Sparkster leaks customer KYC details. First coin to Zero?

Today’s video was going to be about stop hunting, but sometimes a story comes along that is so epic and amazing it has to take priority. I’m not even going to make you wait till the intro to tell you.

If you put money into Sparkster, you’ve wasted your investment.

There’s been a lot of hype about this project with some high profile people endorsing it, advising for it and shilling it at every opportunity. Ian Ballina, my favourite ICO guru, is involved in this one too. It’s almost like anytime I have something bad to say about a project Ballina’s name pops up.

Yes, I know it sounds like I'm about to FUD all over this project, but it's not without reason. This weekend an anonymous source sent me some documents and evidence that put Sparkster's ability to deliver anything worthwhile into question, while also raising serious security concerns about their platform and business practices.

Is Sparkster able to deliver on its promises of 10 million transactions per second? Can they even deliver on their promise of drag and drop DAPP development? Did anyone else notice that their logo is a puzzle that doesn’t even fit together anyway? Is your data safe with Sparkster? Is Sparkster the Microsoft paint of Blockchain and do I have an unhealthy obsession with Ian Ballina? Maybe. To find out let’s take a look.

Sparkster is, in theory, a great project, how could you not like the idea of an ecosystem that uses drag-and-drop programming where people can develop decentralised applications easily without spending a hundred thousand on development? The only problem, of course, is that you will be limited by your own ability and the drag and drop elements available to you. When you spend a hundred thousand on a Solidity programmer or someone along those lines you are paying for the expertise, and you ultimately have more control over the application you build. Of course, that’s not a reason to hate on Sparkster.

There is a market for this kind of product, but that market isn't serious companies, it's school kids. The first thing that struck me about the demo was just how basic it all looked. This was essentially a Scratch clone. It doesn't look like a serious professional app. Scratch, for those who don't know, is an educational tool used in schools. There's nothing wrong with that; if this were a tool aimed at that market I would be on board, but it isn't. These guys are marketing it as a serious solution.

So serious in fact that it’s been reported that they have been looking to charge various blockchain projects a 2 million dollar fee and then 100 thousand dollars per month to provide drag and drop programming options tailored to that particular blockchain.

This letter reads like a very clichéd sales pitch and just smacks of a lack of professionalism. Of course, as this message shows, they are having some trouble getting companies on board, as they've kindly been offering to waive the fees for potential partners. It's even been suggested that Sparkster is actually built off the open source MIT App Inventor platform, and the visual and operational elements of the two are very similar. In a set of tweets, Sparkster made a non-denial denial as to why the two applications look so alike. If it's based on the MIT open source code and they aren't breaching MIT's licensing, technically they aren't doing anything wrong, but charging millions of dollars to integrate partners into a platform they only half built seems a bit brazen.

In fact, Sparkster started as an earlier project called Symfony, and when that project literally attracted zero attention, it was relaunched later as Sparkster.

My real concern, however, comes from the company's serious security vulnerabilities. While this may sound technical, stick with me, as it does become clear. I was provided with the following screenshots, which show that users' authentication data was being stored in the browser's local storage. This meant that our mysterious would-be hacker was able to find the "key-uid-value" object stored in local storage, and to make things worse, that "key-uid-value" was in plain text and was found alongside a password.

By utilizing an XSS vulnerability within the leaderboard page, the would-be hacker could then get access to anyone's "key-uid-value" by having the injected script send it to a server the attacker controls.

As the image below shows, he/she was able to get an XSS vulnerability to fire. In this case, it was only a popup box that declares the word "hacked", but it shows the vulnerability in all its glory. This could have been used for nefarious purposes. Had anyone else found it, they could have exploited it and would have had all of the admin login details.

Also, all clients' credentials could be compromised if this bug was present on a user page, and with the Know Your Customer info being stored in local storage as well, this data could be accessed. Those KYC details were encoded using base64, but decoding them, I've been told, wouldn't be a difficult task. That means that if you are a Sparkster investor, hackers have had potential access to all of your personal information: your passport, email addresses, contact info, passwords. And while this really was the worst vulnerability, it wasn't the only one.

The would-be hacker was also able to upgrade his/her account to that of an admin and partner, and was able to access every single one of any client's uploads. Everything: documents they shared, email addresses used, Twitter handles, anything that was uploaded by the client, he/she was able to access.

If you are a Sparkster partner, I would recommend that following this leak you demand the Sparkster team fix it. Then check what password you used, change it, and make sure you haven't used the password elsewhere, because all of that information was left in the open thanks to this exploit. This is really a shocking lack of security, and if the Sparkster team can't get that right with the $30 million they raised, what hope is there for their actual application?

Even if the security vulnerabilities didn't exist, it is still a questionable project. There are no professional examples available to show what the program can do in skilled hands. The "cell" idea isn't really a blockchain; it's more like localised databases. Even in the AMA with Ian Ballina, the Sparkster team couldn't get the multiple cells to work properly for ages, or at the very least weren't prepared for the AMA, and neither is good really.

The tokens are all still basically locked up, with the CEO of Sparkster not looking to add their token to an exchange anytime soon. This is probably why it's been reported that Spark tokens, which were bought for 15 cents, are now being sold for 5 cents and less in OTC (over the counter) trades, and even then no one is interested in buying them.

So am I spreading FUD? Yeah, I guess so, but it's well deserved and completely justified. What Sparkster have built here looks like a cheaply made toy. My main concern isn't even that it's a toy; it's that it's one that skipped all the safety requirements.

What do you guys think? Am I being hard on Sparkster? Shouldn't we expect basic security protocols and testing to be done on a platform, especially one with a $5 million budget? Is it ironic that Ballina's 100x community can't dump their tokens on the market this time around? Do you think this is a toy, or are you convinced this has a place in blockchain's future? Let us know in the comments below. We'd really like to hear your thoughts on the stories we run, so please get involved.

To keep up with the latest crypto news like, subscribe and don’t forget to hit that notification bell.

If you want to keep the conversation going, join us at our Telegram group and follow us on YouTube and Twitter.

https://t.me/cryptopiggroup

https://www.youtube.com/cryptopig?sub_confirmation=1

https://twitter.com/cryptopigmedia

Disclaimer: Cryptopig content is written by a team of blockchain passionate people. We are not registered as investment advisors. Don’t take the information in this post as investment advice and make sure you do your own research before investing. Cryptocurrencies are a very risky investment, never invest more money than you can afford to lose.
