2022 updates rollup: vulnerabilities detected and fixed

Back in January, we started a coding spree that lasted about a month to fix a lot of vulnerabilities across many of our subsystems. We were being constantly probed for holes, and our security systems kept warning us. So we checked the logs, identified the attack vectors and put fixes in place almost in real time.

Then everything went calm.

A few weeks ago, the Onix Dev Team pulled us into a conversation with a security firm that had contacted them to report vulnerabilities in some of their systems. Since we're related to Onix and share the same roots, we joined the discussion with this firm.

Meet WarX

We're really happy with the help provided by Dhina and Varma from WarX.

WarX is a company committed to delivering solutions that are efficient, customized, and cost-effective to customers across geographies. And they did a great job with their time and efforts on our systems.

They helped with penetration tests, pointing out vulnerabilities and showing us attack vectors we hadn't considered before.

Here's a partial list of the things they helped us fix:

  • Added setup checks to our core so it no longer throws warnings when invoked after the initial run.
  • Added a web helper function to detect script injections.
  • Added sanitization and attack checks to our account management scripts:
    • Added CSRF treatment methods to the accounts manager.
    • Account registration and editing.
    • Devices manager.
    • Admin tools.
    • 2FA toolbox.
    • Secured session cookies.
  • Added input sanitization checks on:
    • Geolocation databases
    • Facebook login
    • Forums (posts, ratings, comments, comment likes)
    • Mobile client
    • Support tickets

And many more.

Everything was managed in a way that didn't affect our users. We might have closed all open sessions a couple of times, but no action was needed on users' behalf other than logging in again.

So far, all detected vulnerabilities have been fixed. But that doesn't mean we'll let our guard down. We constantly monitor our security systems and react ASAP to block new attack vectors.

We'd like to thank all our users for keeping up with us.

And we deeply thank the guys at WarX for doing a great job helping us improve our security.
