Published on: 2011-06-19T22:36:27+00:00
In a conversation on June 19, 2011, Gavin Andresen and Doug Huff discussed the disclosure of vulnerabilities in ClearCoin. Gavin emphasized his commitment to addressing private disclosures seriously and acknowledged that the CSRF vulnerability in ClearCoin had been fixed thanks to Doug's report. However, Doug then proceeded to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com, noting their severity due to the site being hosted on appspot and utilizing Google account authentication. This left users susceptible to attacks as long as they remained logged into their Google accounts. It is worth mentioning that Gavin's personal website, clearcoin.com, was linked in his signature during this conversation.The reported CSRF vulnerability in ClearCoin, which occurred in June 2011, was promptly addressed after Doug Huff brought it to Gavin Andresen's attention. These CSRF vulnerabilities were particularly dangerous as ClearCoin utilized Google account authentication and was hosted on appspot. As a result, users who remained logged into their Google accounts were at risk of falling victim to CSRF attacks. The seriousness of the issue prompted immediate action to rectify the vulnerabilities.However, instead of privately disclosing the discovered CSRF vulnerabilities, the author decided to make them public. These vulnerabilities were found in http://clearcoin.appspot.com and posed a significant threat to users due to the site's utilization of appspot and Google account authentication. To demonstrate the impact of these vulnerabilities, the author conducted tests involving changing refund addresses and releasing funds. Additionally, proof-of-concept (POC) code was provided, which could be accessed on any browser. Notably, Gavin Anderson, the lead bitcoin maintainer, is responsible for running and maintaining the site mentioned.
Updated on: 2023-08-01T02:00:51.363085+00:00