First Stablecoin Trading Pair Goes Live on Binance DEX

Seattle-based, venture-capital-backed blockchain startup Stably, the issuer of USDSB, the first stablecoin launched on Binance Chain, has announced that a trading pair for USDSB is going live on Binance DEX today (June 24).

Seattle-based Stably was co-founded by Kory Hoang (Chief Executive Officer), a former private-equity data analyst at PitchBook; David Zhang (Chief Technology Officer), formerly a Software Development Engineer at Amazon; Amiya Diwan (Chief Product Officer), also a former Software Development Engineer at Amazon; and Bryan Guy (Chief Legal Officer), a licensed attorney.

Stably announced on 1 November 2018 the early access launch of its pegged and fully dollar-collateralized stablecoin, StableUSD (USDS), which had first been launched on the Ethereum mainnet on 16 August 2018. Stably said at the time that the fiat reserves were held in FDIC-insured escrow accounts managed by custodian Prime Trust, and that a leading accounting firm, Cohen & Co., would be conducting weekly attestations for these fiat reserves. 

Then, on 1 February 2019, USDS got listed on Binance’s centralized exchange (Binance.com), and two trading pairs for it, BNB/USDS and BTC/USDS, went live on 5 February 2019.

Later that month, trading pairs to support trading USDS against four other stablecoins—USDT, USDC, PAX, and TUSD—became available on Binance.com.

On March 18, Stably said that USDS had received support from Binance’s over-the-counter (OTC) desk. Kory Hoang, the Stably CEO, had this to say at the time:

“Partnering with Binance OTC allows us to provide even more liquidity to trading shops who want to move large amounts between major cryptocurrencies and USDS.”

In a blog post published on June 3, Stably announced it was going to issue StableUSD on Binance Chain, and that USDSB, a BEP-2 token, would become the first stablecoin on Binance Chain. Mahraan Qadir, Director of Product Management at Stably, went on to say:

“Building on Binance Chain provides many benefits for stablecoin users, such as improved security, ease of use, and speed of transaction. This makes USDSB one of the fastest major stablecoins on the market, with one-second block confirmation time and the ability to process several thousands of transactions per second.”

He also said:

“Expanding onto Binance Chain will also allow the Stably team to eventually submit a proposal to list USDSB on Binance DEX, an initiative that we are planning to achieve in the coming weeks. If it is approved by the validators and gets listed, USDSB will become the first stablecoin to launch on Binance DEX…”

Well, now, three weeks later, we learn via another blog post by Qadir that USDSB has indeed been listed on Binance DEX and that the BNB/USDSB trading pair goes live on Binance DEX today (expected at 10:00 UTC). Furthermore, he says that Stably is “planning to list USDSB with additional assets on Binance DEX very soon.”

Also, according to Qadir, today, two trading pairs for USDSB are being launched on Binance.com: USDSB/USDT and USDSB/USDS.

Featured Image Courtesy of Binance

Researchers Uncover Threat of ‘Unusual’ Virtual Machine Crypto Mining


This Ethereum Lottery Perfectly Explains How Facebook’s Big Corporate Backers Will Profit from Crypto

To understand how early investors in Facebook’s new Libra blockchain will make money over time, it helps to dig into a new lottery going live on ethereum mainnet Monday.

It’s a lossless lottery called PoolTogether and tickets are now on sale. Its similarity to Libra is not a completely one-to-one relationship, but the key insight of both is the same: Earning interest on your own money is good, but it’s better to also earn interest on other people’s money.

So first let’s explain this new ethereum game before circling back to Libra.

On PoolTogether, each ticket sells for 20 DAI (the stablecoin generated by the MakerDAO protocol, which aims to keep a stable price of $1.00 each). Each pool sells as many tickets as it can, and all the DAI gets put into the ethereum-based money market protocol, Compound. There, all the ticket money collects interest over the life of the pool and at the end, one ticket earns all the interest off everyone’s ticket price.

But everyone else gets the money they paid for their tickets back, too – ergo, no losers.

Gamified savings

“What excites me is that I think it can actually move the needle on economic health for a lot of people,” PoolTogether’s creator, Leighton Cusack, told CoinDesk.

People get excited about lotteries. They don’t get excited about savings accounts. This is a way of nudging them in the right direction.

The idea of putting the concept on ethereum was first discussed in a popular post on the MakerDAO subreddit in late March, and the project has been made possible thanks in part to a $25,000 grant from MakerDAO, the company.

“We think it’s good for the ecosystem,” MakerDAO’s Richard Brown, who runs community development for the decentralized finance firm, said of the project. “One of the things that interested me the most about this is it has the capacity to take a behavior that was essentially a tax on the poor and it allows it to become a tool for social good.”

In other words, lots of low-income people gamble despite dismal chances of ever benefiting. Personal finance site Bankrate has found that people are less likely to buy lottery tickets as household income increases. PoolTogether takes the attractiveness of gaming and combines it with the healthy behavior of delayed gratification.

The strategy isn’t without precedent. Walmart has actually been running a gaming mechanic to encourage people to save money on their cash cards. People have locked up over $2 billion since 2017.

With no risk of losing money, people start saving money rather than spending everything they have. With the returns on a typical savings account currently at 0.9 percent, it’s not even irrational for a new saver to participate in a program like this. The opportunity cost is quite low.

PoolTogether’s approach

At first, there will only be one pool on the site. It will be open for tickets for three days and then the winner will be announced after earning 15 days worth of interest, on July 11. PoolTogether will shave off 10 percent of the interest earned for its business model and the rest goes to the winner. It’s all defined in a smart contract recently audited by Quantstamp.

MakerDAO’s Brown believes the model could become a frictionless way for large groups of people with disposable funds to support good causes.

For example, someone could create a decentralized autonomous organization where all the interest on a pool goes to a wallet controlled by a non-profit of the winner’s choice (rather than into their personal account). He called it a new kind of “primitive” for decentralized finance, saying:

“It’s pretty low-friction. It’s pretty low-risk. It’s low-stress, because no one is coming out of this thing broke.”

PoolTogether’s Cusack foresees the project starting off just big enough. He wants the first winner to basically double their money off the winning 20 DAI ticket. That’s going to take getting a pool together of 100,000 DAI, Cusack said, which is a big goal but they already have several commitments to prime the pump with 1,000 DAI each.

So what about Libra?

Libra is also designed so that a select few capture the interest earned on money tucked away by the vast many.

As CoinDesk previously reported, there are two tokens that make Libra work. Most of the attention has been on the Libra coin, the stablecoin backed by some as-yet-unnamed basket of bonds and currencies. To get that basket started, though, Facebook came up with the idea for the “Libra investment token” (LIT).

Like PoolTogether, the whole point of LIT is to earn interest off other people’s deposits.

To make sense of why this is so powerful, think of a very simple example. Imagine one LIT sold for $10 million. Invested in a basket of boring, safe investments, Canaccord Genuity has projected the reserve should earn about 0.25 percent. So $25,000 in a year on $10 million. That’s not nothing, but it’s a lousy return for a tech investor.

But imagine 100,000 people decided they wanted to use Libra coin, and all of them bought $100 worth each. Now that holder of the one LIT will earn $50,000 in a year, because the reserve was doubled with other people’s money, but only the LIT earns the interest.

Now, this is a global project, so obviously Libra’s backers want to get in a lot more than 100,000 people. Even if a billion dollars in LIT tokens are sold, with companies like Visa, Uber and PayPal involved, there’s no way they aren’t targeting many, many billions in the reserve. With each additional billion, the returns multiply to LIT holders.

Canaccord Genuity estimates that if Libra coin gets a market cap equal to bitcoin’s, $162 billion, then $324 million could be paid back to all LIT holders each year, after subtracting operational expenses for the Libra Association.

Let’s assume no organization holds more than one LIT and the Libra Association hits its 100 founding partners as planned: that’s a $3.24 million annual return on each partner’s $10 million investment. It’s not a one-time return either. They keep getting it as long as the Libra coin keeps running.

So 10 years after it matches bitcoin’s market cap, a LIT holder would have earned $32.4 million without losing any of their principal, a better than 300 percent gain. And that’s assuming the reserve didn’t grow at all as the decade passed.

On PoolTogether, everybody is betting that they can win the interest off of everyone else’s tickets. A crypto newbie could buy one ticket for 20 DAI and get all the interest earned off a whale who bought 1,000 tickets.

On the Libra protocol, it works the same way, except the same whales always win.

It remains to be seen if Libra will get to that point or if it will even get off the ground, but PoolTogether is starting now for anyone who wants a shot at robbing a whale. The person who created the product that will host the first pools, Compound’s Robert Leshner, told CoinDesk that he’ll definitely be buying some tickets in the first round.

Said Leshner:

“We love watching the world experiment with new products and new ideas built on top of Compound no matter what they do. I’m excited.”

Lottery ticket image via Shutterstock

Live with Vitalik: name the top three Ethereum applications you worship | Fun Twitter

Fun Twitter 

For the day's latest opinions from big names, this is all you need!

Issue of 2019/06/24

Author of this issue: 三月既望

01

Which are the three best applications on Ethereum in your mind?

Ethereum founder Vitalik Buterin tweeted a question: which one to three applications best represent, in your mind, what Ethereum is?

Anthony Sassano, founder of ethhub_io, commented:

Open credit systems, represented by MakerDAO (plus DAI, the decentralized stablecoin)

Decentralized exchanges, such as Uniswap and the 0x protocol, and peer-to-peer decentralized exchanges (Kyber Network, AirSwap)

New models of social coordination, such as decentralized autonomous organizations (DAOs)

Vitalik then asked whether there are any applications unrelated to finance (for example ENS, identity systems, ethsites) that you like.

(Translator's note: ENS is the Ethereum Name Service, intended to make Ethereum addresses easy to remember and access; ethsites is a set of techniques for querying JavaScript code stored on the Ethereum blockchain and interpreting how to use that code to read a website from the chain, reportedly inspired by BSV's Metanet.)

Anthony replied: if I had to pick the one non-financial application with the most potential for positive global impact, I think it is decentralized identity.

ENS itself is very powerful (we need to integrate it with other things).

A slightly tongue-in-cheek follower, Marcel, replied that the three most representative applications in his mind are: ICOs (initial coin offerings), CryptoKitties, and the DAO incident.

What are your top 3? Share them with us in the comments.

02

Coinbase CEO on privacy coins

Coinbase co-founder and CEO Brian Armstrong: a scalable, sufficiently decentralized blockchain with private transactions by default (a privacy coin) would be a game changer.

I think that, just as the internet started with HTTP and is now all HTTPS, cryptocurrency can and should evolve in the same direction. Just as with messaging, end-to-end encryption started at the fringes and is now the default.

You wouldn't put your credit card into a website without the HTTPS lock icon, yet we do exactly that every time we swipe a card. Our transaction data ends up in a hundred databases waiting to be breached. A world where everyone has financial privacy would be a better, freer world.

Privacy-by-default projects are a bit harder to scale, but I think it is possible. Some people are working on it.

I hope there are many. (In the tweet Brian shared an article titled "A brand-new Zcash blockchain is being built, aiming to serve 10 billion people".)

We are now in a Cambrian explosion of crypto ideas, with more than ten great teams building next-generation blockchains. Hopefully at some point the industry will start consolidating around one or two of them so that we can truly scale global solutions.

Cobra commented: the only projects doing this are coins based on the Mimblewimble protocol, such as Grin and Beam (though both have flaws); Grin has a poor economic model and Beam has some governance issues. The people replying "Monero" do not realize that it scales terribly once transaction volume is huge.

(Translator's note: Mimblewimble is a blockchain protocol focused on fungibility, scalability and privacy; Grin and Beam are implementations of the Mimblewimble protocol and differ in hash algorithm, governance mechanism and programming language.)

03

Retail investors' FOMO has not started yet

Forbes commentator Joseph Young:

Google Trends is a good retail indicator, and the 2019 interest-in-bitcoin figures do not match 2017's.

On a 100-point scale, 2017 scored 100 and June 2019 scores 12.

Retail investors' fear of missing out (FOMO) has not started; they may not even be feeling FOMO.

Earlier, James Todaro, founder of the MedX protocol, shared a similar view:

Most retail investors are not interested in bitcoin's 2019 rally.

They only remember the $20,000 peak.

Until bitcoin exceeds $20,000, most retail investors think bitcoin is going to zero.

FOMO in the 2015-2017 bull market did not start until April 2017, when the bitcoin price broke its previous high of $1,270.

Based on your own experience, do you think FOMO has started? Tell us in the comments~

LTC oscillates upward along the triangle's upper edge; there may still be a chance of a push higher

On the LTC/BTC 4-hour chart, the price has been in a downtrend recently, sliding through a string of small red candles to around 0.0125 BTC; it has now broken below the key support line at 0.0127 BTC, so the next strong support is around 0.0111 BTC. The 4-hour MACD fast and slow lines show signs of easing and RSI has re-entered the oversold zone, so in the short term the price needs to bounce back and retest the former support. On the recent LTC/USD 4-hour chart, LTC had been oscillating upward inside a rising-wedge triangle, broke above the triangle's upper edge on heavy volume on June 10, and has since climbed slowly along that upper edge, retesting it several times without breaking down. Volume is shrinking again, upward momentum is insufficient and its sustainability limited, so in the short term the weak oscillation is likely to continue; in the medium term, with the positive stimulus of the block reward halving due in early August, the price is still expected to rise, and after further oscillation and shakeout along the upper edge LTC may still have a chance to push higher. Short-term support is $130, resistance $145, medium-term $160.


Statement: this article is an original piece by 金色财经 (Jinse Finance); copyright belongs to Jinse Finance and it may not be reproduced without authorization. Media with contractual authorization must credit "Source: Jinse Finance" when downloading and using it; violators will be held liable under the law.

Reminder: investing carries risk; enter the market with caution. This information is not investment or financial advice.

Blockchain scam techniques: the fake token scam exposed

Recently, as the major exchanges have rolled out business around their platform tokens, all sorts of platform-token lending services have appeared, involving quantitative trading, voting, collateral and so on. Wherever there are people, scammers find a way in. SlowMist's blockchain threat intelligence has recently received many scam reports, and out of its responsibility for blockchain security the SlowMist security team has decided to publicly disclose the most popular current blockchain scam, so that fewer people fall for it and scammers have nowhere to hide.

How it starts:

Fake official staff and a fake official Telegram group appear and pull you into the group, where fabricated trading events such as lending, collateral, quantitative trading and investment are staged. Everything is designed to make you believe it is real, and the returns are high.

How it develops:

The fake official staff message you privately, and with all sorts of tricks and promises of profit they win you over; then you start trading with the scammer.

The end:

You transfer real BTC, ETH or USDT to the scammer, and the scammer gives you fake HT, BNB, EOS or other platform tokens.

Below we disclose a specific scam involving a Telegram account and group, along with the fake HT token contract address and the scammer's transaction records.

Fake TG group:

https://etherscan.io/token/0xd577bd98e1bd4e33ce20d172ca79f217658f07d8

Huobi has also officially published a warning about scam risk:

imToken has also officially announced the dissolution of Telegram groups:

(1) Treat with caution anyone who proactively contacts you about a project with very high returns and asks you to invest.

(2) For any cryptocurrency transfer into a digital wallet, the token that arrives may carry the same name as a real asset without being that real asset.

(3) Scams with fake BTC, ETH, EOS, OKB, HT and BNB tokens have all occurred. Improve your knowledge of how to use a digital wallet, and if you really cannot tell real from fake, deposit the asset from your wallet to an exchange and see whether the deposit is credited: a fake asset deposited to an exchange will not be credited.

(4) Someone with an exchange or wallet logo as their avatar is not necessarily genuine official staff; contact the official community through its verified channels.
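The reason point (3) works is that an exchange credits a deposit by the emitting contract address, not by the token's name or symbol, which anyone deploying an ERC-20 contract can set to "HT". The following Python snippet is an added example, not SlowMist's code nor any exchange's, of that check applied to constructed Transfer events. The fake contract address is the one disclosed above; the canonical HT address is a placeholder (an assumption to be replaced with the address from the issuer's own channel), and the events and the XYZ symbol are constructed test data.

```python
# Allow-list of canonical ERC-20 contracts, keyed by symbol. The HT entry is a
# placeholder (assumption): take the real address from the issuer's own channel,
# never from a chat group or from the token's self-declared name().
CANONICAL = {"HT": "0x1111111111111111111111111111111111111111"}

# The fake "HT" contract disclosed by SlowMist above.
FAKE_HT = "0xd577bd98e1bd4e33ce20d172ca79f217658f07d8"

HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address; reject anything malformed."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a


def classify_transfer(event: dict) -> str:
    """'genuine' if the emitting contract is the canonical one for the symbol it
    claims, 'fake' if a listed symbol comes from some other contract, 'unknown'
    if the symbol is not on the allow-list at all."""
    canonical = CANONICAL.get(event["symbol"].upper())
    if canonical is None:
        return "unknown"
    return "genuine" if normalize(event["contract"]) == normalize(canonical) else "fake"


def credit_deposits(events: list) -> dict:
    """Deposit processing the way an exchange does it: credit by contract address
    only; everything else is rejected with the reason."""
    credited, rejected = {}, []
    for ev in events:
        verdict = classify_transfer(ev)
        if verdict == "genuine":
            sym = ev["symbol"].upper()
            credited[sym] = credited.get(sym, 0) + ev["value"]
        else:
            rejected.append((ev["tx"], verdict))
    return {"credited": credited, "rejected": rejected}


# Constructed sample Transfer events (not real on-chain data): one genuine HT
# deposit, one from the fake contract, one token not on the allow-list.
SAMPLE_EVENTS = [
    {"tx": "tx-1", "symbol": "HT", "contract": CANONICAL["HT"], "value": 100},
    {"tx": "tx-2", "symbol": "HT", "contract": FAKE_HT, "value": 100000},
    {"tx": "tx-3", "symbol": "XYZ", "contract": "0x" + "22" * 20, "value": 5},
]

if __name__ == "__main__":
    print(credit_deposits(SAMPLE_EVENTS))
```

The large "value" on the fake event is the point: a scammer can mint any amount, so the amount carries no information; only the contract address does.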

 

Author: SlowMist security team

Source: SlowMist Technology

Twitter picks: live with Vitalik, name the top three Ethereum applications you worship


Source: the 野花说 public account

Blockchain security | How do hackers steal your crypto assets through your phone?

Detecting vulnerabilities in web-page verification-code mechanisms


In the blockchain industry every user has registered accounts on some websites (exchanges, blockchain communities). When those accounts involve money or other value, account security becomes a problem worth serious attention, so it is a point every vendor cares a great deal about. Yet some vendors still have vulnerabilities in identity verification. It is not that they ignore the problem; it is that the verification logic at the code level deviates slightly from what was intended, and such logic flaws are usually easy to exploit.

0x00 Unreliable front-end validation


In practice many websites do not verify identity strictly: after the account and password are submitted, the front end decides whether the user is authenticated from the status code in the server's reply. This leaves a gaping hole that is very easy to exploit; usually Burp Suite, the security world's favourite tool, is all you need to bypass authentication. At login, enter the correct account and an arbitrary password, intercept the request, then enable Burp's option to intercept the response and capture the status code it carries.

Change the status code in the response to the one a successful login returns. Of course the status codes are not always 0 and 1; all sorts of values are possible. So how do we find out what the correct status code is?

For that we register a user ourselves, log in normally and capture the status code that comes back. When you find that the reply contains nothing but a status code, with no Set-Cookie, token or similar, the login page very likely has this vulnerability, and it is a fairly fatal one. You may then object that even if the vulnerability exists, we are unlikely to have a large number of other people's accounts, so what is the harm? That is exactly the question I turn to next.
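As an added illustration (not code from the original article or from any site it tested), the following Python sketch models both patterns: a login endpoint whose only output is a status flag that the front end trusts, and one whose success is a server-issued HMAC session token that every later request must present. The account, password and key are constructed test values; `tamper` stands in for what an intercepting proxy lets the attacker do to the response.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed test data: one account (phone -> password) and a server-side key.
USERS = {"13800000001": "correct-horse"}
SERVER_KEY = secrets.token_bytes(32)


def weak_login(phone: str, password: str) -> dict:
    """Vulnerable pattern: the reply is a bare status flag and nothing else."""
    ok = USERS.get(phone) == password
    return {"code": 0 if ok else 1}


def weak_client_is_logged_in(response_body: str) -> bool:
    """The front end treats {"code": 0} as 'authenticated'."""
    return json.loads(response_body).get("code") == 0


def tamper(response_body: str) -> str:
    """What Burp's response interception lets the attacker do: rewrite the flag."""
    body = json.loads(response_body)
    body["code"] = 0
    return json.dumps(body)


def safe_login(phone: str, password: str) -> dict:
    """Hardened pattern: success only exists as a server-minted, MAC'd token."""
    if USERS.get(phone) != password:
        return {"code": 1}
    payload = f"{phone}:{int(time.time())}:{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"code": 0, "session": f"{payload}.{tag}"}


def server_accepts(session) -> bool:
    """Every later request is authorised here, never by anything the client says."""
    if not session or "." not in session:
        return False
    payload, tag = session.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and payload.split(":")[0] in USERS


def demo() -> tuple:
    """Attacker knows the account but not the password. Returns
    (front end fooled by tampered status, server fooled by tampered status)."""
    resp = json.dumps(weak_login("13800000001", "wrong"))
    weak_bypassed = weak_client_is_logged_in(tamper(resp))

    resp2 = dict(safe_login("13800000001", "wrong"))
    resp2["code"] = 0                       # same tampering, but no token was issued
    hard_bypassed = server_accepts(resp2.get("session"))
    return weak_bypassed, hard_bypassed


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The test described in the article maps onto this directly: a successful login that yields nothing for the server to check later (no Set-Cookie, no token) is one where the status flag is the whole authentication decision.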

0x01 Enumerating phone numbers


Most websites today offer registration by phone number, and usually one phone number can register only one account, so the phone number can also serve as the account. That is the exploitable point, and once the phone number can be the account the earlier objection is half answered. Given that a phone number is a usable login account, how do we obtain those numbers? That is a very good question. A phone number has 11 digits, so the chance of guessing at random that a given number is registered on the platform is negligible. But the forgot-password feature of some websites offers a way (most vendors dismiss this class of vulnerability, though I think it still has impact). When we enter a phone number on the forgot-password page and request an SMS code, some sites first check whether the number is registered: if not, they report that the number does not exist; if so, they send the SMS. That logic can be used to enumerate registered phone numbers. Incidentally, candidate numbers can be produced with a phone-number dictionary generator and then fed into the enumeration.

As the figure shows, a non-existent user produces a different message. We only need to tell the two apart by the response length, or write a Python script to enumerate and save the registered users. This point can yield a large number of user phone numbers.
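The length-based enumeration from the last paragraph, as an added Python example (mine, not the author's script or any real site's endpoint): a constructed stand-in for a leaky forgot-password handler and for its fixed counterpart, a tiny number generator, and the grouping logic that separates registered numbers from the rest. The two registered numbers are test data.

```python
from collections import defaultdict

# Constructed stand-in for a site's user table: two registered numbers.
REGISTERED = {"13800000001", "13800000002"}


def leaky_forgot_password(phone: str):
    """Vulnerable pattern: the reply differs depending on whether the number exists."""
    if phone in REGISTERED:
        return 200, '{"code":0,"msg":"sms sent"}'
    return 200, '{"code":1,"msg":"phone number not registered"}'


def fixed_forgot_password(phone: str):
    """Hardened pattern: identical reply either way; the SMS (sent only to a
    registered number) is the only signal, and it goes to the phone's owner."""
    return 200, '{"code":0,"msg":"if this number is registered, a code has been sent"}'


def phone_range(prefix: str, start: int, count: int) -> list:
    """Minimal dictionary generator for 11-digit numbers: 3-digit prefix + 8 digits."""
    return [f"{prefix}{n:08d}" for n in range(start, start + count)]


def enumerate_by_length(probe, candidates: list) -> list:
    """Group numbers by (status, body length). Most numbers in a scanned block are
    unregistered, so the largest group is the baseline and every other group is
    reported as registered. Returns [] when the endpoint's reply is constant."""
    groups = defaultdict(list)
    for phone in candidates:
        status, body = probe(phone)
        groups[(status, len(body.encode()))].append(phone)
    if len(groups) < 2:
        return []
    baseline = max(groups, key=lambda k: len(groups[k]))
    return sorted(p for key, phones in groups.items() if key != baseline for p in phones)


if __name__ == "__main__":
    block = phone_range("138", 0, 20)
    print(enumerate_by_length(leaky_forgot_password, block))   # the two registered numbers
    print(enumerate_by_length(fixed_forgot_password, block))   # []
```

Against a real target the probe would be an HTTP request and the grouping key the Content-Length the article mentions; the fix is the `fixed_forgot_password` shape, where neither the body nor the status code nor the timing depends on whether the number exists.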

0x02 Brute-forceable SMS verification codes


Having covered bypassing front-end validation and obtaining user phone numbers, let us look at the SMS verification code itself. I include a mind map for reference.

SMS codes can appear at three points: login, registration and password recovery. Registration carries relatively little impact unless you find a spot that allows bulk account registration (bonus farming).

That leaves login and password recovery as the higher-impact points; the principle is the same for both, only the exploitation context differs.

Currently the share of websites that use an SMS code for login is not large, so this article uses password recovery for illustration.

Before testing we first need to establish the length and validity period of the SMS code, and whether the page has a hard image CAPTCHA, meaning one that a Python library cannot recognize directly (recognition rate below 50%). That is the first thing to check; next, submit the form once and capture the request to see whether there is front-end encryption, a sign parameter or the like. I classify by code length: 4 digits and 6 digits.

Category 1: 4-digit codes

When the SMS code is 4 digits, valid for about 5 minutes, with no complex front-end encryption, no sign and no hard image CAPTCHA, congratulations: you may have found a spot where the code can be brute-forced. It is brute force, but with only 10,000 possible values it costs very little time, and typically a given phone number's password can be reset, or its account logged into, within a very short time. For the vendor this is a high-severity vulnerability, and I believe it will earn you a decent reward.

That is the simpler case. In a recent test I found a 4-digit code protected by a sign parameter, which makes brute-forcing harder: the sign is generated by encrypting the current timestamp, the phone number, the code and other information, and breaking that algorithm is unrealistic. So I used an unconventional approach, which the big names in security have probably used too: Python's selenium library to drive a browser and automate the clicking, although the script must be written for the site's actual layout and window positions. A learning link for selenium is provided.

Category 2: 6-digit codes

Generally a 6-digit code with a 30-minute validity is a fairly safe design, because running through 1,000,000 candidates in 30 minutes is quite hard, and sites usually limit the request rate: once you exceed the threshold you get a 403, i.e. your IP is banned for a while. Codes with these protections are safe. If the validity is an hour or longer and the per-IP request rate is not limited, it can still be exploited, but the cost is too high, so it is basically not considered, which is why the mind map marks it as not worth pursuing.

0x03 A real-world case: approach and analysis


Next, a real vulnerability case, a high-severity bug I found myself: an arbitrary-login vulnerability in a blockchain community site.

On the login page the image CAPTCHA stayed valid for a long time, so I guessed brute force was possible.

Two submissions showed that the image CAPTCHA does not change within a certain period even after it has been validated once. Reading the JS, I found that the value submitted for verification is derived from the SMS code: take SHA-256 of the SMS code and extract 4 characters starting at the sixth position. The code received during the test was 1602.

Having confirmed the hashing scheme, I used a script to generate a dictionary of the derived values for 0000-9999 for brute-forcing. During the attempt I found the code is valid for only about a minute, not enough to complete the brute force. So I switched approach: since brute force could not beat the validity window, I wondered whether the programmer might have made a particular mistake, namely resetting an expired code to a specific fixed string. That guess needed verification. Because the scheme is SHA-256, each character of the derived value lies in 0-f, so I generated a 0000-ffff dictionary and ran another brute force. As guessed, an unexpected value was accepted. Of course a single run could have been a fluke, so I borrowed other people's phones and tried several more times, and the value was fixed each time. That proved the vulnerability.

This yielded an arbitrary-account login vulnerability, and since the site also had the phone-number enumeration issue described earlier, combining the two makes it possible to log in as any user.
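To make the dictionary step concrete, here is an added Python example (mine, not the author's script) of the derivation as the case describes it: SHA-256 of the SMS code, then 4 hex characters from position 6 (read here as a 0-based offset, an assumption). It builds the 0000-9999 lookup and shows why the 0000-ffff sweep can expose a fixed default: 10,000 codes produce at most 10,000 of the 65,536 possible 4-hex-character values, so any value the server accepts outside that image cannot have come from a real code.

```python
import hashlib
from itertools import product

OFFSET, WIDTH = 6, 4   # assumption: "4 characters starting at the sixth position", 0-based


def derive(sms_code: str) -> str:
    """The client-side transform the case describes: sha256(code) -> 4 hex chars."""
    return hashlib.sha256(sms_code.encode()).hexdigest()[OFFSET:OFFSET + WIDTH]


def build_lookup(digits: int = 4) -> dict:
    """Map every derived value back to the SMS codes (0000-9999) that produce it.
    Collisions are possible, so each entry is a list."""
    table = {}
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        table.setdefault(derive(code), []).append(code)
    return table


def candidates_for(observed: str, table: dict) -> list:
    """Codes to try when the derived value is known; [] if no code derives to it."""
    return table.get(observed.lower(), [])


def full_hex_space(width: int = WIDTH) -> list:
    """Everything a server holding a 4-hex-char value could contain: 16**width."""
    return ["".join(t) for t in product("0123456789abcdef", repeat=width)]


def outside_code_image(table: dict) -> list:
    """Hex values that no real 4-digit code derives to. If an expired slot is
    reset to a fixed string, the server accepts one of these, which is what the
    0000-ffff sweep in the case turned up."""
    return [h for h in full_hex_space() if h not in table]


if __name__ == "__main__":
    table = build_lookup()
    print(derive("1602"), candidates_for(derive("1602"), table))
    print(len(table), "reachable values;", len(outside_code_image(table)), "unreachable")
```

A hit from the second list is therefore not a lucky guess of somebody's code; it is evidence that the server compares against a value that was never derived from a code at all, which is exactly what the repeated trials on borrowed phones confirmed.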

Analysis: putting these problems together, I have a few recommendations for vendors:

1. When authenticating users, do not put the verification in the front end

2. SMS codes should be at least 6 digits

3. When sending an SMS code, do not return the code itself in the response (many programmers like to do this for debugging)

4. Do not set a default code value when no code has been requested

5. The code on the registration page must be bound to the phone number; never let one code be usable by multiple phones (this can lead to arbitrary account registration)
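The five recommendations folded into one server-side component, as an added Python example (not code from the article or from any vendor): codes are 6 random digits, bound to the phone they were issued for, time-limited, single-use, capped in attempts and compared in constant time; the code is handed only to the SMS gateway, and a phone with no outstanding code has nothing to match against, so there is no default. The `clock` parameter exists only so expiry can be exercised without waiting; the phone numbers in the usage are constructed.

```python
import hmac
import secrets
import time


class SmsCodeStore:
    """Server-side issue/verify for SMS verification codes."""

    def __init__(self, digits=6, ttl=300, max_attempts=5, clock=time.time):
        self.digits, self.ttl, self.max_attempts, self.clock = digits, ttl, max_attempts, clock
        self._pending = {}   # phone -> [code, expires_at, attempts_left]

    def issue(self, phone: str) -> str:
        """Generate a fresh code bound to this phone. The return value goes to the
        SMS gateway only; the HTTP reply to the browser must not contain it (rec. 3)."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))  # rec. 2
        self._pending[phone] = [code, self.clock() + self.ttl, self.max_attempts]  # rec. 5
        return code

    def verify(self, phone: str, submitted: str) -> bool:
        """The only place the decision is made (rec. 1)."""
        entry = self._pending.get(phone)
        if entry is None:
            return False                     # nothing issued, nothing to match (rec. 4)
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            self._pending.pop(phone, None)   # expired or exhausted: force a re-issue
            return False
        entry[2] -= 1                        # count every guess, right or wrong
        if hmac.compare_digest(code, str(submitted)):
            self._pending.pop(phone, None)   # single use
            return True
        return False


if __name__ == "__main__":
    store = SmsCodeStore()
    sent = store.issue("13800000001")        # would be sent via the SMS gateway
    print(store.verify("13800000002", sent))  # False: bound to the issuing phone
    print(store.verify("13800000001", sent))  # True
    print(store.verify("13800000001", sent))  # False: already consumed
```

With 6 digits, a 5-minute window and 5 attempts per issued code, an online guesser gets 5 tries against 1,000,000 values per SMS, and the IP-level rate limiting discussed under 0x02 sits in front of this as a second layer.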

Note: this article must not be used for illegal purposes

 

Source: DVPNET

Will Bitcoin Take a Breather or Blast Through Resistance Again?

This weekend has been nothing short of monumental for Bitcoin. Over the past two days the king of crypto has surged almost 15 percent to its highest price for 15 months. The big question now is will it carry on brushing resistance aside or is a pullback imminent?

Over the past 24 hours Bitcoin reached the giddy heights of $11,250, its highest price since March 2018. Market dominance is close to 60 percent as the altcoins remain frozen over, many still down over 80 percent from their peaks. Daily volume topped out at $30 billion as BTC market capitalization touched $200 billion, but has the wave of FOMO crashed onto the shore?

Bitcoin Breather Beginning?

As in previous pumps, traders and analysts have been scouring the charts looking for resistance zones where Bitcoin may possibly halt its epic run. $10k was a huge psychological barrier that was blown away within a couple of hours when BTC surged to $10,900 on Saturday.

The next key resistance level is around $12k where BTC touched on its way down in early 2018. Trader ‘CryptoFibonacci’ has looked at the long term chart to ascertain if and where Bitcoin may take a breather.

“Price is getting to an area where one would suggest we take a breather. But, BTC has a mind of its own, so we shall see. If you have profits, I would suggest taking some off the table the closer we get to the 11,500-11,800 area, IMO.”

Other long-term technical indicators are all signalling bullish momentum for Bitcoin, so a correction would not be a bad thing. Economist Alex Krüger notes that trends are all one way at the moment:

“‘The trend is your friend’. Returns and Sharpe ratios for $BTC longs taken above the various moving averages are significantly superior than for longs taken below the moving averages. This is particularly relevant for trending assets such as bitcoin.”

The CME futures chart is starting to show some ominous gaps, which is an indication that the current bull run could be running out of steam. CryptoFib added:

“They are open now and we have yet another gap. Not surprised based on the weekend move.  But, look how far price is outside of the upper Bollinger Band. That is No go for new longs for me. Time to take a few off the table, IMO.”

Analysts have been wrong in the past when they predicted 30 percent pullbacks at $6k, $8k and again at $10k. Now that Bitcoin has breached $11k the correction calls are getting stronger so it has to take a breather sooner or later.

Image from Shutterstock