Board: Wallet software
Re: Online Wallet: Sendbit
by cryptoworld99 on 09/05/2020, 12:45:45 UTC

Edit:

Additionally, the provider of the web wallet doesn't have a clue what they are talking about in the "security" section:

Application

We use SQL injection filters to prevent CSRF attacks and XSS attacks [...]
This doesn't make sense at all.


And additionally, instead of hashing the password client-side and transmitting the hash to the server, they are transmitting the password in plain text.
POST Request upon registering:
Code:
user_name=815ff46a-d01a-4582-ace7-9357a066c32d&email=test1%40test.com&password=test1234%21&password_repeat=test1234%21&register=REGISTER


Summary: Don't use that wallet! Even if it is built without malicious intent, even simple steps like not transmitting passwords in plain text aren't implemented.
This wallet is either a scam or insecure.

Even if you ignore the fact that they have access to your private keys (which you shouldn't ignore), it is extremely unsafe to use that wallet.



I don't see what the problem is here.
Code:
user_name=815ff46a-d01a-4582-ace7-9357a066c32d&email=test1%40test.com&password=test1234%21&password_repeat=test1234%21&register=REGISTER

From what I see, in "test1%40test.com" the % has stopped the @ symbol; this does not mean a wallet is insecure. They have their own means of password hashing. I've checked out the website and they claim: "We hash passwords stored in the database with bcrypt with a cost factor of 12. We check all accounts for strong passwords on account creation. Wallet credentials are kept separate from the database and code base."

From my knowledge, cost factor 12 encryption is the best possible encryption, but the admin should step up and answer us to clarify. I have emailed them with a link to this topic.


Application

We use SQL injection filters to prevent CSRF attacks and XSS attacks [...]
This doesn't make sense at all.

What doesn't make sense about this? It makes total sense to me... Are you a developer? Because you lack serious knowledge about the backend programming of a website.

I am a top PHP/C++ dev; you can see my merits and how I've been helping other bitcointalk members regarding Bitcoin Core issues... Let's not jump to conclusions. I will do more in-depth research into the Sendbit wallet and will update accordingly.
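Added example, not code from the thread or from Sendbit: decoding the quoted registration body with Python's urllib.parse shows that %40 and %21 are only the percent-encoded forms of "@" and "!", so the password reaches the server exactly as typed, and it is the server that must then derive a slow hash from it before storing anything. The site claims bcrypt at cost 12; bcrypt is not in the standard library, so hashlib.scrypt stands in here as an assumption.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed copy of the registration body quoted in the thread.
POST_BODY = ("user_name=815ff46a-d01a-4582-ace7-9357a066c32d&email=test1%40test.com"
             "&password=test1234%21&password_repeat=test1234%21&register=REGISTER")


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values.
    parse_qs undoes percent-encoding, so %40 -> '@' and %21 -> '!'."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def hash_password(password: str, salt: bytes = None) -> str:
    """Server-side slow hash of the decoded password (scrypt stands in for the
    bcrypt cost-12 hash the site claims; parameters are an assumption)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                            n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(body: str) -> dict:
    """What a registration handler sees: the plaintext password after decoding,
    which it must hash before storing. Returns the record to persist."""
    fields = decode_form(body)
    if fields["password"] != fields["password_repeat"]:
        raise ValueError("passwords do not match")
    return {"user_name": fields["user_name"], "email": fields["email"],
            "password_hash": hash_password(fields["password"])}


if __name__ == "__main__":
    print(decode_form(POST_BODY))   # email decodes to test1@test.com, password to test1234!
    print(register(POST_BODY)["password_hash"])
```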