8/1/2019:
- Orderbook price discrepancies.
- Forgot password does not work with some accounts, displays exception error.
- The interface language changes randomly when you refresh the page or open a new tab.
- Security: Full Path Disclosure showing on error pages.
- Security: Password reset link leaking hash to external domains.
- Security: Application vulnerable to MiTM attack / SSLStrip attack (hijacking HTTPS).
- The trade screen Market and Stop-Loss quick percentage buttons are not working in the buy section.
- Incorrect stats calculation on wallet page.
- Affiliate receives 0 commission when a user who signed up through them trades.
- LastPrice is not displaying for some assets in wallet and other pages.
- Users can place empty orders.
- Master Pin pad occasionally shows the same digits.
- Security: Password & Master Pin hashes can be seen in a request.
- Trade Interface has styling problems in the Edge web browser.
- Some accounts cannot log in after email verification; they receive an exception error.
- Completed orders "Status" says "Pending".
- Ghosted Orders - Orders will appear to be at the same prices in each order book, but the orders do not complete because one or both of the orders do not actually exist.
8/2/2019 - 8/5/2019:
- Trading view chart settings window is cut off.
- Some settings do not work and must be removed.
- Trigger notifications deleting themselves without conditions being met.
- Market tab quick percent buttons change the Price: field. This should always remain with text "Market Price".
- Security: Forgot password does not have a password reset threshold set, which means a user/attacker can request the password reset link multiple times within a short time-frame and flood the victim's email. Recommended to allow this functionality only once every 5 minutes for that specific email to prevent the flood, or to use a captcha.
- Security: Signup functionality is lacking Captcha which allows an attacker to submit the form multiple times.
- Security: User can set a password of 100+ characters. An attacker can submit passwords of any length to exploit this and DDoS the service.
- Security: After a password reset link is requested and a user's password is then changed, existing sessions are not logged out automatically.
- Security: Email links are sometimes sent insecurely, without a protocol attached, which makes the URL default to http://; they must ALWAYS have https attached.
- Security: Application is using a vulnerable JavaScript library (jQuery v3.3.1). This version of jQuery has known vulnerabilities associated with it.
- Transactions Page: If specific dates are set for transaction history, even if transactions exist for those dates, nothing displays.
- USDC pages not displaying USD values.
- Setting trigger notifications sometimes fails on price. May be due to decimal positions.
- Security: 2FA accepts expired codes from the authenticator application.
- On logout the server session is not deleted properly. If a hacker steals a user's cookies from their computer, and the user then changes their password and logs all devices out, the attacker could still access the account using the cookies loaded into their browser.
- If user changes their password or email, make all active forgot password links expire.
- Forgot password saying "Email field required".
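The reset-flow items above (the 5-minute per-email request threshold, expiring outstanding reset links when the password or email changes, and logging out existing sessions when the password changes) combined into one added example. This is illustrative code, not the exchange's own; the one-hour link lifetime, the in-memory stores and the `Account` shape are assumptions.

```python
import secrets
from dataclasses import dataclass, field

RESET_THROTTLE_SECONDS = 5 * 60    # one reset request per email per 5 minutes
RESET_TOKEN_TTL_SECONDS = 60 * 60  # assumed lifetime of a reset link

@dataclass
class Account:
    email: str
    password_hash: str
    sessions: set = field(default_factory=set)  # active session ids

class PasswordResetService:
    def __init__(self):
        self.accounts = {}      # email -> Account (constructed in-memory store)
        self.last_request = {}  # email -> time of last reset request
        self.tokens = {}        # reset token -> (email, expiry time)

    def request_reset(self, email, now):
        """Return a reset token, or None when throttled or the email is unknown.
        Respond identically in every case so the endpoint does not reveal
        whether the email is registered."""
        last = self.last_request.get(email)
        if last is not None and now - last < RESET_THROTTLE_SECONDS:
            return None
        self.last_request[email] = now  # throttle unknown emails too
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, now + RESET_TOKEN_TTL_SECONDS)
        return token

    def expire_reset_links(self, email):
        """Drop every outstanding link; call on password and email changes."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != email}

    def change_password(self, email, new_hash, keep_session=None):
        """Rotate the hash, expire reset links, log out all other sessions."""
        acct = self.accounts[email]
        acct.password_hash = new_hash
        self.expire_reset_links(email)
        acct.sessions = {keep_session} if keep_session else set()

    def consume_token(self, token, new_hash, now):
        """Complete a reset from a link; rejects unknown and expired tokens."""
        entry = self.tokens.get(token)
        if entry is None or now > entry[1]:
            return False
        self.change_password(entry[0], new_hash)
        return True
```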
8/6/2019 - 8/8/2019:
- Device lock-out is not locking the account on location change under certain circumstances.
- Deleting a device causes log out for user, even if the device is not the one being used in the active session.
- Master Pin / 2FA not displaying correctly on certain pages.
- Not all available coin assets are displaying in the Wallet quick access drop-down.
- Security: Disable weak ciphers.
- Quick percent buttons in BUY area are inserting incorrect amount.
- Birthday and phone fields in Edit Personal Information are missing proper validation.
- Security: Email can be changed to any other email without confirmation.
- Trigger notifications not sending emails.
- Market orders are not working.
- LastPrice in Wallet quick access and Watchlist & Markets is incorrect.
8/9/2019 - 8/14/2019:
- Password change in settings area does not send an email notifying user.
- Security: Register page is revealing if email exists in the database or not.
- My 24-hour Order History on the Trade page is displaying trades older than 24 hours.
- After locking an account by entering too many wrong passwords, reset password throws exception error.
- Account does not lock after too many incorrect Master Pin attempts.
- Question mark icons are missing tooltip info.
- Freeze your account until x date allows you to select the same day; it should only allow the next day at the earliest.
- Security: Clickjacking, missing header.
8/15/2019 - 8/19/2019:
- Security: Can delete all other people's API keys.
- Security: Master pin can be read under special circumstances.