BL3P

BTC/EUR
select market

BTC / EUR 3.133,23
LTC / EUR 26,90
Last price (BTC)
 3.133,23
24h volume
 56.03
1h4h24h7d30d3m12mall
Javascript is required to use BL3P. Please turn it on or add an exception
Your browser version is outdated. We have decided to spend our time on making Bl3p better, instead of wasting it on compatibility for ancient browsers. Please install Chrome frame if you wish to continue on your current browser, or consider installing Firefox or Chrome.

Reporting security issues

If you discover a problem or a vulnerability in our systems, we would appreciate it if you share this information with us (as soon as possible). Security errors will be rewarded with a sum of bitcoins or a mention on the " wall of fame ". The height of the reward depends on the impact of the error but can be up to a maximum of 5 BTC. You can count on a reward if you're the first one who alerts a security issue and if this results in a change in the code or configuration. Some examples of security errors include:

Eligible security problems
For example:
  • Cross Site Scripting (XSS)
  • SQL-injection
  • Encryption issues
Issues not to report

Some security errors are not eligible for a reward because they have a low impact on security. The following type of security errors are some examples. Please don't mention such flaws unless a combination of errors can lead to a security issue with a greater impact.

  • General error messages regarding application or server errors.
  • HTTP 404 and other non HTTP 200 error codes
  • Accessibility of public files and folders (like robots.txt)
  • CSRF-issues on parts of the site that are available to anonymous visitors
  • CSRF-issues without (critical) consequences for users
  • Trace HTTP functions that may be active
  • SSL attacks like BEAST, BREACH, Renegotiation
  • SSL Forward secrecy unused
  • Anti-MIME-Sniffing header X-Content-Type-functions
  • Missing HTTP security headers
  • Presence of HTTPS Mixed Content Scripts / errors
Rules

In addition, we apply the following rules:

  • Don't apply any damage during your investigation
  • Don't use social engineering techniques to gain access to our systems
  • Don't publish company or customer data
  • Don't share gained access with others in case you successfully penetrated the system
  • Don't make any changes in the system
  • Don't copy more information than your investigation requires
  • Don't use brute-force techniques
  • Don’t use techniques that can influence the availability of our services

Security Issues can be emailed to: security@bl3p.eu. Encrypt your message with the PGP key below(0xB745A874). Please clearly describe the problem that you found and the steps to take to reproduce it. Add attachments like screenshots or data dumps to clarify the issue if possible. After receiving the notice, we will send an acknowledgment as soon as possible. We need some time to study and assess the report. After a maximum of three working days you will receive a first substantive response.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFMPAtABCAC/s4AADhiD8czlo9X8WgJTfOzqxCK4BZCiIT1kqQ2z0lL48KNJ
e+d1+GJGhVatbGDmwNpMtqmLtOL6yFRbEnEaYub4ZpRrUlCyjNFLIAAHvI/vvg8J
RMfFyW1G/9z5bC3ZgoR4kVx2685h7ZCpbmowWgbPA7VeznSCB+OrI8o3TDYpqNY6
GyGMVEHysQYfHA5ezfeeS5k/zlNChj2/Gb2Irzqr9cr7ODtHurY983IcDI2zQID4
2ZYDLhxFAj3dyTWazE+qvYtoQQMiKtNtkpAEjOfPGG6PH5s6KuhpDWY91aoIUeRJ
bnk2bewf+FN92fLtMIqVcVbVB0+rJDNEj1SXABEBAAG0Jk5pZWxzIHZhbiBHcm9u
aW5nZW4gPG5pZWxzQGJpdG9uaWMubmw+iQE+BBMBAgAoBQJTDwLQAhsjBQkJZgGA
BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD7PFeot0WodFlmB/9tDt72x7Az
Ii8iXF6b5d6rc8NmMwR8QEYdHnI9s9MiK8/V4ZwAlHjCYGv0IXY1oChVR3fVw4EL
Ptazi0a6hyN5roABPDlqjM1evrpLalRG+4yHY8Zj0LrIp0btiAZo3BD0Vf0Pew37
xNqybZ4mgJdoQYOo/77LK2vMbLhqmAwXk4EFwF+qsg6d+6svnb+HIyn0YXhDXpzx
jTtZgYFwXQHnsaDi3Z+8qbZwYa5KusKBDG4/r8Yu1sYbaDwQhgBzg90GSkdsqKHx
YoHODeDT/vvpawBhJ4RQAA72SHqzB7u7arjy2lJh9krdaqM8OKMEhFntlce7Au5O
5mLX1P4keQBcuQENBFMPAtABCACsuH3BKHSrSgGAgLVw28anp3iabU5NymNkR8F6
8hSXWm5iEwUdxSxIyJo/QOLUtKM5UH7d35QHhw9Kbn2XK/jAAgwqRJMF+QTIgc1n
CRmLrCeYohT1WjZNElgkc/Bj9R8OLD7T4O1P04wZEQjQiDKeg2Dvwj4YmEYik9o/
Rd2PNSR7ysm/e8jfcQLn1OYy+d8otdaCenvmi/upKnmm+PjBm1gM/JG614Jd3jio
WJTnNAWZXGziAGqfFTSpJfNm0YKbUfaP+UvU0prs+tFjOHQHUOkV0ToXh6DtuS6N
IgNf6jRAXF691sE8KF7jgXEE70tYDsMFPG0UdDzktzNwTksvABEBAAGJASUEGAEC
AA8FAlMPAtACGwwFCQlmAYAACgkQ+zxXqLdFqHTMOggAi8FAr0glhyCnZSbCWCjZ
aakN+d88IvpR4JdWvgKZMNXO3w+YkQs4RKX+p5zszkeQsZhtfT8R/hOrcmeX409p
foUay0yadfhyT7Cdo5864cq9B+3+UMNsTG09g+/obSbOi+bMhmRHt7heszu90iTo
L6vVZjenyR3Vy7o17DESsFk4FknxHGyYxH7aK7NasV7P2xegQhj1jTZv8uFLQM/E
sgMBJby9ljnT6opfVXdbFc9xRP5Ezgmz1U+mQs78ISCd1vmF/6POcxQ0jmoH/qPb
6afwcldGLAZQLm0t+yxWaRbN0LdX1MQjeriETGOgDh8p2XkRp/o9lEQfLvEo17xg
lw==
=Ym7G
-----END PGP PUBLIC KEY BLOCK-----

Hall of fame

We thank the bug-hunters listed below for their efforts to make BL3P more secure. They have also received a bounty.

ReporterIssueNotes
Hamid Ashraf @hamihax After changing account email, old password reset link stays valid The link expires autamatically after one hour
Harsha Vardhan Redirect after CSRF error could take user back to attacker
Old password reset links stays valid after reset Link is only available to user, timeout after 1 hour
Logging out did not clear browser cache
CSRF token at security not checked correctly If a user had security TFA disabled, an attacker could trick the user into disabling login TFA as well
Upload of malicious image files could overload verification server
James A. Old sessions remain valid after password change
Sahil S. XSS vulnerability in verification system A bug in the localization system could in some cases display unfiltered user input
Insecure session cookie Sessions are IP-locked
Elyesa (Matthew) in der Maur TOTP code could be reused in other session Only for same user
Confirmation link not locked to changed setting
Logout on BL3P did not instantly end session on verification server
Clickjacking defense in BVS not functioning for partial content
Possible name exposure via account restore
Email spam possible with email change confirmation links
XSS in some cases possible via email
Could change account email to existing value
Server side validation of withdrawal bank account broken
Mandeep Jadon Consecutive confirmation link requests did not invalidate former requests
Confirmation links were unjustly reported as being IP-locked.
Krishna Manoj Vandavasi Input validation in verification system insufficient Could lead to higher spam rating for mails from bl3p.eu when entering malicious URLS
Jay K PatelAccount email was not validated properly on change
Ahmad Shuja Some weak passwords were not denied
Jochem Kuijpers Configuration entries shown in JSON output