Steiner (FreeBitcoins.com CEO) vs Blockchain.com dba “The Pit”
https://bitcointalk.org/index.php?topic=5193539.msg52781465#msg52781465

Project: “2FA DUMP”
By: Steven Steiner For: ******** (removed and approved for public release)

Anyone is allowed to use anything from this for anything.
Definitions
2fa = Two Factor Authentication, this is a code that generates every 30 seconds on a secondary device (such as a cell phone) that is prompted to the user after they enter their first password.

Backup code = A backup code is a way that a user can recover their 2fa without actually having access to their 2fa. Such as if you broke your cell phone and needed to install the 2fa on a new phone. You would use this code.

BayAreaCoins = One of my online aliases. Steven Steiner, CEO of FreeBitcoins.com

Bug Bounty = This is a payment paid to a “White Hat Hacker” that disclosed a bug in their system and didn’t exploit it.

Dump = Information (usually private) being posted.

White hat hacker = Someone that isn’t exploiting a flaw and approaches the company in good faith that the company will follow the terms set forth in their bug bounty program.
Summary Page 1 (The Testing)
I created an account on Blockchain.com’s new exchange “The Pit” in October 2019 while living in Arkansas using my old San Francisco address. The Pit was not accepting Arkansas clients, but my old address did work for their verification process and I was approved to their “Gold Program”: $200k crypto withdrawals and $100k fiat withdrawals per week! They advertise “Military Grade security”.

Prior to making a deposit I decided to test the system for security flaws. I noticed that they offered a 2fa backup dump button and I decided to see how it worked.

I noticed that when using this dump button I was never prompted for my 2fa in order to get the secret to turn the 2fa off!! This basically renders the 2fa worthless if the attacker is already logged into the account on a password manager.
Summary Page 2 (The White Hat)
I knew this was a major security flaw because I had literally just built 2fa with my small team for the FreeBitcoins.com exchange and that was a direct discussion of ours and why it put our users at serious and potentially deadly risk (just shoot the person and take their computer… who is going to know for a day or two?).

I contacted Blockchain.com’s customer support; they informed me that they did have a bug bounty system and if I wanted to participate I would need to register and submit my findings on a website called “HackerOne.com”.

I went ahead and told the Blockchain.com support what the problem was and they again told me to submit the finding on HackerOne.com. I decided to go ahead and do so because their HackerOne page said they would pay $2,000+ for security flaws that could result in customers losing funds, and this very much meets that criteria.
Summary Page 3 (French Military Grade Security)
I opened my bug bounty on HackerOne officially laying out the problem and screenshots. HackerOne’s staff responded to me that same day and said that the “button worked as intended because how else would someone replace their 2fa code if they lost their phone?” (omg, the correct answer is that you back your stuff up BEFORE you lose it!!) They then said that this is how Google does their 2fa backup as well, but this is false: Google prompts the user for their 2fa before displaying their backup codes, but they do have a checkbox to bypass the secondary 2fa… however, something with “military grade security” should be authenticating users on major security transactions every time!!!!!

I thought this was really weird, but I just kind of shrugged it off and told them yikes!
Page 4 (Blockchain.com Fixes It and Shafts Me)
Two days later I decided to log into my The Pit account and browse a little more.

I clicked on the 2fa backup dump button…. To my surprise the button now prompted me for my 2fa!!! These bastards made my fix! (thank god because it was SUPER dangerous.)

I then reached out to Blockchain.com and let them know what was going on with HackerOne.

HackerOne then reopened my case and said it was an “improvement” that was “pipelined to be fixed”… this isn’t true because it was already fixed!!! They told me they still didn’t consider it a bug, but they were going to give me $50 for my “efforts”... all I needed to do was fill out a form that included my social security and all types of crazy personal information for my $50 bounty.

Blockchain’s staff then told me that the bug was actually previously known about prior to my report and was scheduled to be fixed…?! LOL… um… so they knew about this major security flaw while they continued to advertise their exchange as military grade?

It was all just super sketchy and I feel like I should do something.
Example of the flaw
Imagine you are visiting New York City and you want to go down to the coffee shop to trade some Bitcoin and relax. However, you know you don’t want to withdraw (requires 2fa in order to prevent computer theft), so you decide to leave your 2fa phone at your apartment… that way even if someone steals your bag on the subway and has access to your account, they can’t really do anything dangerous. Besides perhaps trade it, but that all happens on a central computer system; blockchain stuff is like cash… when it is sent, it’s gone forever.

Anyways, it happens, someone steals your computer while you’re drinking your coffee. The attacker can use your logged in password manager to dump your 2fa backup code, turn your 2fa off, turn their own 2fa code on (thus locking you out) and then proceed to withdraw the loot in Bitcoin, $200,000 a week.

It puts customers in an EXTREMELY dangerous position and is NOT military grade security, or at least hopefully not our American military's security!
Oct 15th HackerOne vs Oct 18th Blockchain
Resolution
It felt like just someone giving me the run around to cover up some stupid mistake a whole team made.

Their bug bounty terms say $2,000 or more for a bug that results in customer funds being lost. I firmly believe this security flaw meets this criteria. Their highest bug bounty is $6,000 for some airdrop stuff.

I’m open to ideas about settlements, but $50 is clearly not acceptable! lol

This is a big international company and I’m absolutely not wrong. I’m sure they will settle. I’m not upset enough to be super hard headed about this, but I am obviously confident enough to approach you + I hate to see honest White Hat Hackers be mistreated by companies.

The following picture slides are in chronological order:
Bitcoin code contributor / security guru.
Finally, they claim they knew about it and planned to fix it… but at the same time they were running marketing in which they boasted they had “military grade security”!
6-23-2020 Update
HackerOne contacted me and said that they were not going to pay the $50 award for me “trying” any more… boohoo… Keep in mind they wanted my social security and all types of private personal information in order to release the $50 payment.
Blockchain.com claims they knew the issue existed prior to my report, but allowed the issue to be on their website.
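The flaw the post describes (Summary Page 1 and “Example of the flaw”) is a sensitive account action, revealing the 2fa secret so 2fa can be turned off, that is gated only on an existing login session. The defensive pattern is step-up authentication: the action must present a fresh 2fa code with the request, regardless of whether the session is already logged in. The example below is added here and is not code from Blockchain.com, The Pit, HackerOne or the post’s author; the account and session classes and the two `reveal_secret_*` functions are assumptions made for illustration. TOTP follows RFC 6238 (HMAC-SHA1, six digits, 30-second step), so the codes match what a phone authenticator app shows.

```python
"""Step-up (re-authentication) gate for a "reveal 2fa backup secret" action.

Added example, not code from Blockchain.com, The Pit, HackerOne or the post's
author. Account, Session and the reveal_secret_* functions are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


@dataclass
class Account:
    totp_secret: str                                   # what the backup-dump button reveals
    used_counters: set = field(default_factory=set)    # counters already accepted (replay guard)


@dataclass
class Session:
    account: Account
    logged_in: bool = True      # e.g. a password-manager session on a stolen laptop


class StepUpRequired(Exception):
    """Sensitive action attempted without a fresh, valid 2fa proof."""


def reveal_secret_vulnerable(session: Session) -> str:
    """The behaviour the post describes: any logged-in session gets the
    secret, so possession of the session alone is enough to disable 2fa."""
    if not session.logged_in:
        raise PermissionError("login required")
    return session.account.totp_secret


def reveal_secret_hardened(session: Session, code: Optional[str], now: int) -> str:
    """Same action, but the request must carry a TOTP code valid right now.

    The code is checked against the current step and the previous one (clock
    skew), compared in constant time, and each counter is accepted only once
    so a code captured in transit cannot be replayed."""
    if not session.logged_in:
        raise PermissionError("login required")
    if code is None:
        raise StepUpRequired("2fa code required to reveal backup secret")
    acct = session.account
    counter = now // STEP_SECONDS
    for candidate in (counter, counter - 1):
        expected = totp(acct.totp_secret, candidate * STEP_SECONDS)
        if hmac.compare_digest(expected, code) and candidate not in acct.used_counters:
            acct.used_counters.add(candidate)
            return acct.totp_secret
    raise StepUpRequired("invalid or already-used 2fa code")


def new_secret() -> str:
    """Fresh 160-bit base32 secret, the size authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    acct = Account(totp_secret=new_secret())
    stolen = Session(acct)                    # attacker holds the logged-in session only
    now = int(time.time())
    print("vulnerable path leaks secret:", reveal_secret_vulnerable(stolen) == acct.totp_secret)
    try:
        reveal_secret_hardened(stolen, None, now)
    except StepUpRequired as err:
        print("hardened path blocked:", err)
    phone_code = totp(acct.totp_secret, now)  # only the phone's owner can produce this
    print("with phone code:", reveal_secret_hardened(stolen, phone_code, now) == acct.totp_secret)
```

The point of the hardened path is that the check runs at the moment of the sensitive action, not at login: a session that was legitimately authenticated with 2fa hours ago still cannot export the secret without the phone in hand, which is exactly the “leave the phone at home” protection the post relies on.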