Tim1996 Posted May 7, 2020 #1 Posted May 7, 2020 Hi! I had earlier sent the full report with code and explanation on how the open parameters on forum.stake.com is leaking the csrfKey. There are basically 6 open parameters on forum.stake.com which are visible from client-side, which should not be. I found a cashout flaw which is bad for the reputation of stake sports betting system, though I was unsuccessful in withdrawing the amount yet it let me cashout in the application for some high amount of time. I have tested the case with cloudbet and Sportbet and I can confirm that in both of the gambling platforms this cashout problem does not exist. I have sent a detailed solution to email bugs.stake.com but haven't heard from them for 5 days. Pinged steven on stake discord channel and haven't heard from him. Talked the support and showed him the vulnerability live but he says to post on forum. The video: https://www.youtube.com/watch?v=86p_BzaJKU4&feature=youtu.be Thank You My earlier speculation regarding leaked parameters on forum.stake.com , i dis reported them to the team but have got no response from them.
narwy Posted May 7, 2020 #2 Posted May 7, 2020 This isn't a security issue, this is how most SPA work, using a signed signature, e.g JWT to pass to a request to be validated and signed.
.png.8937ea41ad7fa7510c03c16b49835a8f.png)
Featured Comment
Archived
This topic is now archived and is closed to further replies.