Hacker Sells 2FA bypass flaw in Poloniex exchange after 2 months wait

The sold vulnerability facilitates Bypassing 2FA on Poloniex – The hacker sold the flaw after they waited for Poloniex’s reply for 2 months.

The security researcher who bypassed the two-factor authentication on Poloniex, a digital asset exchange service based in the United States, states that he has sold the vulnerability now after giving the company 60 days’ time to fix the issue.

The researcher used the Reddit handle Poloniex2FASucks and issued this statement: “I sold the exploit, and will be donating 20% to OSS, and 75% to a charity, and keeping the remaining 5% for myself.”

He further revealed the reason behind selling the vulnerability in his Reddit post: “I did this because more than one person informed me that not only would they refuse to payout a bounty, even a symbolic one, but they’d also threaten to sue me for having abused the exploit to create my proof of concept.”

Regarding the vulnerability, the researcher stated that he was able to withdraw cryptocurrencies from a Poloniex account without having to access the two-factor device, which is used by account holders on Poloniex.

Through this device, account holders can login into their accounts and also confirm the withdrawal of crypto currency. According to the post, the researcher got the password of the Poloniex account from a leaked database and used it to withdraw digital currency.

“Since their support takes over 60 days to respond to my tickets, I’m guessing they have no interest in fixing it, and that it is intentional. Having done previous bug-bounties, the 60 days since the date the bug was reported or, in this case, attempted to be reported, are now over, and I have no qualms about publicly disclosing it,” Poloniex2FASucks wrote.

On the other hand, Poloniex claims that the company offers optimal security and “advanced trading features” to its customers and keeps a majority of deposits in air-gapped cold storage to prevent infiltration by cyber criminals. The company maintains that only that much deposits are stored online that could “facilitate active trading” to curb risks and exposure.

However, the researcher stated that the security measures at Poloniex were pretty outdated since opening authentication pages on the website was a piece of cake for him. All that was needed to confirm the outgoing transaction was “simply opening the email on a client that crawls links.”

He believes that the company has no intention or interest in fixing the flaw probably that’s why there hasn’t been any response to his tickets in over 60 days period.

If you are interested in reading more about the issue follow these two (1 & 2) Reddit posts.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.