Title: Public vulnerability disclosure - CSRF in Bountyportals
Post by: hatshepsut93 on April 05, 2019, 12:41:14 AM

Bountyportals (https://app.bountyportals.com/) is a popular platform for bounty hunters, and unfortunately it has pretty bad security. 10 days ago I discovered a Cross-site Request Forgery vulnerability on this site and immediately contacted the owner (irfan_pak10). He told me that his developer would check it, but the vulnerability is still there today, even though it's very easy to fix it.

1. POC
Log into a bountyportals account (create one if necessary), then visit my demo site from the same browser in a different tab: https://codepen.io/learningtocodein2018/pen/LaMMXB
This will change your ETH address into "hacked" on your profile page.

2. Impact
Attackers can easily replace users' account details with their own if users visit the attacker's site while logged into their bountyportals account. Probably the worst thing attackers can do is replace the victim's ETH and BTC addresses with their own, thus stealing money on future payouts.

3. Mitigation
I'm making this report in order to help people protect their accounts, so here's a list of tips:

Title: Re: Public vulnerability disclosure - CSRF in Bountyportals
Post by: elda34b on April 05, 2019, 01:22:59 PM

Have you notified Bountyportal about this? Or posted on their ANN thread directly? I think that way they can respond more quickly because I doubt Bountyportal guys lurk in this board 24/7.

Hopefully, no one uses this 'bug' to steal somebody's work.

Title: Re: Public vulnerability disclosure - CSRF in Bountyportals
Post by: hatshepsut93 on April 05, 2019, 02:20:32 PM

Have you notified Bountyportal about this? Or posted on their ANN thread directly? I think that way they can respond more quickly because I doubt Bountyportal guys lurk in this board 24/7.

Yes I did, it's in the post:

10 days ago I discovered a Cross-site Request Forgery vulnerability on this site and immediately contacted the owner (irfan_pak10). He told me that his developer would check it, but the vulnerability is still there today, even though it's very easy to fix it.

10 days is more than enough time to fix it, a good programmer would fix it in an hour or two, so I have disclosed this vulnerability publicly to warn the users about it, because they are in danger and the owner seems unwilling to fix it.

Title: Re: Public vulnerability disclosure - CSRF in Bountyportals
Post by: Crypto Girl on April 08, 2019, 07:58:51 AM

10 days is more than enough time to fix it, a good programmer would fix it in an hour or two, so I have disclosed this vulnerability publicly to warn the users about it, because they are in danger and the owner seems unwilling to fix it.

Hopefully, no one uses this 'bug' to steal somebody's work.

They now have an idea since you said it.
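
Added example, not part of the thread and not Bountyportals' code: a minimal server-side check of the kind that blocks the cross-site profile change described in the first post, combining an Origin check with a session-bound token. The handler `update_profile`, the origin `https://portal.example`, the field names and the sample requests are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)        # per-deployment server secret
TRUSTED_ORIGIN = "https://portal.example"   # placeholder origin (assumption)

def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in its own profile form, bound to the session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def is_forged(method: str, headers: dict, session_id: str, form: dict) -> bool:
    """True when a state-changing request fails the CSRF checks."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return False                        # safe methods must never change state
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return True                         # browser reports another site as sender
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    return not hmac.compare_digest(supplied, expected)   # constant-time compare

def update_profile(profiles, method, headers, session_id, form):
    """Hypothetical profile-update handler; returns an HTTP-style status code."""
    if session_id not in profiles:
        return 401
    if is_forged(method, headers, session_id, form):
        return 403
    profiles[session_id]["eth_address"] = form["eth_address"]
    return 200

def demo():
    # Constructed sample data: one logged-in session and two POST requests.
    sid = "session-abc"
    profiles = {sid: {"eth_address": "0xOWNER"}}
    # Cross-site form post: the session cookie is attached by the browser, but
    # the other site cannot read the token, so the field is missing.
    cross = update_profile(profiles, "POST", {"Origin": "https://other.example"},
                           sid, {"eth_address": "hacked"})
    kept = profiles[sid]["eth_address"]
    # Request from the site's own form, carrying the token it was served.
    own = update_profile(profiles, "POST", {"Origin": TRUSTED_ORIGIN}, sid,
                         {"eth_address": "0xNEW", "csrf_token": issue_csrf_token(sid)})
    return cross, kept, own, profiles[sid]["eth_address"]

if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer on top of this check.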