
Security issues on ArtChain - edent
https://shkspr.mobi/blog/2018/11/security-issues-on-artchain/
======
thanatos_dem
From a bit of searching, it looks like the individual responding to the
disclosure emails is a patent attorney, claiming to specialize in bitcoin
patents.

I’d be terrified to have him be my lawyer for anything, given his responses
here. Artinfo is clearly dead in the water at this point, and I can’t even
tell if he is the actual owner of it, or just a legal representative.

The security issues are terrible, but it’d really suck to have your company
torpedoed by your unhinged IP counsel.

------
MastroF
NSFW: Try to NOT visit the `artchain(dot)info` website on a work computer, it
redirects to Pornhub. (With Xss).

~~~
esotericn
Truly a work of art.

------
gitgud
It's sad when site owners don't respect reports of security bugs. Maybe they
don't care, or their trust was lost by being hacked previously...

Either way the users suffer...

~~~
lvh
This is one reason 'tptacek and I are so militant on the "responsible
disclosure" issue. People who seem to believe the onus is on security
researchers to do whatever song and dance the people who are actually
responsible want. That's nonsense: if you find the bug you get to do whatever
you want with that information. (Including, I think, trade on it? But I'm not
a lawyer and that's not legal advice.)

~~~
pavel_lishin
> _the onus is on security researchers to do whatever song and dance the
> people who are actually responsible want_

It's not about bending to the will of an incompetent idiot; it's about
protecting vulnerable end users from the idiot in question.

~~~
lvh
Well, it's subtle, right? That presupposes they're an incompetent idiot, and
if they are, I agree: you should just publish a full disclosure.

A lot of projects/companies fortunately are not staffed by incompetent idiots.
I'm also not saying "never disclose to the company/project". It's what I do
100% of the time if it's worth disclosing and I don't have prior evidence that
they'll react poorly. I'm saying researchers have no moral obligation to do
anything.

~~~
pavel_lishin
> _I'm saying researchers have no moral obligation to do anything._

I don't think I agree with you, but I understand your point of view, and don't
think I can really argue from any sort of objective reasoning.

~~~
lvh
Well, I'm happy to walk you through it if you're game. Let's say the company
is an incompetent idiot: that also means they're unlikely to respond well to a
well-written vuln report. So what protects the general public the most? The
bad guys can find vulns too, and you have no idea if you're the first to find
a vulnerability, and we're presupposing the company won't handle it well. The
_best outcome_ for the general public is full, immediate, public disclosure in
that case!

There are other arguments here, like the fact that random people putting bugs
in websites are not entitled to a researcher's time.

~~~
baby
It's a spectrum, and unfortunately a lot of security researchers just assume
that developers at companies are always the bad guys.

~~~
lvh
Do you have any evidence of that claim?

Also, even if it’s true, why does the company get to command the researcher’s
time?

Finally, as a company, you get to mitigate this by having a serious disclosure
policy. It helps if you don’t look like the bad guys.

~~~
baby
> Do you have any evidence of that claim?

I'm not going to link to specific github issues but I've seen enough people
dropping "vulnerabilities" and yelling at the developers. (I'm pretty sure you
know what I'm talking about.) This often gets the developers worked up and
gives security people a bad rap. It's a lose-lose situation imo. People need
to learn empathy and stop blaming developers.

Of course there are companies that need to be shamed, and that will repeatedly
act shady, but too many people use this to excuse their behavior in general.

------
viach
Looks like the ArtChain site owner is a marketing genius. Get to the HN front
page with a blockchain project? Bravo.

~~~
gcb0
I know this is irony, but making the joke obvious to the few that might take
it seriously: it's not so good to have that visibility when the cause is the
author cursing security researchers away because they are trying to delay your
fraudulent CPO by a couple of days by asking you to patch blatantly obvious and
basic security holes.

~~~
viach
Sadly, this is almost a joke - it seems like any kind of visibility works.
Most people just don't care about the context, they just remember the brand
name.

------
mentat
He still hasn't fixed the XSS name entry, it pops if you go to the site.
Amazing.

~~~
urda
No kidding, just going to [REDACTED] and boom there it is.

With how nasty this guy has been, it's like he's _asking_ for a bad actor to
really cause trouble.

I'd be so happy to have anyone file a report like the author did, exposing
possible flaws in a platform I operate.

~~~
wlesieutre
Word of warning for anyone clicking that, it currently redirects to Pornhub.

~~~
urda
YIKES.

I pulled the link, anyone curious can figure out how to reach artchain dot
info on their own time.

~~~
wlesieutre
Thankfully SonicWall caught it here, but hopefully nobody's looking at what
sites I tried to visit :P

------
jonnydubowsky
From the looks of it, this site hasn't done much in the way of actual
business. A handful of transactions 180 days ago, probably the original pieces
being loaded up, and then crickets.
[https://etherscan.io/address/0xc40cf3abc0166847c16f1f60f3fdf...](https://etherscan.io/address/0xc40cf3abc0166847c16f1f60f3fdf7b952b0cb41)
Monograph is a fantastic blockchain art registry, made by Chris Tse, the
founder of Cardstack. There are several others that actually demonstrate some
of the more novel aspects of this particular use case.
[https://monegraph.com](https://monegraph.com)

