Bitcoin Forum

Vulnerability description :

When you are logging from a new IP, Bittrex send you an email asking you to confirme the new IP.
If you are not using 2FA, someone knowing your password can bypass this IP whitelist and thus connect to your account.

Technical informations :

IP is not correctly sanitized in the email sent by Bittrex.
When connecting to bittrex, the X-Forwarded-For header is not sanitized.

To replicate the issue, here is a POC. Set the following rule in Fiddler :

Then, in the Bittrex mail, it will display the following instead of the IP:  "<style>a{visibility: hidden;}</style>", x.x.x.x allowing you to change the style in the mail.
With css3 and selectors, it is then possible to extract the secret token to a domain you control when the user is viewing the mail, allowing you to validate the new IP. (See how to with Stealing the Pie Without Touching the Sill (https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf))

Timeline :

During all the process, I have also been raising the ticket through the customer support channel on slack multiple time.

August 17 : vulnerability identified
August 18 : vulnerability reported in ticket #167335
August 27 : ticket reminder
September 1 : aknowledgement from Bittrex
September 2 : Ticket assigned to Bill
September 8 : Asking for status - no answer
October 8 : Asking for status - no answer
November 6 : Patched in dev
November 8 : Fix pushed in production

Vuln has been patched.

Edited timeline to match the following :

November 6 :


November 8 :

I would’ve just put the vuln on twitter if they don’t take it seriously after one week. Well done