9 matches found
itBit Exchange: No password length restriction denial of service
Hello, I am able to create a password with 1000000 words, which fully leads to a MySQL or server-side Denial of Service attack. You need to decrease the password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource...
itBit Exchange: user-agent Content spoofing
Upon every unsuccessful login attempt an email is sent to the user containing the time of the login attempt, user-agent and IP. It is possible to modify the request using proxy tools and change the user agent string to a malicious link, and the email being sent to notify the user will contain this...
itBit Exchange: secretKey for OTP is getting leaked in response to a delete request!
Hey guys, this is almost the same as 44864. I could reproduce the same by deleting a 2FA device id. POC Request: DELETE /api/user/devices/9ed975d4-34ba-4057-8e21-db47ef2ccee9 HTTP/1.1 Host: beta.itbit.com User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:36.0 Gecko/20100101 Firefox/36.0 Accept:...
itBit Exchange: confirmation bypass of 2FA devices while they are being deleted
Hey guys, I just found a logical bug where I could bypass the confirmation of the 2FA devices while deleting a 2FA security device. This is the request made: POST /api/user/devices/checkcode HTTP/1.1 Host: beta.itbit.com User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:36.0 Gecko/20100101...
itBit Exchange: itBit Vulnerable to SSLStrip
www.itbit.com details: High Level, description: It is possible for a malicious user to capture credential information of a www.itbit.com user with the use of SSLStrip. The scenario is that if a user is in an internet cafe and browses the internet while a malicious user intercepts his traffic, the w...
itBit Exchange: Leakage of sensitive wallet tokens to third-party sites
Hello itBit team, this is Shahmeer and I am reporting a very critical issue in which wallet tokens such as the one below are being leaked to third-party websites: https://beta.itbit.com/trading-history/402bd136-be8f-45e2-89ea-46e3283f8118 The above listed URL contains the wallet token that is...
itBit Exchange: Stored XSS in bank name on withdraw
1. Open https://beta.itbit.com/accounts 2. Add a new Bank Account with the payload in the name field - Bank of New York'"asdF 3. Save this account and 4. Select it as a target to withdraw. As you can see in the screenshot, at this time there is some problem with the javascript code; some filtration is applied but we...
itBit Exchange: weird bug! (missing validation on new email verification)
Hey guys! I have found a bug where you were not validating email verification codes properly! Steps to reproduce: 1. Let's assume you have [email protected] as your email id. 2. Now change your email id to [email protected] via https://beta.itbit.com/profile 3. Note down the codes of the old email & new email; let's assume old=1...
itBit Exchange: Email Length Verification
Hello itBit Security Team! I am Simone, a sixteen-year-old Italian security researcher, and I just want to share with you one of my findings on your website. NOTE: I recommend that you read all of this report with attention because it's a really particular vulnerability.. at first impact, this issue will...