\"image\":[\"https://steemitboard.com/img/notify.png\"]}"
}
]
}2019/03/10 14:34:21
2019/03/10 14:34:21
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 8070.961808 VESTS |
| Transaction Info | Block #31033367/Trx aad11d8ab164118724bd313e8f9c6ec24b4fd62c |
{
"trx_id": "aad11d8ab164118724bd313e8f9c6ec24b4fd62c",
"block": 31033367,
"trx_in_block": 52,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2019-03-10T14:34:21",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "8070.961808 VESTS"
}
]
}siddikiclaimed reward balance: 1.818 SBD, 0.557 SP2019/03/10 10:59:36
siddikiclaimed reward balance: 1.818 SBD, 0.557 SP
2019/03/10 10:59:36
| account | siddiki |
| reward steem | 0.000 STEEM |
| reward sbd | 1.818 SBD |
| reward vests | 905.425438 VESTS |
| Transaction Info | Block #31029080/Trx 89a5acb4d9c663d663a36f8723e759b221d3be31 |
{
"trx_id": "89a5acb4d9c663d663a36f8723e759b221d3be31",
"block": 31029080,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2019-03-10T10:59:36",
"op": [
"claim_reward_balance",
{
"account": "siddiki",
"reward_steem": "0.000 STEEM",
"reward_sbd": "1.818 SBD",
"reward_vests": "905.425438 VESTS"
}
]
}2018/06/29 02:00:39
2018/06/29 02:00:39
| parent author | siddiki |
| parent permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| author | steemitboard |
| permlink | steemitboard-notify-siddiki-20180629t020041000z |
| title | |
| body | Congratulations @siddiki! You have received a personal award! [](http://steemitboard.com/@siddiki) 1 Year on Steemit <sub>_Click on the badge to view your Board of Honor._</sub> **Do not miss the [last post](https://steemit.com/steemitboard/@steemitboard/7mkfjh-steemitboard-world-cup-contest-results-of-day-14) from @steemitboard!** --- **Participate in the [SteemitBoard World Cup Contest](https://steemit.com/steemitboard/@steemitboard/steemitboard-world-cup-contest-collect-badges-and-win-free-sbd)!** Collect World Cup badges and win free SBD Support the Gold Sponsors of the contest: [@good-karma](https://v2.steemconnect.com/sign/account-witness-vote?witness=good-karma&approve=1) and [@lukestokes](https://v2.steemconnect.com/sign/account-witness-vote?witness=lukestokes.mhth&approve=1) --- > Do you like [SteemitBoard's project](https://steemit.com/@steemitboard)? Then **[Vote for its witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1)** and **get one more award**! |
| json metadata | {"image":["https://steemitboard.com/img/notify.png"]} |
| Transaction Info | Block #23733841/Trx 1bb37b6dda7b396fa98bcee25083c2f1170d91ba |
{
"trx_id": "1bb37b6dda7b396fa98bcee25083c2f1170d91ba",
"block": 23733841,
"trx_in_block": 55,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-06-29T02:00:39",
"op": [
"comment",
{
"parent_author": "siddiki",
"parent_permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"author": "steemitboard",
"permlink": "steemitboard-notify-siddiki-20180629t020041000z",
"title": "",
"body": "Congratulations @siddiki! You have received a personal award!\n\n[](http://steemitboard.com/@siddiki) 1 Year on Steemit\n<sub>_Click on the badge to view your Board of Honor._</sub>\n\n\n**Do not miss the [last post](https://steemit.com/steemitboard/@steemitboard/7mkfjh-steemitboard-world-cup-contest-results-of-day-14) from @steemitboard!**\n\n---\n**Participate in the [SteemitBoard World Cup Contest](https://steemit.com/steemitboard/@steemitboard/steemitboard-world-cup-contest-collect-badges-and-win-free-sbd)!**\nCollect World Cup badges and win free SBD\nSupport the Gold Sponsors of the contest: [@good-karma](https://v2.steemconnect.com/sign/account-witness-vote?witness=good-karma&approve=1) and [@lukestokes](https://v2.steemconnect.com/sign/account-witness-vote?witness=lukestokes.mhth&approve=1)\n\n---\n\n> Do you like [SteemitBoard's project](https://steemit.com/@steemitboard)? Then **[Vote for its witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1)** and **get one more award**!",
"json_metadata": "{\"image\":[\"https://steemitboard.com/img/notify.png\"]}"
}
]
}2018/05/24 21:15:42
2018/05/24 21:15:42
| parent author | siddiki |
| parent permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| author | bluecrab |
| permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180524t211533911z |
| title | |
| body | Since i joined steemit,this is the most captivating article. KYC is a no for me |
| json metadata | {"tags":["ico"],"app":"steemit/0.1"} |
| Transaction Info | Block #22721004/Trx 0a2845af8d555edfff427f8c617c53a72728588d |
{
"trx_id": "0a2845af8d555edfff427f8c617c53a72728588d",
"block": 22721004,
"trx_in_block": 8,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-05-24T21:15:42",
"op": [
"comment",
{
"parent_author": "siddiki",
"parent_permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"author": "bluecrab",
"permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180524t211533911z",
"title": "",
"body": "Since i joined steemit,this is the most captivating article. KYC is a no for me",
"json_metadata": "{\"tags\":[\"ico\"],\"app\":\"steemit/0.1\"}"
}
]
}bluecrabupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/05/24 21:14:03
bluecrabupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/05/24 21:14:03
| voter | bluecrab |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #22720971/Trx 769c28b6e9cf10688d9c4eed12633b6bb4812c63 |
{
"trx_id": "769c28b6e9cf10688d9c4eed12633b6bb4812c63",
"block": 22720971,
"trx_in_block": 12,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-05-24T21:14:03",
"op": [
"vote",
{
"voter": "bluecrab",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}2018/05/20 14:26:54
2018/05/20 14:26:54
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 9137.671841 VESTS |
| Transaction Info | Block #22598020/Trx 8ef8e9caaee83e7906a27cd335baf8c4b7eca99e |
{
"trx_id": "8ef8e9caaee83e7906a27cd335baf8c4b7eca99e",
"block": 22598020,
"trx_in_block": 3,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-05-20T14:26:54",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "9137.671841 VESTS"
}
]
}2018/05/18 20:53:42
2018/05/18 20:53:42
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 29484.979172 VESTS |
| Transaction Info | Block #22548165/Trx 6fbfec01d30597758f4e9c7c2a9e6b1ea2aaa0a3 |
{
"trx_id": "6fbfec01d30597758f4e9c7c2a9e6b1ea2aaa0a3",
"block": 22548165,
"trx_in_block": 1,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-05-18T20:53:42",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "29484.979172 VESTS"
}
]
}theshahzadaupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/03/14 18:49:21
theshahzadaupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/03/14 18:49:21
| voter | theshahzada |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #20675599/Trx a95e295ebbac6a97775310ecb9998f88cfbcff04 |
{
"trx_id": "a95e295ebbac6a97775310ecb9998f88cfbcff04",
"block": 20675599,
"trx_in_block": 51,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-03-14T18:49:21",
"op": [
"vote",
{
"voter": "theshahzada",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}alienatealienupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/03/01 00:30:06
alienatealienupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/03/01 00:30:06
| voter | alienatealien |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #20279631/Trx 272ce116e7c59e9a96231f034479bc933fb9531a |
{
"trx_id": "272ce116e7c59e9a96231f034479bc933fb9531a",
"block": 20279631,
"trx_in_block": 20,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-03-01T00:30:06",
"op": [
"vote",
{
"voter": "alienatealien",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}siddikireceived 1.818 SBD, 0.557 SP author reward for @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/02/21 14:27:24
siddikireceived 1.818 SBD, 0.557 SP author reward for @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/21 14:27:24
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| sbd payout | 1.818 SBD |
| steem payout | 0.000 STEEM |
| vesting payout | 905.425438 VESTS |
| Transaction Info | Block #20066182/Virtual Operation #17 |
{
"trx_id": "0000000000000000000000000000000000000000",
"block": 20066182,
"trx_in_block": 4294967295,
"op_in_trx": 0,
"virtual_op": 17,
"timestamp": "2018-02-21T14:27:24",
"op": [
"author_reward",
{
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"sbd_payout": "1.818 SBD",
"steem_payout": "0.000 STEEM",
"vesting_payout": "905.425438 VESTS"
}
]
}siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/02/18 10:08:27
siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/18 10:08:27
| parent author | |
| parent permlink | ico |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| title | Horrors of ICO's: from a bug-bounty hunters perspective |
| body | A lot of people choose ICOs nowadays as a red-hot fundraising tool, and where there is money, there are the eyes of the hacker. The blockchain itself is secure, but the fundraising mechanism around it is sometimes far too vulnerable to compromise. We have seen a lot of reports of ICO security breaches in the last few months. A recent report by [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states that hackers have stolen $400 million from ICOs since 2015. The following table was enough to encourage me to dig more into ICOs. | Name | Stolen amount | Date | Description | |------------ |--------------- |------------- |------------------------------------------------------------------------------------------------------------------ | | Etherparty | Not Revealed | 01/Oct/2017 | Hacked into website and altered the donation address. | | Enigma | 0.471M USD | 20/Aug/2017 | Hacked into Slack, website and email newsletter accounts and manipulated users into sending funds to the hackers' wallet. | | Coindash | 7M USD | 17/Jul/2017 | Hacked into website and altered the donation address. | | Apex | 0.15M USD | 29/Jan/2018 | Hacked into website and altered the donation address. | | Seele | 2M USD | 5/Feb/2018 | Hackers compromised a Telegram admin's account and lured users into a private presale. | | Veritaseum | 8.4M USD | 26/Jul/2017 | Unauthorized transaction from wallet. | From the above table, we can see that in most of the cases weak protection of DNS, the hosting server and the team's communication channels (website, Slack, Telegram, email) — not the chain itself — was the main reason for the ICO hack. There were some cases where the smart contract itself was backdoored, but nowadays most companies copy the Solidity code of other popular and supposedly secure ICOs. That reduces the chance of a contract-level hack, but it does not make it negligible: copied code can be altered before deployment and still needs its own review. This is [Tarek Siddiki](https://twitter.com/tareksiddiki), a Bangladeshi security enthusiast. I have worked with various bug bounty platforms and helped hundreds of companies patch a lot of vulnerabilities in the past few years. 
I continued my bug bounty approach with ICOs, and in this blog I will talk about my experience with a few of them. In most cases the company acted promptly and welcomed the approach, but there were a few who really deserved to be sued for their negligence on security.  ## Hacking into ICOs I have tested a lot of ICOs since November 2017 and successfully exploited a few of them. Here I am going to share the story of those 5 ICOs: what I found, how I found it, what the impact was, how I reported it to them and what their response was. _I have decided to publish the names and vulnerability details only for those ICOs that successfully completed their fundraising; the one marked with asterisks has not yet launched its ICO._ ### Story of Fundyourselfnow FYN was my first successful ICO hack. I was able to get admin panel access during their ICO. I used blind XSS payloads in my KYC form. A few moments later an admin went to validate the submission and my payload triggered. I received an email with a canvas screenshot and the cookies of the admin user. Those were enough to access the admin panel — which also tells you the session cookie was readable from script, i.e. it had not been set with the `HttpOnly` flag.  #### Reaction and Impact The team was very surprised by this kind of vulnerability in their system. They implemented a patch within an hour and later conducted a thorough security audit of their platform. No other vulnerabilities were discovered and there was no sign of any other breach at that time. ### Story of Agrello Agrello suffered from the same vulnerability as FYN. Both portals were built on the CodeIgniter framework, and the KYC fields were neither filtered on input nor encoded on output when rendered in the admin views, so the XSS payloads went through untouched. I used a blind XSS payload in my KYC details. As soon as an admin tried to validate my details, the payload fired and I got the cookies and a canvas screenshot.  #### Reaction and Impact The admin panel could be accessed by an attacker, and the details of all incoming transactions and all participating users could be monitored. 
Agrello paid a handsome bounty for this disclosure and was prompt to resolve the issue. ### Story of Zeepin I am a fan of NEO and its ICOs. That's why I decided to look into Zeepin. Within the first 5 minutes I identified an error-based SQL injection vulnerability on its KYC portal. I was able to enumerate the database and all its tables. The tables included KYC details, user details, bounty details etc. I tried to check whether I could dump database entries, and successfully dumped the first two rows of the `zeepin_upload` table as a PoC.  #### Impact It was possible to read all the database tables, which included all participants' personal information, emails, passwords, deposit addresses, bounty details etc. (The fix for this class of bug is parameterized queries, not escaping individual inputs.) #### Reaction I contacted one of their Telegram admins to get a proper point of contact to disclose the vulnerability. That person redirected me to another Telegram admin and I disclosed the vulnerability to him. They were prompt to resolve the SQL injection because normal users were having trouble due to my test! But when I discovered another XSS on the KYC application, the Telegram admin said this:  You are collecting 60M USD+ in NEO from people and keeping all their sensitive KYC documents unprotected. When I tried to help you, you were more eager to grab people's money than to secure the process! The height of negligence surprised me. I have never encountered such a thing in my entire life from a company where millions of dollars were at risk. Luckily, as far as I could tell, no other hacker was poking into this and they escaped. Later, when I asked them for permission to write this blog, they replied:  It's true that we bounty hunters take bounties after disclosing security issues. But the way they handled the whole thing compelled me to reject the offer. ### Story of ****** This one is so far my favorite finding. The company had neither launched its ICO nor opened its KYC to the public. 
So, apparently there was no interface where an outsider could poke the services. Fortunately, their demo application was hosted on the same server where the main business website was hosted. I found an interesting RCE in the file uploader on their demo application. ```php <?php $destination_path = getcwd().DIRECTORY_SEPARATOR."upload".DIRECTORY_SEPARATOR; $dataURL = $_POST["image"]; $imgID = $_POST["uid"]; $parts = explode(',', $dataURL); $data = $parts[1]; $data = base64_decode($data); $file = $destination_path . $imgID; $success = file_put_contents($file, $data); print $success ? $file : 1; ?> ``` Nothing in this handler validates the `uid` value it uses as the file name (neither its characters nor its extension) or the decoded `image` contents before `file_put_contents` writes them, which is what turns a plain image uploader into an RCE. You may wonder how I got my hands on this piece of code! As I said, there was an RCE and I was able to read/write anything on the server. I was also able to read the `.my.cnf` file to gain access to the cPanel and DNS settings. #### Impact They are trying to raise ~25M USD for their product. As I had access to their DNS and filesystem, I could've changed the donation address, I could've intercepted the incoming and outgoing emails, and I could've accessed thousands of people's KYC documents. #### Reaction The team responded very quickly and was pleased to take my help to identify all the potential threats (I tried my best). Now they are looking to make a long-term partnership with one bug bounty platform to continuously have hundreds of eyes on their production application. ## How can this be remediated? We, the bug bounty hunters, suffered from the lack of a managed platform for bug bounties in our early days. Later, services like HackerOne, Cobalt, Bugcrowd and Synack came into force and the scenario changed drastically. In the blockchain arena, [Hacken](hacken.io) is offering a crowdsourced security audit of smart contracts and applications. These services can drastically change the poor scenario around the blockchain-sphere. But above all, the companies need to be aware that they lack security. Overconfidence can be very harmful; blockchain is secure but implementation can go wrong. 
People are trusting countless ICO's and putting their sensitive documents for the sake of KYC. But there is no one to look after the security of those papers. If this situation doesn't change, the future of ICO's will be questioned and identity theft will see another new level! ### Courtesy I used xsshunter.com to test blind XSS. Thanks, Matthew Bryant for developing xsshunter! |
| json metadata | {"tags":["ico","blockchain","ethereum","neo","hacking"],"image":["https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png","https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png","https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png","https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg","https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png","https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png"],"links":["http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/","twitter.com/tareksiddiki","hacken.io"],"app":"steemit/0.1","format":"markdown"} |
| Transaction Info | Block #19974634/Trx c0765463521f72ddcf9b7fe5af18271863da1cbe |
{
"trx_id": "c0765463521f72ddcf9b7fe5af18271863da1cbe",
"block": 19974634,
"trx_in_block": 49,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-18T10:08:27",
"op": [
"comment",
{
"parent_author": "",
"parent_permlink": "ico",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"title": "Horrors of ICO's: from a bug-bounty hunters perspective",
"body": "A lot of people choose ICO's nowadays as a red-hot fundraising tool and where there is money, there lies the eyes of the hacker. Blockchain itself is secure, but the fundraising mechanism is sometimes way too vulnerable to compromise. We have seen a lot of reports on ICO security breach in last few months. A recent report of [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states, Hackers Have Stolen $400 Million From ICOs since 2015. The following table was enough to encourage me to dig more into ICO's.\n\n| Name \t| Stolen amount \t| Date \t| Description \t|\n|------------\t|---------------\t|-------------\t|------------------------------------------------------------------------------------------------------------------\t|\n| Etherparty \t| Not Revealed \t| 01/Oct/2017 \t| Hacked into website and altered the donation address. \t|\n| Enigma \t| 0.471M USD \t| 20/Aug/2017 \t| Hacked into slack, website and email newsletter accounts and manipulated users to send funds to hackers wallet. \t|\n| Coindash \t| 7M USD \t| 17/Jul/2017 \t| Hacked into website and altered the donation address. \t|\n| Apex \t| 0.15M USD \t| 29/Jan/2018 \t| Hacked into website and altered the donation address. \t|\n| Seele \t| 2M USD \t| 5/Feb/2018 \t| Hackers compromised telegram admins account and lured users for a private presale. \t|\n| Veritaseum \t| 8.4M USD \t| 26/Jul/2017 \t| Unauthorized transaction from wallet. \t|\n\n\nFrom the above table, we can see that in most of the cases weak protection on DNS and Hosted server was the main reason for ICO hacking. There were some cases where there was backdoor on smart contract, but nowadays most of the companies copy solidity codes of other popular and secure ICO's. So the chances of smart contract hacking are negligible in this case.\n\n\nThis is [Tarek Siddiki](twitter.com/tareksiddiki), a Bangladeshi security enthusiast. 
I worked with various bug bounty platforms and helped hundreds of companies to patch a lot of vulnerabilities in past few years. I continued my bug bounty approach in ICO's and in this blog I will talk about my experience with a few ICO's. In most of the case the company acted promptly and welcomed the approach, but there were few who really deserves to get sued because of their negligence on security.\n\n\n\n\n\n## Hacking into ICO's\nI have tested a lot of ICO's since November 2017 and I successfully exploited few of them. Here, I am going to share the story of those 5 ICO's, what did I find, how did I find, what was the impact, how I reported to them and what was their response etc. \n\n_I have decided to publish the names and details of the vulnerabilities of those ICO's who successfully completed their fundraising, the one with asterisk marks are those who have not yet launched their ICO's._\n\n\n ### Story of Fundyourselfnow\n\nFYN was my first successful ICO hack. I was able to get the admin panel access during their ICO. I used blind XSS payloads in my KYC form. A few moments later an admin went to validate the submission and my payload triggered. I received an email with the canvas screenshot and cookie of the admin user. Those were enough to access the admin panel.\n\n\n\n#### Reaction and Impact\nThe team was very surprised with this kind of vulnerabilities within their system. They implemented a patch within an hour and later conducted a thorough security audit on their platform. No other vulnerabilities were discovered and there was no sign of any other breaches at that time.\n\n ### Story of Agrello\nAgrello suffered from the same vulnerability as FYN. Both portals were using CodeIgniter framework and XSS payloads were not filtered. I used a blind XSS payload in my KYC details. 
As soon as an admin tried to validate my details, the payload fired and I got the cookies and canvas screenshot.\n\n\n\n#### Reaction and Impact\nAdmin panel could be accessed by the attacker and details of all incoming transactions and all participating users could be monitored. Agrello rewarded a handsome amount of bounty for this disclosure and they were prompt to resolve the issue.\n\n ### Story of Zeepin\nI am a fan of NEO and it's ICO's. That's why I decided to look into Zeepin. Within first 5 min, I identified an error based SQL injection vulnerability on its KYC portal. I was able to enumerate the database and all its tables. The tables included KYC details, user details, bounty details etc. I tried to check whether I could dump database entries or not and successfully dumped the first two row of the `zeepin_upload` table as a PoC.\n\n\n\n#### Impact\nIt was possible to read all the database tables, which includes all participants personal information, email, password, deposit address, bounty details etc.\n\n#### Reaction\nI contacted one of their telegram admin to get a proper point of contact to disclose the vulnerability. That guy redirected me to another telegram admin and I disclosed the vulnerability to him. They were prompt to resolve the SQL injection cause normal users were having trouble because of my test! But when I discovered another XSS on the KYC application, the telegram admin said this:\n\n\n\nYou are collecting 60M USD+ NEO from peoples and keeping all their sensitive KYC documents unprotected. When I tried to help you, you were more passionate to grab peoples money rather than securing the process! The height of negligence surprised me. I have never encountered such thing in my entire life from a company where millions of dollars were at risk. 
Luckily there was no other hacker poking into this and they escaped.\n\nLater when I asked them about the permission to write this blog, they replied:\n\n\n\nIt's true we, the bounty hunters take bounties after disclosing security issues. But the way they handled the whole thing, made me bound to reject the offer.\n\n\n ### Story of ******\nThis one is so far my most favorite finding. The company neither launched its ICO, nor the KYC is open for public. So, apparently there was no interface where an outsider could poke the services. Fortunately, their demo application was hosted on the same server where the main business website was hosted.\nI found an interesting RCE in the file uploader on their demo application. \n```php\n<?php\n $destination_path = getcwd().DIRECTORY_SEPARATOR.\"upload\".DIRECTORY_SEPARATOR;\n $dataURL = $_POST[\"image\"]; \n $imgID = $_POST[\"uid\"]; \n $parts = explode(',', $dataURL); \n $data = $parts[1]; \n $data = base64_decode($data); \n $file = $destination_path . $imgID;\n $success = file_put_contents($file, $data);\n print $success ? $file : 1;\n?>\n\n```\n\nYou may wonder how did I get my hands on this piece of code! As I said, there was an RCE and I was able to read/write anything on the server. I was also able to read the `.my.cnf` file to gain access to the cPanel and DNS settings.\n\n#### Impact\nThey are trying to raise ~25M USD for their product. As I had the access to their DNS and Filesystem, I could've changed the donation address, I could've intercepted the incoming and outgoing emails, I could've accessed thousand peoples KYC documents.\n\n#### Reaction\nThe team respond very quickly and was pleased to take my help to identify all the potential threats (I tried my best). 
Now they are looking to make long-term partnerships with one bug bounty platform to continuously have hundreds of eye on their production application.\n\n\n## How can this be remediated?\nWe, the bug bounty hunters suffered from a managed platform for bug bounties on our earlier days. Later, services like HackerOne, Cobalt, Bugcrowd and Synack came into force and the scenario changed drastically. In blockchain arena, [Hacken](hacken.io) is offering a crowdsourced security audit of smart contracts and applications. These services can drastically change the poor scenario around blockchain-sphere. But above all, the companies need to be aware that they lack security. Overconfidence can be very harmful, blockchain is secure but implementation can go wrong. People are trusting countless ICO's and putting their sensitive documents for the sake of KYC. But there is no one to look after the security of those papers. If this situation doesn't change, the future of ICO's will be questioned and identity theft will see another new level!\n\n### Courtesy\nI used xsshunter.com to test blind XSS. Thanks, Matthew Bryant for developing xsshunter!",
"json_metadata": "{\"tags\":[\"ico\",\"blockchain\",\"ethereum\",\"neo\",\"hacking\"],\"image\":[\"https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png\",\"https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png\",\"https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png\",\"https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg\",\"https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png\",\"https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png\"],\"links\":[\"http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/\",\"twitter.com/tareksiddiki\",\"hacken.io\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
}
]
}
factfictional upvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/17 20:02:21
| voter | factfictional |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19957713/Trx 1873e0e5def2426def1cdfe5ca4ffc56df81b03d |
{
"trx_id": "1873e0e5def2426def1cdfe5ca4ffc56df81b03d",
"block": 19957713,
"trx_in_block": 36,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-17T20:02:21",
"op": [
"vote",
{
"voter": "factfictional",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}
dhenz upvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/17 19:22:39
| voter | dhenz |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19956919/Trx 256145e02a4a9a47a158a6c7f3096252e52f29b8 |
{
"trx_id": "256145e02a4a9a47a158a6c7f3096252e52f29b8",
"block": 19956919,
"trx_in_block": 34,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-17T19:22:39",
"op": [
"vote",
{
"voter": "dhenz",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}
siddiki updated their account properties
2018/02/16 13:27:00
| account | siddiki |
| memo key | STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4 |
| json metadata | {"profile":{"name":"Tarek Siddiki","profile_image":"https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg","location":"Bangladesh"}} |
| Transaction Info | Block #19921030/Trx e200b048d6ff99e74cdfbdfdd922d601e0d64896 |
{
"trx_id": "e200b048d6ff99e74cdfbdfdd922d601e0d64896",
"block": 19921030,
"trx_in_block": 85,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-16T13:27:00",
"op": [
"account_update",
{
"account": "siddiki",
"memo_key": "STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4",
"json_metadata": "{\"profile\":{\"name\":\"Tarek Siddiki\",\"profile_image\":\"https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg\",\"location\":\"Bangladesh\"}}"
}
]
}
2018/02/16 13:25:39
| parent author | rbshadow |
| parent permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z |
| author | siddiki |
| permlink | re-rbshadow-re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180216t132539658z |
| title | |
| body | welcome brother. |
| json metadata | {"tags":["ico"],"app":"steemit/0.1"} |
| Transaction Info | Block #19921003/Trx 0c4a7b439c7f640dc2700040287660788551f09c |
{
"trx_id": "0c4a7b439c7f640dc2700040287660788551f09c",
"block": 19921003,
"trx_in_block": 37,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-16T13:25:39",
"op": [
"comment",
{
"parent_author": "rbshadow",
"parent_permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z",
"author": "siddiki",
"permlink": "re-rbshadow-re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180216t132539658z",
"title": "",
"body": "welcome brother.",
"json_metadata": "{\"tags\":[\"ico\"],\"app\":\"steemit/0.1\"}"
}
]
}
2018/02/16 13:25:24
| voter | siddiki |
| author | suddeath |
| permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180215t172848914z |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19920998/Trx 95bd8d02792026faf7ce27167d2ac52d251f5710 |
{
"trx_id": "95bd8d02792026faf7ce27167d2ac52d251f5710",
"block": 19920998,
"trx_in_block": 7,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-16T13:25:24",
"op": [
"vote",
{
"voter": "siddiki",
"author": "suddeath",
"permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180215t172848914z",
"weight": 10000
}
]
}
2018/02/16 13:25:15
| parent author | suddeath |
| parent permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180215t172848914z |
| author | siddiki |
| permlink | re-suddeath-re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180216t132516266z |
| title | |
| body | You are most welcome. |
| json metadata | {"tags":["ico"],"app":"steemit/0.1"} |
| Transaction Info | Block #19920995/Trx 66d70f8d5ea26a85a30fa1f16169d74181d49085 |
{
"trx_id": "66d70f8d5ea26a85a30fa1f16169d74181d49085",
"block": 19920995,
"trx_in_block": 55,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-16T13:25:15",
"op": [
"comment",
{
"parent_author": "suddeath",
"parent_permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180215t172848914z",
"author": "siddiki",
"permlink": "re-suddeath-re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180216t132516266z",
"title": "",
"body": "You are most welcome.",
"json_metadata": "{\"tags\":[\"ico\"],\"app\":\"steemit/0.1\"}"
}
]
}
siddiki published a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/16 05:53:42
| parent author | |
| parent permlink | ico |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| title | Horrors of ICO's: From a bug-bounty hunters perspective. |
| body | @@ -21,27 +21,25 @@ se ICO's now --a- +a days as a re @@ -110,16 +110,20 @@ eyes of +the hacker. @@ -1859,16 +1859,17 @@ ve table +, we can @@ -2027,24 +2027,25 @@ oor on smart + contract, bu @@ -2053,11 +2053,9 @@ now --a- +a days @@ -2155,16 +2155,17 @@ of smart + contract @@ -2173,18 +2173,19 @@ hacking -is +are negligi @@ -2311,24 +2311,25 @@ various bug + bounty platf @@ -2433,24 +2433,25 @@ inued my bug + bounty appro @@ -3460,17 +3460,19 @@ C form. -F +A f ew momen @@ -4026,27 +4026,26 @@ and there w -ere +as no sign of @@ -4164,16 +4164,17 @@ h portal +s were us @@ -4181,13 +4181,13 @@ ing -codei +CodeI gnit @@ -4250,19 +4250,19 @@ a blind -xss +XSS payload @@ -4826,16 +4826,17 @@ 's. That +' s why I @@ -4882,16 +4882,17 @@ st 5 min +, I ident @@ -5040,11 +5040,11 @@ ded -kyc +KYC det @@ -5190,16 +5190,20 @@ row of +the %60zeepin_ @@ -6166,17 +6166,16 @@ ssionate -d to grab @@ -6386,19 +6386,18 @@ there w -ere +as no othe @@ -6842,17 +6842,16 @@ ost favo -u rite fin @@ -6934,15 +6934,16 @@ So, -basical +apparent ly t @@ -7018,16 +7018,17 @@ tunately +, their d @@ -7899,18 +7899,18 @@ access +t o -n their D @@ -7941,24 +7941,25 @@ ld've change +d the donatio @@ -8043,16 +8043,18 @@ e access +ed thousan @@ -8245,17 +8245,17 @@ ake long - +- term par @@ -8272,24 +8272,25 @@ with one bug + bounty platf @@ -8403,24 +8403,25 @@ %0AWe, the bug + bounty hunte @@ -8463,16 +8463,17 @@ for bug + bounties @@ -8521,17 +8521,17 @@ e Hacker -o +O ne, Coba @@ -8656,19 +8656,19 @@ is -perform +offer ing +a crow @@ -8885,17 +8885,16 @@ ty. Over - confiden @@ -9310,16 +9310,17 @@ . Thanks +, Matthew |
| json metadata | {"tags":["ico","blockchain","ethereum","neo","hacking"],"image":["https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png","https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png","https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png","https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg","https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png","https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png"],"links":["http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/","twitter.com/tareksiddiki","hacken.io"],"app":"steemit/0.1","format":"markdown"} |
| Transaction Info | Block #19911971/Trx ab60d547a2322402e0dce2bcb949d53129d4db0f |
{
"trx_id": "ab60d547a2322402e0dce2bcb949d53129d4db0f",
"block": 19911971,
"trx_in_block": 63,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-16T05:53:42",
"op": [
"comment",
{
"parent_author": "",
"parent_permlink": "ico",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"title": "Horrors of ICO's: From a bug-bounty hunters perspective.",
"body": "@@ -21,27 +21,25 @@\n se ICO's now\n--a-\n+a\n days as a re\n@@ -110,16 +110,20 @@\n eyes of \n+the \n hacker. \n@@ -1859,16 +1859,17 @@\n ve table\n+,\n we can \n@@ -2027,24 +2027,25 @@\n oor on smart\n+ \n contract, bu\n@@ -2053,11 +2053,9 @@\n now\n--a-\n+a\n days\n@@ -2155,16 +2155,17 @@\n of smart\n+ \n contract\n@@ -2173,18 +2173,19 @@\n hacking \n-is\n+are\n negligi\n@@ -2311,24 +2311,25 @@\n various bug\n+ \n bounty platf\n@@ -2433,24 +2433,25 @@\n inued my bug\n+ \n bounty appro\n@@ -3460,17 +3460,19 @@\n C form. \n-F\n+A f\n ew momen\n@@ -4026,27 +4026,26 @@\n and there w\n-ere\n+as\n no sign of \n@@ -4164,16 +4164,17 @@\n h portal\n+s\n were us\n@@ -4181,13 +4181,13 @@\n ing \n-codei\n+CodeI\n gnit\n@@ -4250,19 +4250,19 @@\n a blind \n-xss\n+XSS\n payload\n@@ -4826,16 +4826,17 @@\n 's. That\n+'\n s why I \n@@ -4882,16 +4882,17 @@\n st 5 min\n+,\n I ident\n@@ -5040,11 +5040,11 @@\n ded \n-kyc\n+KYC\n det\n@@ -5190,16 +5190,20 @@\n row of \n+the \n %60zeepin_\n@@ -6166,17 +6166,16 @@\n ssionate\n-d\n to grab\n@@ -6386,19 +6386,18 @@\n there w\n-ere\n+as\n no othe\n@@ -6842,17 +6842,16 @@\n ost favo\n-u\n rite fin\n@@ -6934,15 +6934,16 @@\n So, \n-basical\n+apparent\n ly t\n@@ -7018,16 +7018,17 @@\n tunately\n+,\n their d\n@@ -7899,18 +7899,18 @@\n access \n+t\n o\n-n\n their D\n@@ -7941,24 +7941,25 @@\n ld've change\n+d\n the donatio\n@@ -8043,16 +8043,18 @@\n e access\n+ed\n thousan\n@@ -8245,17 +8245,17 @@\n ake long\n- \n+-\n term par\n@@ -8272,24 +8272,25 @@\n with one bug\n+ \n bounty platf\n@@ -8403,24 +8403,25 @@\n %0AWe, the bug\n+ \n bounty hunte\n@@ -8463,16 +8463,17 @@\n for bug\n+ \n bounties\n@@ -8521,17 +8521,17 @@\n e Hacker\n-o\n+O\n ne, Coba\n@@ -8656,19 +8656,19 @@\n is \n-perform\n+offer\n ing \n+a \n crow\n@@ -8885,17 +8885,16 @@\n ty. Over\n- \n confiden\n@@ -9310,16 +9310,17 @@\n . Thanks\n+,\n Matthew\n",
"json_metadata": "{\"tags\":[\"ico\",\"blockchain\",\"ethereum\",\"neo\",\"hacking\"],\"image\":[\"https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png\",\"https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png\",\"https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png\",\"https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg\",\"https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png\",\"https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png\"],\"links\":[\"http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/\",\"twitter.com/tareksiddiki\",\"hacken.io\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
}
]
}
2018/02/15 17:28:51
| parent author | siddiki |
| parent permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| author | suddeath |
| permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180215t172848914z |
| title | |
| body | Thanks for sharing! This is the reason all ICOs and exchanges should do audits and bug bounties, and Hacken is a great partner to do this. |
| json metadata | {"tags":["ico"],"app":"steemit/0.1"} |
| Transaction Info | Block #19897088/Trx 0a4c22409a30ef8422aed64e173e2e890957c9c0 |
{
"trx_id": "0a4c22409a30ef8422aed64e173e2e890957c9c0",
"block": 19897088,
"trx_in_block": 4,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-15T17:28:51",
"op": [
"comment",
{
"parent_author": "siddiki",
"parent_permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"author": "suddeath",
"permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180215t172848914z",
"title": "",
"body": "Thanks for sharing! This is the reason all ICOs and exchanges should do audits and bug bounties, and Hacken is a great partner to do this.",
"json_metadata": "{\"tags\":[\"ico\"],\"app\":\"steemit/0.1\"}"
}
]
}
suddeath upvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/15 17:26:48
| voter | suddeath |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19897047/Trx 0129f91bd72ffe6ffd7df972b50660bf21f0dab9 |
{
"trx_id": "0129f91bd72ffe6ffd7df972b50660bf21f0dab9",
"block": 19897047,
"trx_in_block": 44,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-15T17:26:48",
"op": [
"vote",
{
"voter": "suddeath",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}
ergorg upvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/15 17:02:06
| voter | ergorg |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19896553/Trx c0157174e324b662cd126204e35ce168802d1a4a |
{
"trx_id": "c0157174e324b662cd126204e35ce168802d1a4a",
"block": 19896553,
"trx_in_block": 24,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-15T17:02:06",
"op": [
"vote",
{
"voter": "ergorg",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}
siddiki removed vote from (0.00%) @rbshadow / re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z
2018/02/15 09:02:45
| voter | siddiki |
| author | rbshadow |
| permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z |
| weight | 0 (0.00%) |
| Transaction Info | Block #19886973/Trx 0fb5ad517bf4046655664b59482b6c4f68293b9e |
{
"trx_id": "0fb5ad517bf4046655664b59482b6c4f68293b9e",
"block": 19886973,
"trx_in_block": 44,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-15T09:02:45",
"op": [
"vote",
{
"voter": "siddiki",
"author": "rbshadow",
"permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z",
"weight": 0
}
]
}
2018/02/15 09:02:33
| voter | siddiki |
| author | rbshadow |
| permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19886969/Trx 8e8764553083ccc3b63d7c6d210190e491ca59fd |
{
"trx_id": "8e8764553083ccc3b63d7c6d210190e491ca59fd",
"block": 19886969,
"trx_in_block": 0,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-15T09:02:33",
"op": [
"vote",
{
"voter": "siddiki",
"author": "rbshadow",
"permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z",
"weight": 10000
}
]
}
2018/02/14 19:10:03
| parent author | siddiki |
| parent permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| author | rbshadow |
| permlink | re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z |
| title | |
| body | Thanks for sharing bhai. |
| json metadata | {"tags":["ico"],"app":"steemit/0.1"} |
| Transaction Info | Block #19870333/Trx f4868cdc973661c9168d77f3a138b76b00e08e3b |
{
"trx_id": "f4868cdc973661c9168d77f3a138b76b00e08e3b",
"block": 19870333,
"trx_in_block": 22,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T19:10:03",
"op": [
"comment",
{
"parent_author": "siddiki",
"parent_permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"author": "rbshadow",
"permlink": "re-siddiki-horrors-of-ico-s-from-a-bug-bounty-hunters-perspective-20180214t191002210z",
"title": "",
"body": "Thanks for sharing bhai.",
"json_metadata": "{\"tags\":[\"ico\"],\"app\":\"steemit/0.1\"}"
}
]
}
siddiki published a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/14 15:58:06
| parent author | |
| parent permlink | ico |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| title | Horrors of ICO's: From a bug-bounty hunters perspective. |
| body | @@ -6779,80 +6779,8 @@ fer. - On a personal note, I donated 300 NEO on ZPT ICO and I regret that now! %0A%0A%0A |
| json metadata | {"tags":["ico","blockchain","ethereum","neo","hacking"],"image":["https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png","https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png","https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png","https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg","https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png","https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png"],"links":["http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/","twitter.com/tareksiddiki","hacken.io"],"app":"steemit/0.1","format":"markdown"} |
| Transaction Info | Block #19866501/Trx 79c3d3fbce6ea8d19d78486fd35000f394af0813 |
{
"trx_id": "79c3d3fbce6ea8d19d78486fd35000f394af0813",
"block": 19866501,
"trx_in_block": 9,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T15:58:06",
"op": [
"comment",
{
"parent_author": "",
"parent_permlink": "ico",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"title": "Horrors of ICO's: From a bug-bounty hunters perspective.",
"body": "@@ -6779,80 +6779,8 @@\n fer.\n- On a personal note, I donated 300 NEO on ZPT ICO and I regret that now!\n %0A%0A%0A \n",
"json_metadata": "{\"tags\":[\"ico\",\"blockchain\",\"ethereum\",\"neo\",\"hacking\"],\"image\":[\"https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png\",\"https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png\",\"https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png\",\"https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg\",\"https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png\",\"https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png\"],\"links\":[\"http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/\",\"twitter.com/tareksiddiki\",\"hacken.io\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
}
]
}siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/02/14 15:40:33
siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/14 15:40:33
| parent author | |
| parent permlink | ico |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| title | Horrors of ICO's: From a bug-bounty hunters perspective. |
| body | A lot of people choose ICOs nowadays as a red-hot fundraising tool, and where there is money, there lie the eyes of hackers. The blockchain itself is secure, but the fundraising mechanism is sometimes far too vulnerable to compromise. We have seen a lot of reports of ICO security breaches in the last few months. A recent report by [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states that hackers have stolen $400 million from ICOs since 2015. The following table was enough to encourage me to dig deeper into ICOs. | Name | Stolen amount | Date | Description | |------------ |--------------- |------------- |------------------------------------------------------------------------------------------------------------------ | | Etherparty | Not Revealed | 01/Oct/2017 | Hacked into the website and altered the donation address. | | Enigma | 0.471M USD | 20/Aug/2017 | Hacked into Slack, website and email newsletter accounts and manipulated users into sending funds to the hackers' wallet. | | Coindash | 7M USD | 17/Jul/2017 | Hacked into the website and altered the donation address. | | Apex | 0.15M USD | 29/Jan/2018 | Hacked into the website and altered the donation address. | | Seele | 2M USD | 5/Feb/2018 | Hackers compromised a Telegram admin's account and lured users into a private presale. | | Veritaseum | 8.4M USD | 26/Jul/2017 | Unauthorized transaction from wallet. | From the above table we can see that in most cases weak protection of DNS and the hosting server was the main cause of the ICO hack. There were some cases where the smart contract had a backdoor, but nowadays most companies copy the Solidity code of other popular and secure ICOs, so the chance of a smart-contract hack is negligible in those cases. This is [Tarek Siddiki](twitter.com/tareksiddiki), a Bangladeshi security enthusiast. I have worked with various bug-bounty platforms and helped hundreds of companies patch a lot of vulnerabilities over the past few years. 
I continued my bug-bounty approach with ICOs, and in this blog I will talk about my experience with a few of them. In most cases the company acted promptly and welcomed the approach, but there were a few who really deserve to get sued for their negligence on security.  ## Hacking into ICOs I have tested a lot of ICOs since November 2017 and successfully exploited a few of them. Here I am going to share the story of those 5 ICOs: what I found, how I found it, what the impact was, how I reported it to them and what their response was. _I have decided to publish the names and details of the vulnerabilities of those ICOs that successfully completed their fundraising; the ones marked with asterisks are those who have not yet launched their ICO._ ### Story of Fundyourselfnow FYN was my first successful ICO hack. I was able to get admin panel access during their ICO. I used blind XSS payloads in my KYC form. A few moments later an admin went to validate the submission and my payload triggered. I received an email with a canvas screenshot and the cookie of the admin user, which suggests the session cookie was not marked HttpOnly. Those were enough to access the admin panel.  #### Reaction and Impact The team was very surprised by this kind of vulnerability within their system. They implemented a patch within an hour and later conducted a thorough security audit of their platform. No other vulnerabilities were discovered and there was no sign of any other breach at that time. ### Story of Agrello Agrello suffered from the same vulnerability as FYN. Both portals were using the CodeIgniter framework and XSS payloads were not filtered. I used a blind XSS payload in my KYC details. As soon as an admin tried to validate my details, the payload fired and I got the cookies and a canvas screenshot.  #### Reaction and Impact The admin panel could be accessed by the attacker, and the details of all incoming transactions and all participating users could be monitored. 
Agrello rewarded a handsome bounty for this disclosure and they were prompt to resolve the issue. ### Story of Zeepin I am a fan of NEO and its ICOs. That's why I decided to look into Zeepin. Within the first 5 minutes I identified an error-based SQL injection vulnerability on its KYC portal. I was able to enumerate the database and all its tables. The tables included KYC details, user details, bounty details etc. I tried to check whether I could dump database entries or not and successfully dumped the first two rows of the `zeepin_upload` table as a PoC.  #### Impact It was possible to read all the database tables, which include all participants' personal information, email, password, deposit address, bounty details etc. #### Reaction I contacted one of their Telegram admins to get a proper point of contact to disclose the vulnerability. That person redirected me to another Telegram admin and I disclosed the vulnerability to him. They were prompt to resolve the SQL injection because normal users were having trouble because of my test! But when I discovered another XSS on the KYC application, the Telegram admin said this:  You are collecting 60M USD+ in NEO from people and keeping all their sensitive KYC documents unprotected. When I tried to help you, you were more passionate about grabbing people's money than about securing the process! The height of negligence surprised me. I have never encountered such a thing in my entire life from a company where millions of dollars were at risk. Luckily there was no other hacker poking into this and they escaped. Later, when I asked them for permission to write this blog, they replied:  It's true that we, the bounty hunters, take bounties after disclosing security issues. But the way they handled the whole thing made me reject the offer. On a personal note, I donated 300 NEO to the ZPT ICO and I regret that now! ### Story of ****** This one is so far my favourite finding. 
The company had neither launched its ICO, nor was its KYC open to the public. So, basically, there was no interface where an outsider could poke at the services. Fortunately, their demo application was hosted on the same server as the main business website. I found an interesting RCE in the file uploader of their demo application. ```php <?php $destination_path = getcwd().DIRECTORY_SEPARATOR."upload".DIRECTORY_SEPARATOR; $dataURL = $_POST["image"]; $imgID = $_POST["uid"]; $parts = explode(',', $dataURL); $data = $parts[1]; $data = base64_decode($data); $file = $destination_path . $imgID; $success = file_put_contents($file, $data); print $success ? $file : 1; ?> ``` The root cause is that the uploader uses the client-supplied `uid` as the file name and writes the decoded `image` content as-is, with no check on the name, extension or content type; the fix is to generate the file name server-side, accept only the expected image types, and store uploads outside the web root. You may wonder how I got my hands on this piece of code! As I said, there was an RCE and I was able to read/write anything on the server. I was also able to read the `.my.cnf` file to gain access to cPanel and the DNS settings. #### Impact They are trying to raise ~25M USD for their product. As I had access to their DNS and filesystem, I could have changed the donation address, intercepted the incoming and outgoing emails, and accessed thousands of people's KYC documents. #### Reaction The team responded very quickly and was pleased to take my help in identifying all the potential threats (I tried my best). Now they are looking to make a long-term partnership with a bug-bounty platform to continuously have hundreds of eyes on their production application. ## How can this be remediated? We, the bug-bounty hunters, suffered from the lack of a managed platform for bug bounties in our earlier days. Later, services like HackerOne, Cobalt, Bugcrowd and Synack came into force and the scenario changed drastically. In the blockchain arena, [Hacken](hacken.io) is performing crowdsourced security audits of smart contracts and applications. These services can drastically change the poor security scenario around the blockchain sphere. But above all, companies need to be aware that they lack security. 
Overconfidence can be very harmful: the blockchain is secure, but the implementation can go wrong. People are trusting countless ICOs and handing over their sensitive documents for the sake of KYC, but there is no one to look after the security of those papers. If this situation doesn't change, the future of ICOs will be questioned and identity theft will reach a whole new level! ### Courtesy I used xsshunter.com to test blind XSS. Thanks to Matthew Bryant for developing xsshunter! |
| json metadata | {"tags":["blockchain","ico","ethereum","neo","hacking"],"image":["https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png","https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png","https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png","https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg","https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png","https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png"],"links":["http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/","twitter.com/tareksiddiki","hacken.io"],"app":"steemit/0.1","format":"markdown"} |
| Transaction Info | Block #19866151/Trx 7d806b9e87a1708fefe31c0e4ac1c85c292e2fe8 |
{
"trx_id": "7d806b9e87a1708fefe31c0e4ac1c85c292e2fe8",
"block": 19866151,
"trx_in_block": 58,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T15:40:33",
"op": [
"comment",
{
"parent_author": "",
"parent_permlink": "ico",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"title": "Horrors of ICO's: From a bug-bounty hunters perspective.",
"body": "A lot of people choose ICO's now-a-days as a red-hot fundraising tool and where there is money, there lies the eyes of hacker. Blockchain itself is secure, but the fundraising mechanism is sometimes way too vulnerable to compromise. We have seen a lot of reports on ICO security breach in last few months. A recent report of [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states, Hackers Have Stolen $400 Million From ICOs since 2015. The following table was enough to encourage me to dig more into ICO's.\n\n| Name \t| Stolen amount \t| Date \t| Description \t|\n|------------\t|---------------\t|-------------\t|------------------------------------------------------------------------------------------------------------------\t|\n| Etherparty \t| Not Revealed \t| 01/Oct/2017 \t| Hacked into website and altered the donation address. \t|\n| Enigma \t| 0.471M USD \t| 20/Aug/2017 \t| Hacked into slack, website and email newsletter accounts and manipulated users to send funds to hackers wallet. \t|\n| Coindash \t| 7M USD \t| 17/Jul/2017 \t| Hacked into website and altered the donation address. \t|\n| Apex \t| 0.15M USD \t| 29/Jan/2018 \t| Hacked into website and altered the donation address. \t|\n| Seele \t| 2M USD \t| 5/Feb/2018 \t| Hackers compromised telegram admins account and lured users for a private presale. \t|\n| Veritaseum \t| 8.4M USD \t| 26/Jul/2017 \t| Unauthorized transaction from wallet. \t|\n\n\nFrom the above table we can see that in most of the cases weak protection on DNS and Hosted server was the main reason for ICO hacking. There were some cases where there was backdoor on smartcontract, but now-a-days most of the companies copy solidity codes of other popular and secure ICO's. So the chances of smartcontract hacking is negligible in this case.\n\n\nThis is [Tarek Siddiki](twitter.com/tareksiddiki), a Bangladeshi security enthusiast. 
I worked with various bugbounty platforms and helped hundreds of companies to patch a lot of vulnerabilities in past few years. I continued my bugbounty approach in ICO's and in this blog I will talk about my experience with a few ICO's. In most of the case the company acted promptly and welcomed the approach, but there were few who really deserves to get sued because of their negligence on security.\n\n\n\n\n\n## Hacking into ICO's\nI have tested a lot of ICO's since November 2017 and I successfully exploited few of them. Here, I am going to share the story of those 5 ICO's, what did I find, how did I find, what was the impact, how I reported to them and what was their response etc. \n\n_I have decided to publish the names and details of the vulnerabilities of those ICO's who successfully completed their fundraising, the one with asterisk marks are those who have not yet launched their ICO's._\n\n\n ### Story of Fundyourselfnow\n\nFYN was my first successful ICO hack. I was able to get the admin panel access during their ICO. I used blind XSS payloads in my KYC form. Few moments later an admin went to validate the submission and my payload triggered. I received an email with the canvas screenshot and cookie of the admin user. Those were enough to access the admin panel.\n\n\n\n#### Reaction and Impact\nThe team was very surprised with this kind of vulnerabilities within their system. They implemented a patch within an hour and later conducted a thorough security audit on their platform. No other vulnerabilities were discovered and there were no sign of any other breaches at that time.\n\n ### Story of Agrello\nAgrello suffered from the same vulnerability as FYN. Both portal were using codeigniter framework and XSS payloads were not filtered. I used a blind xss payload in my KYC details. 
As soon as an admin tried to validate my details, the payload fired and I got the cookies and canvas screenshot.\n\n\n\n#### Reaction and Impact\nAdmin panel could be accessed by the attacker and details of all incoming transactions and all participating users could be monitored. Agrello rewarded a handsome amount of bounty for this disclosure and they were prompt to resolve the issue.\n\n ### Story of Zeepin\nI am a fan of NEO and it's ICO's. Thats why I decided to look into Zeepin. Within first 5 min I identified an error based SQL injection vulnerability on its KYC portal. I was able to enumerate the database and all its tables. The tables included kyc details, user details, bounty details etc. I tried to check whether I could dump database entries or not and successfully dumped the first two row of `zeepin_upload` table as a PoC.\n\n\n\n#### Impact\nIt was possible to read all the database tables, which includes all participants personal information, email, password, deposit address, bounty details etc.\n\n#### Reaction\nI contacted one of their telegram admin to get a proper point of contact to disclose the vulnerability. That guy redirected me to another telegram admin and I disclosed the vulnerability to him. They were prompt to resolve the SQL injection cause normal users were having trouble because of my test! But when I discovered another XSS on the KYC application, the telegram admin said this:\n\n\n\nYou are collecting 60M USD+ NEO from peoples and keeping all their sensitive KYC documents unprotected. When I tried to help you, you were more passionated to grab peoples money rather than securing the process! The height of negligence surprised me. I have never encountered such thing in my entire life from a company where millions of dollars were at risk. 
Luckily there were no other hacker poking into this and they escaped.\n\nLater when I asked them about the permission to write this blog, they replied:\n\n\n\nIt's true we, the bounty hunters take bounties after disclosing security issues. But the way they handled the whole thing, made me bound to reject the offer. On a personal note, I donated 300 NEO on ZPT ICO and I regret that now!\n\n\n ### Story of ******\nThis one is so far my most favourite finding. The company neither launched its ICO, nor the KYC is open for public. So, basically there was no interface where an outsider could poke the services. Fortunately their demo application was hosted on the same server where the main business website was hosted.\nI found an interesting RCE in the file uploader on their demo application. \n```php\n<?php\n $destination_path = getcwd().DIRECTORY_SEPARATOR.\"upload\".DIRECTORY_SEPARATOR;\n $dataURL = $_POST[\"image\"]; \n $imgID = $_POST[\"uid\"]; \n $parts = explode(',', $dataURL); \n $data = $parts[1]; \n $data = base64_decode($data); \n $file = $destination_path . $imgID;\n $success = file_put_contents($file, $data);\n print $success ? $file : 1;\n?>\n\n```\n\nYou may wonder how did I get my hands on this piece of code! As I said, there was an RCE and I was able to read/write anything on the server. I was also able to read the `.my.cnf` file to gain access to the cPanel and DNS settings.\n\n#### Impact\nThey are trying to raise ~25M USD for their product. As I had the access on their DNS and Filesystem, I could've change the donation address, I could've intercepted the incoming and outgoing emails, I could've access thousand peoples KYC documents.\n\n#### Reaction\nThe team respond very quickly and was pleased to take my help to identify all the potential threats (I tried my best). 
Now they are looking to make long term partnerships with one bugbounty platform to continuously have hundreds of eye on their production application.\n\n\n## How can this be remediated?\nWe, the bugbounty hunters suffered from a managed platform for bugbounties on our earlier days. Later, services like Hackerone, Cobalt, Bugcrowd and Synack came into force and the scenario changed drastically. In blockchain arena, [Hacken](hacken.io) is performing crowdsourced security audit of smart contracts and applications. These services can drastically change the poor scenario around blockchain-sphere. But above all, the companies need to be aware that they lack security. Over confidence can be very harmful, blockchain is secure but implementation can go wrong. People are trusting countless ICO's and putting their sensitive documents for the sake of KYC. But there is no one to look after the security of those papers. If this situation doesn't change, the future of ICO's will be questioned and identity theft will see another new level!\n\n### Courtesy\nI used xsshunter.com to test blind XSS. Thanks Matthew Bryant for developing xsshunter!",
"json_metadata": "{\"tags\":[\"blockchain\",\"ico\",\"ethereum\",\"neo\",\"hacking\"],\"image\":[\"https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png\",\"https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png\",\"https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png\",\"https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg\",\"https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png\",\"https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png\"],\"links\":[\"http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/\",\"twitter.com/tareksiddiki\",\"hacken.io\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
}
]
}siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/02/14 14:41:24
siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/14 14:41:24
| parent author | |
| parent permlink | ico |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| title | Horrors of ICO's: From a bug-bounty hunters perspective. |
| body | @@ -4515,16 +4515,151 @@ Impact%0A +Admin panel could be accessed by the attacker and details of all incoming transactions and all participating users could be monitored. Agrello |
| json metadata | {"tags":["ico","ethereum","neo","hacking","blockchain"],"image":["https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png","https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png","https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png","https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg","https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png","https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png"],"links":["http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/","twitter.com/tareksiddiki","hacken.io"],"app":"steemit/0.1","format":"markdown"} |
| Transaction Info | Block #19864970/Trx 6a841d03f89f47defefe9c14a46037e916230a02 |
{
"trx_id": "6a841d03f89f47defefe9c14a46037e916230a02",
"block": 19864970,
"trx_in_block": 5,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T14:41:24",
"op": [
"comment",
{
"parent_author": "",
"parent_permlink": "ico",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"title": "Horrors of ICO's: From a bug-bounty hunters perspective.",
"body": "@@ -4515,16 +4515,151 @@\n Impact%0A\n+Admin panel could be accessed by the attacker and details of all incoming transactions and all participating users could be monitored. \n Agrello \n",
"json_metadata": "{\"tags\":[\"ico\",\"ethereum\",\"neo\",\"hacking\",\"blockchain\"],\"image\":[\"https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png\",\"https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png\",\"https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png\",\"https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg\",\"https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png\",\"https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png\"],\"links\":[\"http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/\",\"twitter.com/tareksiddiki\",\"hacken.io\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
}
]
}hackenupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/02/14 14:32:45
hackenupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/14 14:32:45
| voter | hacken |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19864798/Trx ac024cb6bc6d415379c7635184b7e4f195420d5d |
{
"trx_id": "ac024cb6bc6d415379c7635184b7e4f195420d5d",
"block": 19864798,
"trx_in_block": 49,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T14:32:45",
"op": [
"vote",
{
"voter": "hacken",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}siddikiupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/02/14 14:27:24
siddikiupvoted (100.00%) @siddiki / horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/14 14:27:24
| voter | siddiki |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| weight | 10000 (100.00%) |
| Transaction Info | Block #19864691/Trx 04b7c5f3b8a972273573aa343a8807acf38b19d6 |
{
"trx_id": "04b7c5f3b8a972273573aa343a8807acf38b19d6",
"block": 19864691,
"trx_in_block": 45,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T14:27:24",
"op": [
"vote",
{
"voter": "siddiki",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"weight": 10000
}
]
}siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective2018/02/14 14:27:24
siddikipublished a new post: horrors-of-ico-s-from-a-bug-bounty-hunters-perspective
2018/02/14 14:27:24
| parent author | |
| parent permlink | ico |
| author | siddiki |
| permlink | horrors-of-ico-s-from-a-bug-bounty-hunters-perspective |
| title | Horrors of ICO's: From a bug-bounty hunters perspective. |
| body | A lot of people choose ICOs nowadays as a red-hot fundraising tool, and where there is money, there lie the eyes of hackers. The blockchain itself is secure, but the fundraising mechanism is sometimes far too vulnerable to compromise. We have seen a lot of reports of ICO security breaches in the last few months. A recent report by [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states that hackers have stolen $400 million from ICOs since 2015. The following table was enough to encourage me to dig deeper into ICOs. | Name | Stolen amount | Date | Description | |------------ |--------------- |------------- |------------------------------------------------------------------------------------------------------------------ | | Etherparty | Not Revealed | 01/Oct/2017 | Hacked into the website and altered the donation address. | | Enigma | 0.471M USD | 20/Aug/2017 | Hacked into Slack, website and email newsletter accounts and manipulated users into sending funds to the hackers' wallet. | | Coindash | 7M USD | 17/Jul/2017 | Hacked into the website and altered the donation address. | | Apex | 0.15M USD | 29/Jan/2018 | Hacked into the website and altered the donation address. | | Seele | 2M USD | 5/Feb/2018 | Hackers compromised a Telegram admin's account and lured users into a private presale. | | Veritaseum | 8.4M USD | 26/Jul/2017 | Unauthorized transaction from wallet. | From the above table we can see that in most cases weak protection of DNS and the hosting server was the main cause of the ICO hack. There were some cases where the smart contract had a backdoor, but nowadays most companies copy the Solidity code of other popular and secure ICOs, so the chance of a smart-contract hack is negligible in those cases. This is [Tarek Siddiki](twitter.com/tareksiddiki), a Bangladeshi security enthusiast. I have worked with various bug-bounty platforms and helped hundreds of companies patch a lot of vulnerabilities over the past few years. 
I continued my bug-bounty approach with ICOs, and in this blog I will talk about my experience with a few of them. In most cases the company acted promptly and welcomed the approach, but there were a few who really deserve to get sued for their negligence on security.  ## Hacking into ICOs I have tested a lot of ICOs since November 2017 and successfully exploited a few of them. Here I am going to share the story of those 5 ICOs: what I found, how I found it, what the impact was, how I reported it to them and what their response was. _I have decided to publish the names and details of the vulnerabilities of those ICOs that successfully completed their fundraising; the ones marked with asterisks are those who have not yet launched their ICO._ ### Story of Fundyourselfnow FYN was my first successful ICO hack. I was able to get admin panel access during their ICO. I used blind XSS payloads in my KYC form. A few moments later an admin went to validate the submission and my payload triggered. I received an email with a canvas screenshot and the cookie of the admin user, which suggests the session cookie was not marked HttpOnly. Those were enough to access the admin panel.  #### Reaction and Impact The team was very surprised by this kind of vulnerability within their system. They implemented a patch within an hour and later conducted a thorough security audit of their platform. No other vulnerabilities were discovered and there was no sign of any other breach at that time. ### Story of Agrello Agrello suffered from the same vulnerability as FYN. Both portals were using the CodeIgniter framework and XSS payloads were not filtered. I used a blind XSS payload in my KYC details. As soon as an admin tried to validate my details, the payload fired and I got the cookies and a canvas screenshot.  #### Reaction and Impact Agrello rewarded a handsome bounty for this disclosure and they were prompt to resolve the issue. ### Story of Zeepin I am a fan of NEO and its ICOs. That's why I decided to look into Zeepin. 
Within the first 5 minutes I identified an error-based SQL injection vulnerability on its KYC portal. I was able to enumerate the database and all its tables. The tables included KYC details, user details, bounty details etc. I tried to check whether I could dump database entries or not and successfully dumped the first two rows of the `zeepin_upload` table as a PoC.  #### Impact It was possible to read all the database tables, which include all participants' personal information, email, password, deposit address, bounty details etc. #### Reaction I contacted one of their Telegram admins to get a proper point of contact to disclose the vulnerability. That person redirected me to another Telegram admin and I disclosed the vulnerability to him. They were prompt to resolve the SQL injection because normal users were having trouble because of my test! But when I discovered another XSS on the KYC application, the Telegram admin said this:  You are collecting 60M USD+ in NEO from people and keeping all their sensitive KYC documents unprotected. When I tried to help you, you were more passionate about grabbing people's money than about securing the process! The height of negligence surprised me. I have never encountered such a thing in my entire life from a company where millions of dollars were at risk. Luckily there was no other hacker poking into this and they escaped. Later, when I asked them for permission to write this blog, they replied:  It's true that we, the bounty hunters, take bounties after disclosing security issues. But the way they handled the whole thing made me reject the offer. On a personal note, I donated 300 NEO to the ZPT ICO and I regret that now! ### Story of ****** This one is so far my favourite finding. The company had neither launched its ICO, nor was its KYC open to the public. So, basically, there was no interface where an outsider could poke at the services. Fortunately, their demo application was hosted on the same server as the main business website. 
I found an interesting RCE in the file uploader of their demo application. ```php <?php $destination_path = getcwd().DIRECTORY_SEPARATOR."upload".DIRECTORY_SEPARATOR; $dataURL = $_POST["image"]; $imgID = $_POST["uid"]; $parts = explode(',', $dataURL); $data = $parts[1]; $data = base64_decode($data); $file = $destination_path . $imgID; $success = file_put_contents($file, $data); print $success ? $file : 1; ?> ``` The root cause is that the uploader uses the client-supplied `uid` as the file name and writes the decoded `image` content as-is, with no check on the name, extension or content type; the fix is to generate the file name server-side, accept only the expected image types, and store uploads outside the web root. You may wonder how I got my hands on this piece of code! As I said, there was an RCE and I was able to read/write anything on the server. I was also able to read the `.my.cnf` file to gain access to cPanel and the DNS settings. #### Impact They are trying to raise ~25M USD for their product. As I had access to their DNS and filesystem, I could have changed the donation address, intercepted the incoming and outgoing emails, and accessed thousands of people's KYC documents. #### Reaction The team responded very quickly and was pleased to take my help in identifying all the potential threats (I tried my best). Now they are looking to make a long-term partnership with a bug-bounty platform to continuously have hundreds of eyes on their production application. ## How can this be remediated? We, the bug-bounty hunters, suffered from the lack of a managed platform for bug bounties in our earlier days. Later, services like HackerOne, Cobalt, Bugcrowd and Synack came into force and the scenario changed drastically. In the blockchain arena, [Hacken](hacken.io) is performing crowdsourced security audits of smart contracts and applications. These services can drastically change the poor security scenario around the blockchain sphere. But above all, companies need to be aware that they lack security. Overconfidence can be very harmful: the blockchain is secure, but the implementation can go wrong. People are trusting countless ICOs and handing over their sensitive documents for the sake of KYC, but there is no one to look after the security of those papers. 
If this situation doesn't change, the future of ICOs will be questioned and identity theft will reach a whole new level! ### Courtesy I used xsshunter.com to test blind XSS. Thanks to Matthew Bryant for developing xsshunter! |
| json metadata | {"tags":["ico","ethereum","neo","hacking","blockchain"],"image":["https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png","https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png","https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png","https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg","https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png","https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png"],"links":["http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/","twitter.com/tareksiddiki","hacken.io"],"app":"steemit/0.1","format":"markdown"} |
| Transaction Info | Block #19864691/Trx 04b7c5f3b8a972273573aa343a8807acf38b19d6 |
{
"trx_id": "04b7c5f3b8a972273573aa343a8807acf38b19d6",
"block": 19864691,
"trx_in_block": 45,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T14:27:24",
"op": [
"comment",
{
"parent_author": "",
"parent_permlink": "ico",
"author": "siddiki",
"permlink": "horrors-of-ico-s-from-a-bug-bounty-hunters-perspective",
"title": "Horrors of ICO's: From a bug-bounty hunters perspective.",
"body": "A lot of people choose ICO's now-a-days as a red-hot fundraising tool and where there is money, there lies the eyes of hacker. Blockchain itself is secure, but the fundraising mechanism is sometimes way too vulnerable to compromise. We have seen a lot of reports on ICO security breach in last few months. A recent report of [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states, Hackers Have Stolen $400 Million From ICOs since 2015. The following table was enough to encourage me to dig more into ICO's.\n\n| Name \t| Stolen amount \t| Date \t| Description \t|\n|------------\t|---------------\t|-------------\t|------------------------------------------------------------------------------------------------------------------\t|\n| Etherparty \t| Not Revealed \t| 01/Oct/2017 \t| Hacked into website and altered the donation address. \t|\n| Enigma \t| 0.471M USD \t| 20/Aug/2017 \t| Hacked into slack, website and email newsletter accounts and manipulated users to send funds to hackers wallet. \t|\n| Coindash \t| 7M USD \t| 17/Jul/2017 \t| Hacked into website and altered the donation address. \t|\n| Apex \t| 0.15M USD \t| 29/Jan/2018 \t| Hacked into website and altered the donation address. \t|\n| Seele \t| 2M USD \t| 5/Feb/2018 \t| Hackers compromised telegram admins account and lured users for a private presale. \t|\n| Veritaseum \t| 8.4M USD \t| 26/Jul/2017 \t| Unauthorized transaction from wallet. \t|\n\n\nFrom the above table we can see that in most of the cases weak protection on DNS and Hosted server was the main reason for ICO hacking. There were some cases where there was backdoor on smartcontract, but now-a-days most of the companies copy solidity codes of other popular and secure ICO's. So the chances of smartcontract hacking is negligible in this case.\n\n\nThis is [Tarek Siddiki](twitter.com/tareksiddiki), a Bangladeshi security enthusiast. 
I worked with various bugbounty platforms and helped hundreds of companies to patch a lot of vulnerabilities in past few years. I continued my bugbounty approach in ICO's and in this blog I will talk about my experience with a few ICO's. In most of the case the company acted promptly and welcomed the approach, but there were few who really deserves to get sued because of their negligence on security.\n\n\n\n\n\n## Hacking into ICO's\nI have tested a lot of ICO's since November 2017 and I successfully exploited few of them. Here, I am going to share the story of those 5 ICO's, what did I find, how did I find, what was the impact, how I reported to them and what was their response etc. \n\n_I have decided to publish the names and details of the vulnerabilities of those ICO's who successfully completed their fundraising, the one with asterisk marks are those who have not yet launched their ICO's._\n\n\n ### Story of Fundyourselfnow\n\nFYN was my first successful ICO hack. I was able to get the admin panel access during their ICO. I used blind XSS payloads in my KYC form. Few moments later an admin went to validate the submission and my payload triggered. I received an email with the canvas screenshot and cookie of the admin user. Those were enough to access the admin panel.\n\n\n\n#### Reaction and Impact\nThe team was very surprised with this kind of vulnerabilities within their system. They implemented a patch within an hour and later conducted a thorough security audit on their platform. No other vulnerabilities were discovered and there were no sign of any other breaches at that time.\n\n ### Story of Agrello\nAgrello suffered from the same vulnerability as FYN. Both portal were using codeigniter framework and XSS payloads were not filtered. I used a blind xss payload in my KYC details. 
As soon as an admin tried to validate my details, the payload fired and I got the cookies and canvas screenshot.\n\n\n\n#### Reaction and Impact\nAgrello rewarded a handsome amount of bounty for this disclosure and they were prompt to resolve the issue.\n\n ### Story of Zeepin\nI am a fan of NEO and it's ICO's. Thats why I decided to look into Zeepin. Within first 5 min I identified an error based SQL injection vulnerability on its KYC portal. I was able to enumerate the database and all its tables. The tables included kyc details, user details, bounty details etc. I tried to check whether I could dump database entries or not and successfully dumped the first two row of `zeepin_upload` table as a PoC.\n\n\n\n#### Impact\nIt was possible to read all the database tables, which includes all participants personal information, email, password, deposit address, bounty details etc.\n\n#### Reaction\nI contacted one of their telegram admin to get a proper point of contact to disclose the vulnerability. That guy redirected me to another telegram admin and I disclosed the vulnerability to him. They were prompt to resolve the SQL injection cause normal users were having trouble because of my test! But when I discovered another XSS on the KYC application, the telegram admin said this:\n\n\n\nYou are collecting 60M USD+ NEO from peoples and keeping all their sensitive KYC documents unprotected. When I tried to help you, you were more passionated to grab peoples money rather than securing the process! The height of negligence surprised me. I have never encountered such thing in my entire life from a company where millions of dollars were at risk. Luckily there were no other hacker poking into this and they escaped.\n\nLater when I asked them about the permission to write this blog, they replied:\n\n\n\nIt's true we, the bounty hunters take bounties after disclosing security issues. But the way they handled the whole thing, made me bound to reject the offer. 
On a personal note, I donated 300 NEO on ZPT ICO and I regret that now!\n\n\n ### Story of ******\nThis one is so far my most favourite finding. The company neither launched its ICO, nor the KYC is open for public. So, basically there was no interface where an outsider could poke the services. Fortunately their demo application was hosted on the same server where the main business website was hosted.\nI found an interesting RCE in the file uploader on their demo application. \n```php\n<?php\n $destination_path = getcwd().DIRECTORY_SEPARATOR.\"upload\".DIRECTORY_SEPARATOR;\n $dataURL = $_POST[\"image\"]; \n $imgID = $_POST[\"uid\"]; \n $parts = explode(',', $dataURL); \n $data = $parts[1]; \n $data = base64_decode($data); \n $file = $destination_path . $imgID;\n $success = file_put_contents($file, $data);\n print $success ? $file : 1;\n?>\n\n```\n\nYou may wonder how did I get my hands on this piece of code! As I said, there was an RCE and I was able to read/write anything on the server. I was also able to read the `.my.cnf` file to gain access to the cPanel and DNS settings.\n\n#### Impact\nThey are trying to raise ~25M USD for their product. As I had the access on their DNS and Filesystem, I could've change the donation address, I could've intercepted the incoming and outgoing emails, I could've access thousand peoples KYC documents.\n\n#### Reaction\nThe team respond very quickly and was pleased to take my help to identify all the potential threats (I tried my best). Now they are looking to make long term partnerships with one bugbounty platform to continuously have hundreds of eye on their production application.\n\n\n## How can this be remediated?\nWe, the bugbounty hunters suffered from a managed platform for bugbounties on our earlier days. Later, services like Hackerone, Cobalt, Bugcrowd and Synack came into force and the scenario changed drastically. 
In blockchain arena, [Hacken](hacken.io) is performing crowdsourced security audit of smart contracts and applications. These services can drastically change the poor scenario around blockchain-sphere. But above all, the companies need to be aware that they lack security. Over confidence can be very harmful, blockchain is secure but implementation can go wrong. People are trusting countless ICO's and putting their sensitive documents for the sake of KYC. But there is no one to look after the security of those papers. If this situation doesn't change, the future of ICO's will be questioned and identity theft will see another new level!\n\n### Courtesy\nI used xsshunter.com to test blind XSS. Thanks Matthew Bryant for developing xsshunter!",
"json_metadata": "{\"tags\":[\"ico\",\"ethereum\",\"neo\",\"hacking\",\"blockchain\"],\"image\":[\"https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png\",\"https://steemitimages.com/DQmWeJuXV6qttk3aNPNn76hicP8WaHzUSrmAy2w7DjMhWuT/FYN.png\",\"https://steemitimages.com/DQmNRSmYoQEgfvcq7cQQ329wGF4w8h7BDUqRLf5aKXLCu8A/agrello.png\",\"https://steemitimages.com/DQmeQ57mMaANJ7vi2Qk7yEmQ879dBNyXg2wjwPorRKKjQTA/zpt.jpg\",\"https://steemitimages.com/DQmWnwt6JKiqbfKn3angm1iWTX37cKaYZvWDgCoYPzdBwRh/zpt_response_1.png\",\"https://steemitimages.com/DQmc5BtzWVVJ6dsoBxqiU5iMCAQs2W3BCqp6dQ6RubpkbjZ/zpt_reward.png\"],\"links\":[\"http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/\",\"twitter.com/tareksiddiki\",\"hacken.io\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
}
]
}siddikideleted a comment or post2018/02/14 11:38:09
siddikideleted a comment or post
2018/02/14 11:38:09
| author | siddiki |
| permlink | hacking-into-ico-s |
| Transaction Info | Block #19861309/Trx f50238f09ec5a732c39aa14cfb8baad6a3e1460c |
{
"trx_id": "f50238f09ec5a732c39aa14cfb8baad6a3e1460c",
"block": 19861309,
"trx_in_block": 11,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T11:38:09",
"op": [
"delete_comment",
{
"author": "siddiki",
"permlink": "hacking-into-ico-s"
}
]
}siddikipublished a new post: hacking-into-ico-s2018/02/14 11:36:33
siddikipublished a new post: hacking-into-ico-s
2018/02/14 11:36:33
| parent author | |
| parent permlink | ico |
| author | siddiki |
| permlink | hacking-into-ico-s |
| title | Hacking into ICO's |
| body | A lot of people choose ICO's now-a-days as a red-hot fundraising tool and where there is money, there lies the eyes of hacker. Blockchain itself is secure, but the fundraising mechanism is sometimes way too vulnerable to compromise. We have seen a lot of reports on ICO security breach in last few months. A recent report of [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states, Hackers Have Stolen $400 Million From ICOs since 2015. | Name | Stolen amount | Date | Description | |------------ |--------------- |------------- |------------------------------------------------------------------------------------------------------------------ | | Etherparty | Not Revealed | 01/Oct/2017 | Hacked into website and altered the donation address. | | Enigma | 0.471M USD | 20/Aug/2017 | Hacked into slack, website and email newsletter accounts and manipulated users to send funds to hackers wallet. | | Coindash | 7M USD | 17/Jul/2017 | Hacked into website and altered the donation address. | | Apex | 0.15M USD | 29/Jan/2018 | Hacked into website and altered the donation address. | | Seele | 2M USD | 5/Feb/2018 | Hackers compromised telegram admins account and lured users for a private presale. | | Veritaseum | 8.4M USD | 26/Jul/2017 | Unauthorized transaction from wallet. | This is Tarek Siddiki, a Bangladeshi security enthusiast. I worked with various bugbounty platforms and helped hundreds of companies to patch a lot of vulnerabilities in past few years. I continued my bugbounty approach in ICO's and in this blog I will talk about my experience with a few ICO's. In most of the case the company acted promptly and welcomed the approach, but there were few who really deserves to get sued because of their negligence on security.  - Background - Hacking into ICO's and their responses - Story of Fundyourselfnow - Story of Agrello - Story of Bitclave - Story of Zeepin - Story of Peeratlas - Story of Thrive - Hacken and HackenProof - Conclusion |
| json metadata | {"tags":["ico","hacking","zeepin","ethereum","neo"],"image":["https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png"],"links":["http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/"],"app":"steemit/0.1","format":"markdown"} |
| Transaction Info | Block #19861277/Trx 97448bf2553a4f39b260af008b54b4bf340b6be8 |
{
"trx_id": "97448bf2553a4f39b260af008b54b4bf340b6be8",
"block": 19861277,
"trx_in_block": 29,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-14T11:36:33",
"op": [
"comment",
{
"parent_author": "",
"parent_permlink": "ico",
"author": "siddiki",
"permlink": "hacking-into-ico-s",
"title": "Hacking into ICO's",
"body": "A lot of people choose ICO's now-a-days as a red-hot fundraising tool and where there is money, there lies the eyes of hacker. Blockchain itself is secure, but the fundraising mechanism is sometimes way too vulnerable to compromise. We have seen a lot of reports on ICO security breach in last few months. A recent report of [Fortune](http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/) states, Hackers Have Stolen $400 Million From ICOs since 2015.\n\n| Name \t| Stolen amount \t| Date \t| Description \t|\n|------------\t|---------------\t|-------------\t|------------------------------------------------------------------------------------------------------------------\t|\n| Etherparty \t| Not Revealed \t| 01/Oct/2017 \t| Hacked into website and altered the donation address. \t|\n| Enigma \t| 0.471M USD \t| 20/Aug/2017 \t| Hacked into slack, website and email newsletter accounts and manipulated users to send funds to hackers wallet. \t|\n| Coindash \t| 7M USD \t| 17/Jul/2017 \t| Hacked into website and altered the donation address. \t|\n| Apex \t| 0.15M USD \t| 29/Jan/2018 \t| Hacked into website and altered the donation address. \t|\n| Seele \t| 2M USD \t| 5/Feb/2018 \t| Hackers compromised telegram admins account and lured users for a private presale. \t|\n| Veritaseum \t| 8.4M USD \t| 26/Jul/2017 \t| Unauthorized transaction from wallet. \t|\n\nThis is Tarek Siddiki, a Bangladeshi security enthusiast. I worked with various bugbounty platforms and helped hundreds of companies to patch a lot of vulnerabilities in past few years. I continued my bugbounty approach in ICO's and in this blog I will talk about my experience with a few ICO's. 
In most of the case the company acted promptly and welcomed the approach, but there were few who really deserves to get sued because of their negligence on security.\n\n\n\n\n- Background\n- Hacking into ICO's and their responses\n - Story of Fundyourselfnow\n - Story of Agrello\n - Story of Bitclave\n - Story of Zeepin\n - Story of Peeratlas\n - Story of Thrive\n- Hacken and HackenProof\n- Conclusion",
"json_metadata": "{\"tags\":[\"ico\",\"hacking\",\"zeepin\",\"ethereum\",\"neo\"],\"image\":[\"https://steemitimages.com/DQmYNy4RArdzrpzbcMtoW3WwJwyz6qEPve67VV6U6KVwXch/greed.png\"],\"links\":[\"http://fortune.com/2018/01/22/ico-2018-coin-bitcoin-hack/\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
}
]
}siddikiupdated their account properties2018/02/05 18:36:57
siddikiupdated their account properties
2018/02/05 18:36:57
| account | siddiki |
| memo key | STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4 |
| json metadata | {"profile":{"name":"Tarek Siddiki"}} |
| Transaction Info | Block #19610882/Trx c681ab3c50333b3258ae0694c0504dc3b569fc74 |
{
"trx_id": "c681ab3c50333b3258ae0694c0504dc3b569fc74",
"block": 19610882,
"trx_in_block": 11,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-02-05T18:36:57",
"op": [
"account_update",
{
"account": "siddiki",
"memo_key": "STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4",
"json_metadata": "{\"profile\":{\"name\":\"Tarek Siddiki\"}}"
}
]
}2018/01/09 07:13:06
2018/01/09 07:13:06
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 29690.612798 VESTS |
| Transaction Info | Block #18820258/Trx de637732086ff34f94e8445e6404a698fa628151 |
{
"trx_id": "de637732086ff34f94e8445e6404a698fa628151",
"block": 18820258,
"trx_in_block": 1,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-01-09T07:13:06",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "29690.612798 VESTS"
}
]
}2018/01/09 06:39:27
2018/01/09 06:39:27
| parent author | siddiki |
| parent permlink | re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z |
| author | brettdenaro |
| permlink | re-siddiki-re-eludelalune-my-bitclave-review-the-next-big-hype-20180109t063929180z |
| title | |
| body | The white paper explains all of that! The process is very similar to Steem... |
| json metadata | {"tags":["cryptocurrency"],"app":"steemit/0.1"} |
| Transaction Info | Block #18819588/Trx a2d32cd11ab5b27499746ecd1152bc3f267c3f69 |
{
"trx_id": "a2d32cd11ab5b27499746ecd1152bc3f267c3f69",
"block": 18819588,
"trx_in_block": 36,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2018-01-09T06:39:27",
"op": [
"comment",
{
"parent_author": "siddiki",
"parent_permlink": "re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z",
"author": "brettdenaro",
"permlink": "re-siddiki-re-eludelalune-my-bitclave-review-the-next-big-hype-20180109t063929180z",
"title": "",
"body": "The white paper explains all of that! The process is very similar to Steem...",
"json_metadata": "{\"tags\":[\"cryptocurrency\"],\"app\":\"steemit/0.1\"}"
}
]
}siddikiremoved vote from (0.00%) @siddiki / re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z2017/08/05 12:08:24
siddikiremoved vote from (0.00%) @siddiki / re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z
2017/08/05 12:08:24
| voter | siddiki |
| author | siddiki |
| permlink | re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z |
| weight | 0 (0.00%) |
| Transaction Info | Block #14308227/Trx 01fbbd2a4a53c09cbe709033617f4ccf47095779 |
{
"trx_id": "01fbbd2a4a53c09cbe709033617f4ccf47095779",
"block": 14308227,
"trx_in_block": 31,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2017-08-05T12:08:24",
"op": [
"vote",
{
"voter": "siddiki",
"author": "siddiki",
"permlink": "re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z",
"weight": 0
}
]
}2017/08/05 12:08:09
2017/08/05 12:08:09
| voter | siddiki |
| author | siddiki |
| permlink | re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z |
| weight | 10000 (100.00%) |
| Transaction Info | Block #14308222/Trx f8aebca1508ca7ee6f3a675b9445beb5ec03cf0e |
{
"trx_id": "f8aebca1508ca7ee6f3a675b9445beb5ec03cf0e",
"block": 14308222,
"trx_in_block": 7,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2017-08-05T12:08:09",
"op": [
"vote",
{
"voter": "siddiki",
"author": "siddiki",
"permlink": "re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z",
"weight": 10000
}
]
}2017/08/05 11:35:21
2017/08/05 11:35:21
| parent author | eludelalune |
| parent permlink | my-bitclave-review-the-next-big-hype |
| author | siddiki |
| permlink | re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z |
| title | |
| body | Bitclave wants to remove the middleman from the advertisement industry. But how? Being a middleman itself? If not, how the company will profit? What is the revenue model of Bitclave? |
| json metadata | {"tags":["cryptocurrency"],"app":"steemit/0.1"} |
| Transaction Info | Block #14307566/Trx 44a8e9d839aae641693f537bc544ed6884564797 |
{
"trx_id": "44a8e9d839aae641693f537bc544ed6884564797",
"block": 14307566,
"trx_in_block": 14,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2017-08-05T11:35:21",
"op": [
"comment",
{
"parent_author": "eludelalune",
"parent_permlink": "my-bitclave-review-the-next-big-hype",
"author": "siddiki",
"permlink": "re-eludelalune-my-bitclave-review-the-next-big-hype-20170805t113521096z",
"title": "",
"body": "Bitclave wants to remove the middleman from the advertisement industry. But how? Being a middleman itself? If not, how the company will profit? What is the revenue model of Bitclave?",
"json_metadata": "{\"tags\":[\"cryptocurrency\"],\"app\":\"steemit/0.1\"}"
}
]
}2017/08/04 05:16:03
2017/08/04 05:16:03
| delegator | steem |
| delegatee | siddiki |
| vesting shares | 29941.459247 VESTS |
| Transaction Info | Block #14271401/Trx 4b905985ab22ccd90ae16830684928a5e3daeecf |
{
"trx_id": "4b905985ab22ccd90ae16830684928a5e3daeecf",
"block": 14271401,
"trx_in_block": 8,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2017-08-04T05:16:03",
"op": [
"delegate_vesting_shares",
{
"delegator": "steem",
"delegatee": "siddiki",
"vesting_shares": "29941.459247 VESTS"
}
]
}2017/06/28 20:37:12
2017/06/28 20:37:12
| fee | 0.500 STEEM |
| delegation | 57000.000000 VESTS |
| creator | steem |
| new account name | siddiki |
| owner | {"weight_threshold":1,"account_auths":[],"key_auths":[["STM5yf2qfm8KQA7VqWqxqDbXvpPAgHUnSJGXes2zMbA7JdyuPboYJ",1]]} |
| active | {"weight_threshold":1,"account_auths":[],"key_auths":[["STM5KZ7PvqUqxYGUK3FB6kYimLXnZRqcMAi3LHYZu28a6dvCpzH2j",1]]} |
| posting | {"weight_threshold":1,"account_auths":[],"key_auths":[["STM6CnjBvxxnW1fkqdNfdM2nC2GxtTJqfwd3emBSp8JgNUinHNNJj",1]]} |
| memo key | STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4 |
| json metadata | |
| extensions | [] |
| Transaction Info | Block #13225503/Trx 082eaf75603f7055db3423b31cdfe4f3d6aa63d9 |
{
"trx_id": "082eaf75603f7055db3423b31cdfe4f3d6aa63d9",
"block": 13225503,
"trx_in_block": 12,
"op_in_trx": 0,
"virtual_op": 0,
"timestamp": "2017-06-28T20:37:12",
"op": [
"account_create_with_delegation",
{
"fee": "0.500 STEEM",
"delegation": "57000.000000 VESTS",
"creator": "steem",
"new_account_name": "siddiki",
"owner": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5yf2qfm8KQA7VqWqxqDbXvpPAgHUnSJGXes2zMbA7JdyuPboYJ",
1
]
]
},
"active": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5KZ7PvqUqxYGUK3FB6kYimLXnZRqcMAi3LHYZu28a6dvCpzH2j",
1
]
]
},
"posting": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM6CnjBvxxnW1fkqdNfdM2nC2GxtTJqfwd3emBSp8JgNUinHNNJj",
1
]
]
},
"memo_key": "STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4",
"json_metadata": "",
"extensions": []
}
]
}Manabar
Voting Power100.00%
Downvote Power100.00%
Resource Credits100.00%
Reputation Progress25.49%
{
"voting_manabar": {
"current_mana": "8143659806",
"last_update_time": 1779085851
},
"downvote_manabar": {
"current_mana": 2035914951,
"last_update_time": 1779085851
},
"rc_account": {
"account": "siddiki",
"rc_manabar": {
"current_mana": "10164408779",
"last_update_time": 1779085851
},
"max_rc_creation_adjustment": {
"amount": "2020748973",
"precision": 6,
"nai": "@@000000037"
},
"max_rc": "10164408779"
}
}Account Metadata
| POSTING JSON METADATA | |
| profile | {"name":"Tarek Siddiki","profile_image":"https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg","location":"Bangladesh"} |
| JSON METADATA | |
| profile | {"name":"Tarek Siddiki","profile_image":"https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg","location":"Bangladesh"} |
{
"posting_json_metadata": {
"profile": {
"name": "Tarek Siddiki",
"profile_image": "https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg",
"location": "Bangladesh"
}
},
"json_metadata": {
"profile": {
"name": "Tarek Siddiki",
"profile_image": "https://profile-photos.hackerone-user-content.com/production/000/003/502/8db70136831733b6b09a58f011fcbef1caf16b70_xtralarge.jpg",
"location": "Bangladesh"
}
}
}Auth Keys
Owner
Single Signature
Public Keys
STM5yf2qfm8KQA7VqWqxqDbXvpPAgHUnSJGXes2zMbA7JdyuPboYJ1/1
Active
Single Signature
Public Keys
STM5KZ7PvqUqxYGUK3FB6kYimLXnZRqcMAi3LHYZu28a6dvCpzH2j1/1
Posting
Single Signature
Public Keys
STM6CnjBvxxnW1fkqdNfdM2nC2GxtTJqfwd3emBSp8JgNUinHNNJj1/1
Memo
STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4
{
"owner": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5yf2qfm8KQA7VqWqxqDbXvpPAgHUnSJGXes2zMbA7JdyuPboYJ",
1
]
]
},
"active": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5KZ7PvqUqxYGUK3FB6kYimLXnZRqcMAi3LHYZu28a6dvCpzH2j",
1
]
]
},
"posting": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM6CnjBvxxnW1fkqdNfdM2nC2GxtTJqfwd3emBSp8JgNUinHNNJj",
1
]
]
},
"memo": "STM87WvR8FWvyCN1xqyCTvg672FQKfUmE9HxDivsGK9DXrS5cf3q4"
}Witness Votes
0 / 30
No active witness votes.
[]