*The thread was originally posted on Bitcointalk. I recommend following the Bitcointalk thread for the most up-to-date news (unless Roger is still invested at Blockchain and cares to chime in): https://bitcointalk.org/index.php?topic=5193539.msg52781465#msg52781465*
I signed up for an account on Blockchain.com's new "military-grade" exchange called "The Pit".
I noticed right off the bat that I was able to get their exchange to show my 2FA backup codes without prompting me for my 2FA code (I only needed to enter my password).
I emailed Blockchain.com's support and reported the problem. Blockchain.com's support told me to open a "HackerOne" bug bounty report if I wanted to get paid.... I figured, "Why not? I could use the money to test their site further / link my bank account with a wire!" (I should have fucking known better and just been OK without getting compensated, but I was worried Blockchain.com's customer support person wouldn't forward on the problem if I didn't open a HackerOne ticket and I didn't want some poor Blockchain.com customer to get pwned because of Blockchain's critically flawed security design.)

(you can see I'm sketched out about this "HackerOne" stuff from the start)
I created the issue on HackerOne:

HackerOne staff responded:

Yikes!!!!!!! But OK... if that's how you want to have your website, go for it... I guess...
HOWEVER, today I checked Blockchain.com's website and lo and behold:

(users are now prompted for 2FA after the password screen) 10/16/2019
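The flaw reported above (backup codes unlocked by the password alone) next to the behaviour seen after the change (a fresh second-factor check before the codes are shown), as an added example that is not Blockchain.com's code. The session model, the 300-second step-up window and the RFC 6238 test secret used below are assumptions.

```python
"""Step-up gate for revealing 2FA backup codes (added example, not Blockchain.com code)."""
import hashlib
import hmac
import struct

STEP_UP_WINDOW = 300  # seconds a second-factor verification stays fresh (assumed policy)


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Session:
    """Minimal session state: password login plus the time of the last 2FA success."""

    def __init__(self, password_ok: bool):
        self.password_ok = password_ok
        self.last_2fa_at = None  # epoch seconds of the last verified second factor

    def verify_second_factor(self, secret: bytes, submitted: str, now: int) -> bool:
        # Accept the current step and the previous one to absorb small clock skew.
        for skew in (0, -30):
            if hmac.compare_digest(totp(secret, now + skew), submitted):
                self.last_2fa_at = now
                return True
        return False


def reveal_backup_codes_flawed(session: Session, codes: list) -> list:
    """The behaviour reported in the thread: a password session alone unlocks the codes."""
    if not session.password_ok:
        raise PermissionError("not authenticated")
    return codes


def reveal_backup_codes(session: Session, codes: list, now: int) -> list:
    """Hardened: require a second-factor verification within STEP_UP_WINDOW seconds."""
    if not session.password_ok:
        raise PermissionError("not authenticated")
    if session.last_2fa_at is None or now - session.last_2fa_at > STEP_UP_WINDOW:
        raise PermissionError("step-up authentication required")
    return codes
```

The flawed function is the "before" state; the hardened one refuses until the user has just re-proven the second factor, so a stolen password (or an unattended logged-in browser) cannot harvest the codes.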
*I'm falling asleep on my keyboard; I will finish the thread on Bitcoin.com tomorrow. This story gets much worse, believe it or not. Please read the Bitcointalk thread: https://bitcointalk.org/index.php?topic=5193539.msg52781465#msg52781465*