Now everyone talks about bitcoin and crypto-currencies. My acquaintance with crypto-currencies occurred about 5 months ago, that’s when I started investing in bitcoin and ethereum, the rate at that time was $1900 for btc and $89 for eth. In order for you to understand what profit I got, I will say that today bitcoin costs $18 000, and eth $830 and continues to go into orbit along with the rest of the crypto-currencies. I thought that it would be great to see how safe the services are, where my savings are, whether I trade them or give them to trust management.

Back in the late spring, I bought access for $500 to insiders of one investment club. I bought more coins for my own, this is besides ether and bitcoin, and at the end of August I received a recommendation that one can give his bitcoins to traders at 15% per month, that was why I started my way from sites which were engaged in trust management (further in the article — TM).

The first company example1.com (they forbade disclosing the names associated with their websites) is very popular and is known for many investors. Before investing money there, I decided to check my account for vulnerabilities. Registered, but surprisingly — did not find anything, everywhere filtering, csrf tokens and so on. Then I registered another account, but instead of the name I entered js sniffer. For a long time nothing came to me, I already was reconciled to the fact that the project is doing well with security, there are no BLIND XSS and other things, but only until the logs came to me (source code, admin IP, local storage, etc.)

JS was executed when admin checked the page with data about the user http://admin.example1.com/user/default/index?page=75. Similar vulnerabilities are increasingly encountered on hackerone, an example here https://hackerone.com/reports/251224https://hackerone.com/reports/251224 .

Looking through the logs, I was upset because all the cookies with the httponly flag and could not get any, in the end - I would not be able to access the admin panel, but when I clicked the link http://admin.example1.com/user/default/index?page=75 , I saw that admin panel can be used without authorization,this is a gross developer error.

In total it was possible to view and change information about 2010 users (email, phone, links to the social network, bitcoin wallet address, login, balance, referrer). In the screenshot, one of the richest investors in my club, he has a large number of subscribers and I constantly follow his blog. He recommended all his subscribers to invest their money in this TM, of course on a referral link, but not more than 20% of the capital. After a short time, he managed to earn 20 bitcoins on this, which equals $ 227 000 for today. $360 000 for today.

image

The attacker without any training or experience could easily go to the admin panel and change the email addresses of all the investors to their own (or simply change wallets for withdrawal, so as not to cause unnecessary suspicion when the victim decides to withdraw money for the purse for some reason in deriving no displayed). Investors there are large enough, many of them have deposits >0.5btc. It is very strange that in the admin panel there are no passwords in the clear form, I have a feeling that the developers of this TM are capable of anything at all in terms of deteriorating the security of their service.

After discovering the vulnerability, I sent a report to the developers, they contacted the creator and fixed vulnerability. I was offered to charge the award on the account in their website, where I will receive % and in half a year I will be able to break into a breakeven, and in a year I will take the body itself. A month later, when I found a similar blind xss in their service and got another bounty for it, it became known that the developers of the TM were fired (and they did not seem to have paid money for their work at that time), other people began to develop it.

A little later, after the first recommendation came the second (example2.com). This is also a top, popular service of trust management, he has 20 000 alexarank World and 3 000 Russia.

Thoroughly checking everything - nothing found (even my favorite clickjacking :) ), except for two CSRF vulnerabilities in post requests. The first allowed to change the details for the withdrawal of funds, the user had just click on the link to the CSRF exploit. The second allowed to withdraw the user's money to the already changed details. Thus, if a user simply goes through the link, then he will lose all his money. How was the attack possible? An attacker could hire a specialist in social engineering, spam the participants of their chat in a telegram and get a good profit.

Immediately after the discovery, I wrote to the developers of the site, also asked friends from the club to write to the owner. The developers responded that allegedly due to the fact that the user needs to go to the link - the vulnerability is absolutely not dangerous. It looked funny. After that, I wrote a couple more letters with the evidence that the bug is still worth attention and it must be fixed immediately, but I was ignored.

A little later, there were quite predictable things for projects of this kind - user details began to change in mass, I learned about it from their developer, who wrote to me just a couple of days ago (as I understood from his words - the users themselves made the withdrawal and the funds began to disappear). It is terrible to imagine losses in the event that hackers involved a vulnerability in the withdrawal of funds. The developer asked again to send a report on the vulnerability, then google recaptcha was added to the form of change of details and confirmation by SMS (for sure).

After that, I decided to look for vulnerabilities on crypto-currency exchanges .

Poloniex I decided not to touch, they do not pay for the vulnerability and capital I do not keep there, it is because of their ignoring of security problems - the vulnerability bypass two-factor authentication was sold in a darknet, the link is https://twitter.com/misterch0c/status/897756404093726720:

https://twitter.com/misterch0c/status/897756404093726720
Earlier I had $ 6000 on my account, quite by accident I went to my account from vpn Moldova, as a result - my account was immediately blocked. I had to wait for a fortnight to unlock, after this case I brought out all my money from there. It's good that they just did not take them to themselves, as they did with many customers.

I decided to start with livecoin.net. The exchange proved to be well protected, found only low-impact SELF XSS vulnerability (it remained self, clickjacking on the site and csrf in the post request is not present). I was paid $ 200 by fiat fund.

Then I decided to go to okex.com. This exchange is very popular not only in China, but all over the world. Some functional is not fully translated into English, it is in Chinese, but it did not become a problem, the google translator extension helped me to quickly extract text and translate it without leaving the page. As in all other cases - I carefully checked security, including subdomains and directories. It turned out that https://www.okcoin.com/ (6000 alexa china), https://www.okcoin.cn/ (9000 worldwide, 2000 in China) have exactly the same design and functionality as okex. This means that if I find a vulnerability on one of their sites, then the rest will also be exposed to it. Later I looked in the user support (a little fantasy about how I load the shell into the ticket and it is running) and found a lot of vulnerabilities, I'll talk about them below:

1. Vulnerability iDOR https://www.okex.com/question/questionDetail.do?workOrderId=2550, allowed to view all 2500 okex tickets for that time, today the number has increased to 4898, and these are only tickets on one exchange. The ticket displays the full phone number, email, real name, text of the correspondence between the user and the support and the full path to the attachment.

image

As it turned out later, many users undergo the verification procedure in the support service in order to increase their withdrawal limit. It is necessary to attach the person with the passport, or simply a photo of the passport. Here are some of these photos (Data is hidden)

image
image
image
image

In addition to passports, there are also a lot of photos and screenshots from the device screens.

image

I proceeded to download all the tickets (used as evidence of the criticality of this problem). I used Burp Intruder, launched and put from 1 to 2549 to url /question/questionDetail.do?workOrderId=2550. Found that no information was downloaded. I decided to go back to the support and still intercept the requests, at that time I found out that the page loading is done via get https://www.okex.com/v2/support/cs/work-order/2550/replies. I threw this request into the intruder and downloaded all the tickets, now they could be freely sent to the developers of exchanges.

2. Stored XSS in api. Our js is not displayed in the ticket itself /question/questionDetail.do?workOrderId=2550, apparently, there was a filtering on forbidden characters. But in api /question/questionDetail.do?workOrderId=2550 everything worked fine, even js from third-party domains was loaded. If you combine 1 and 2 vulnerabilities, you could successfully steal a lot of money. The attack was supposed to proceed according to this scenario:

1) Парсим все email адреса.
2) На нашу страницу встраиваем js/html редирект на фишинговый сайт самой биржи(в данном случае, есть несколько бирж, и для каждой нужно будет сделать форму), Myetherwallet, blockchain.info и др.

Some attackers have come to the point that immediately after entering the login and password on poloniex.com / bittrex.com / blockchain.info, the victim is asked for her 2FA code every 15 seconds (to log in to the account, to withdraw funds), to respond to the 2FA input is necessary very quickly, because its validity expires after a short period of time. Thus, using unicode characters, replacing some letters, for example i on L (BlTTREX.com, POIONIEX.COm), registering the exchange on a different domain (for example, poloniex.com.ua), creating applications on android and advertising in search engines, criminals for the year could steal from users more than $80 million.

3) Send emails to email addresses that we have agreed in advance with the person versed in social engineering. Users should believe in the letter and follow the link, as it does not lead to a third-party site, but to the crypto currency exchange.

4) ??
5) We get data for the entry, now withdrawal the money.
PoC video

3. iDOR in adding a comment, we can add a message on behalf of the user who created the ticket.

Short Request:

POST /v2/support/cs/work-order/reply HTTP/1.1
Host: http://www.okcoin.com

workId=718&content=test_message

4. Stored XSS in the html file that was attached to the ticket, but on the domain bafangpublic.oss-cn-hangzhou.aliyuncs.com. The domain is no longer available and whois says that it belongs to Hangzhou Alibaba Advertising Co.,Ltd.

5. Disclosure information. I noticed that the developers of exchanges want to hide the user's phone number as much as possible while hacking the account. On the security page, the phone is displayed as 636819 ****, in cookies it is 6 * 6. But in the response of the api support service /v2/support/cs/work-order/2550/replies it completely displays, so it's no good.

I understand that all exchanges have one owner and there is no point in writing to everyone separately, so I sent a report to the chat and to the email of the okex exchange. Very quickly received a message from official account okex in twitter and and vulns have been fixed.

Then I started testing the example3.com exchange. The Exchange did not allow disclosing information about vulnerabilities, I quote:

Regarding posting on your blog, we would appreciate if you don’t do this at the moment. Our site is still not 100% secured and I fear it will open a door for malicious users.

Discovered XSS in the walet, , namely - in the affiliate program department, it turned out to make it from self XSS to stored XSS using csrf exploit, it was possible to steal cookies, since there was no httponly flag. I could now attach a video that I already recorded, but I can not - the name of the exchange is revealed there.

For this XSS in the support service I was offered $ 100, but almost at the same time on the sniffer came logs from their domain for employees.

image

In the logs there was only a cookie

AWSELB=2ЕB3B1851EC08CCFEEC18E2DB93AE1EF2A69A2A2F9D65DCC84AB785C7C7773319F1F769CCF35CA8F430D5785D5AE4AB2C48C46EE6BE8F33Cу293D40F3CCA9F92E38E62AA65
session cookie (most important) was missing, we can not get into the admin panel through the substitution of cookies. I carefully checked the report and found in the source code the administrator's login and password.

image
image

But when went to the login page, I saw it.

image

We can not get into the admin panel via username and password, you need to crack the google account and access the authenticator, or redirect to the phishing site directly from the admin area, steal its authenticator code and quickly enter it. The second option is quite realizable.

While writing a report about blind xss in the admin panel, I found:

1) CSRF vulnerability in changing details for withdrawal of partner funds, short request:

POST /affiliate_program HTTP/1.1
Host: www.example3.com
wallet=my_wallet&act=wallet
security token is not present, an exploit was written.

2) iDOR in order remove, vulnerable request https://example3.com/account?act=cancel&order=ID_of_order. The essence of the vulnerability is that if a user has already created an order and wants to transfer his bitcoins to the wallet of the exchange - we can cancel this action. At best, his order will simply retire from the system, at worst - he will transfer the bitcoins and lose his money. This vulnerability is mainly useful only for exchanges - competitors, not for hackers.

After I sent a new report in support, I was contacted by the chief security officer to discuss the vulnerabilities. He wanted to call me on Skype or on the phone, but at the moment my knowledge of English is at an average level, so we decided to limit ourselves to chat. For the vulnerability I was offered 0.1 btc ($ 1130):

After consulting with our finance and regarding our situation, we can pay you $1000. This is the highest amount we paid for a bug and is much higher than what we usually pay. It is to show our appreciation to you and the way you handled the situation.

I'm very grateful for the bounty. They are responsible for safety, it was very pleasant to communicate with their CTO.

In total, with the search for vulnerabilities on these sites dealing with crypto currency I got: Trust management of example1.com: 1 btc. Trust management example2.com: 0.122 btc. Exchange livecoin.net: $ 200 by fiat means. Exchange okex.com: 2 btc, I'm very grateful to okex for the bounty, the Exchange's CTO allowed to publicly disclose the vulnerability. Exchange example3.com: 0.1 btc. 1 + 0.122 + 2 + 0.1 + $200 = $59 400 from the search for the vulnerabilities on these sites dealing with crypto currency, and with the growth rate bitcoin this amount will grow.

Conclusion from the article: Always hire highly qualified programmers for your projects, especially if your budget allows it. In the first two cases, the companies are large enough, they can afford to hire quality specialists, but they save money and because of this, users and reputation may suffer - they leave the admin board completely "naked" and ignore the problems pointed out by the security specialist.

P.P.S: I can also tell you about how I discovered a vulnerability on gearbest.com, which allowed to find out the login and password of any account and about the vulnerability on webmoney.ru (the largest system of electronic money transfers in SIC), with which you could send js/html to 35 000 000 users and for which I was paid $ 100 (a negligible amount for such a vulnerability). To be aware of my latest articles, I recommend subscribing to my twitter, link at the top.

en_USEnglish
ru_RURussian en_USEnglish