Bitcoin Forum

Alternate cryptocurrencies => Service Discussion (Altcoins) => Topic started by: hatshepsut93 on April 05, 2019, 12:41:14 AM



Title: Public vulnerability disclosure - CSRF in Bountyportals
Post by: hatshepsut93 on April 05, 2019, 12:41:14 AM
Bountyportals (https://app.bountyportals.com/) is a popular platform for bounty hunters, and unfortunately it has pretty bad security. 10 days ago I discovered a Cross-site Request Forgery vulnerability on this site and immediately contacted the owner (irfan_pak10). He told me that his developer will check it, but the vulnerability is still there today, even though it's very easy to fix it.

1. POC

Log in to a bountyportals account (create one if necessary), then visit my demo site from the same browser in a different tab: https://codepen.io/learningtocodein2018/pen/LaMMXB

This will change your ETH address into "hacked" on your profile page.

2. Impact

Attackers can easily replace users' account details with their own if users visit the attacker's site and are logged into their bountyportals account. Probably the worst thing attackers can do is replace the victim's ETH and BTC addresses with their own, thus stealing money on future payouts.

3. Mitigation

I'm making this report in order to help people protect their accounts, so here's a list of tips:

  • log in to bountyportals only with a secondary browser or in incognito mode
  • always manually log out when you are done
  • install the NoScript add-on for your browser
  • always verify that the address in your profile is still yours
  • don't visit shady sites, don't click on suspicious links
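
Added example, not part of the original post and not Bountyportals' code: a server-side check that rejects forged profile updates using a session-bound token plus an Origin check. The origin, key handling, handler and field names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions (hypothetical, not taken from the site): the app's own origin,
# a per-deployment secret kept server-side, and the form field names.
TRUSTED_ORIGIN = "https://app.example.test"
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; rendered into the profile form as a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_forged(method: str, headers: dict, session_id: str, form: dict) -> bool:
    """Return True when a state-changing request must be rejected."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return False  # safe methods; handlers for them must never change state
    # 1. Browsers attach Origin to cross-site POSTs: reject any foreign origin.
    #    (Header names are assumed to be normalised by the framework.)
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return True
    # 2. Another site cannot read the token from our page, so it cannot send it.
    #    The session cookie alone, which the browser attaches automatically,
    #    is therefore no longer enough to authorise the change.
    supplied = str(form.get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    return not hmac.compare_digest(supplied.encode(), expected.encode())


def update_profile(profile: dict, method: str, headers: dict,
                   session_id: str, form: dict) -> int:
    """Hypothetical handler for the profile form holding the payout address."""
    if is_forged(method, headers, session_id, form):
        return 403
    profile["eth_address"] = form["eth_address"]
    return 200


if __name__ == "__main__":
    sid = "constructed-session-id"          # constructed sample data
    profile = {"eth_address": "0xUSER"}
    ok = {"csrf_token": issue_csrf_token(sid), "eth_address": "0xNEW"}
    print(update_profile(profile, "POST", {"Origin": TRUSTED_ORIGIN}, sid, ok))
    cross = {"eth_address": "hacked"}       # cross-site request carries no token
    print(update_profile(profile, "POST", {"Origin": "https://other.example"}, sid, cross))
    print(profile)
```

Setting SameSite=Lax or SameSite=Strict on the session cookie is a complementary browser-side control.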


Title: Re: Public vulnerability disclosure - CSRF in Bountyportals
Post by: elda34b on April 05, 2019, 01:22:59 PM
Have you notified Bountyportal about this? Or posted on their ANN thread directly? I think that way they can respond more quickly because I doubt Bountyportal guys lurk in this board 24/7.

Hopefully, no one uses this 'bug' to steal somebody's work.


Title: Re: Public vulnerability disclosure - CSRF in Bountyportals
Post by: hatshepsut93 on April 05, 2019, 02:20:32 PM
> Have you notified Bountyportal about this? Or posted on their ANN thread directly? I think that way they can respond more quickly because I doubt Bountyportal guys lurk in this board 24/7.

Yes I did, it's in the post:

> 10 days ago I discovered a Cross-site Request Forgery vulnerability on this site and immediately contacted the owner (irfan_pak10). He told me that his developer will check it, but the vulnerability is still there today, even though it's very easy to fix it.

10 days is more than enough time to fix it, a good programmer would fix it in an hour or two, so I have disclosed this vulnerability publicly to warn the users about it, because they are in danger and the owner seems unwilling to fix it.


Title: Re: Public vulnerability disclosure - CSRF in Bountyportals
Post by: Crypto Girl on April 08, 2019, 07:58:51 AM

> 10 days is more than enough time to fix it, a good programmer would fix it in an hour or two, so I have disclosed this vulnerability publicly to warn the users about it, because they are in danger and the owner seems unwilling to fix it.
Shoot, that's too bad and seems the owner doesn't care about the people using it. I'm betting eventually some will rant here that their account got hacked. Hope this serves as a warning.

> Hopefully, no one uses this 'bug' to steal somebody's work.
They now have an idea since you said it.