Back in January, we started a coding spree that lasted about a month to fix a lot of vulnerabilities across many of our subsystems. We were being constantly probed for holes, and our security systems kept warning us. So we checked the logs, identified the attack vectors and put fixes in place almost in real time.
Then everything went calm.
A few weeks ago, the Onix Dev Team pulled us into a talk with a security firm that had contacted them to report vulnerabilities in some of their systems. Since we're related to Onix and share the same code roots, we joined the conversation with this firm.
We're really happy with the help provided by Dhina and Varma from WarX.
WarX is a company committed to delivering solutions that are efficient, customized, and cost-effective to customers across geographies. And they did a great job with their time and efforts on our systems.
They helped with penetration tests, pointing out vulnerabilities and showing us attack vectors we hadn't considered before.
Here's a partial list of the things they helped us fix:
- Added setup checks to our core so that invoking setup again after the initial run no longer throws warnings.
- Added web helper function to detect script injections.
- Added sanitization and attack checks to our account management scripts:
  - CSRF treatment methods for the accounts manager.
  - Account registration and editing.
  - Devices manager.
  - Admin tools.
  - 2FA toolbox.
- Secured session cookies.
- Added input sanitization checks on:
  - Geolocation databases
  - Facebook login
  - Forums (posts, ratings, comments, comment likes)
  - Mobile client
  - Support tickets
And many more.
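Two of the items above, CSRF treatment and secured session cookies, are easy to get subtly wrong, so here is an added example of what they look like in practice. This is illustrative code written for this post, not Blockchain Financial's or WarX's code: it assumes a hypothetical `SITE_ORIGIN`, a per-deployment `SERVER_SECRET` (generated in-process here so the example runs stand-alone) and a form field named `csrf_token`. Tokens are bound to the session with an HMAC, expire after a fixed TTL, and are compared in constant time; the cookie helper emits the `HttpOnly`, `Secure` and `SameSite` attributes, and `handle_post` also rejects requests whose `Origin` header does not match the site.

```python
"""Added example (not the site's own code): session-bound CSRF tokens and
hardened session cookie attributes, using only the Python standard library."""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumptions for the example: in a real deployment the secret is loaded from
# config and the origin is the site's real scheme+host.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://example.com"   # hypothetical
TOKEN_TTL = 3600                      # seconds a CSRF token stays valid
_HEX = set("0123456789abcdef")


def _sign(session_id: str, nonce: str, issued: int) -> str:
    """HMAC over session id, nonce and issue time: the token only verifies
    for the session it was issued to."""
    msg = f"{session_id}|{nonce}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Return a token to embed in forms as a hidden field."""
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    return f"{nonce}.{issued}.{_sign(session_id, nonce, issued)}"


def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired token signed for *this* session."""
    current = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, issued_str, mac = parts
    # Reject malformed fields before doing any crypto on them.
    if not issued_str.isdecimal() or not mac or not set(mac) <= _HEX:
        return False
    issued = int(issued_str)
    if issued > current or current - issued > TOKEN_TTL:
        return False
    expected = _sign(session_id, nonce, issued)
    # Constant-time comparison: a plain == leaks timing on the first wrong byte.
    return hmac.compare_digest(expected, mac)


def session_cookie_header(session_id: str, max_age: int = TOKEN_TTL) -> str:
    """Set-Cookie value for the session cookie with hardened attributes:
    HttpOnly keeps it away from scripts, Secure keeps it off plain HTTP,
    SameSite=Lax stops most cross-site POSTs from carrying it."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def handle_post(headers: dict, form: dict, session_id: str,
                now: Optional[int] = None) -> bool:
    """Gate a state-changing POST: Origin must match the site when present,
    and the submitted token must validate for the session in the cookie."""
    origin = headers.get("Origin")  # browsers send Origin on cross-site POSTs
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return verify_csrf_token(form.get("csrf_token", ""), session_id, now)


if __name__ == "__main__":
    sid = secrets.token_urlsafe(24)
    print(session_cookie_header(sid))
    tok = issue_csrf_token(sid)
    print("same session:", verify_csrf_token(tok, sid))
    print("other session:", verify_csrf_token(tok, "another-session"))
    print("cross-site POST:", handle_post({"Origin": "https://evil.example"},
                                          {"csrf_token": tok}, sid))
```

The token is tied to the session rather than stored server-side, so it needs no database round trip and does not survive a session rotation; if you also re-issue session ids on login (as the post's closed-session episodes suggest happened), old tokens die with the old session automatically. The `Origin` check is a second, independent layer: it costs nothing and catches a forged request even if a token has leaked.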
Everything was managed in a way that didn't affect our users. We might have closed all open sessions a couple of times, but no action was needed on users' behalf other than logging in again.
So far, all detected vulnerabilities have been fixed. But that doesn't mean we'll let our guard down. We constantly monitor our security systems and react ASAP to block new attack vectors.
We'd like to thank all our users for keeping up with us,
And we deeply thank the guys at WarX for doing a great job helping us improve our security.