Yobit withdrawal email check-up vulnerable

[Xavier59]

Hi,

Yobit has several options to protect against withdrawals in case your account has been compromised.
In letter settings, it has an option called : "Send confirmation letter at withdrawal request".
This one can be deactivated without the user agreement.

When you try to disable this option, Yobit send a mail to ask you for deactivation. If you click on the link contained on the email, it deactivate the option.

Most of mail agent have something called "Link Preview" activated by default. They load the page to get the user a preview of the page.
Yobit do not check if the user is authentificated when disabling the option.
This result in the fact that when opening the mail, even if you do not click the link, the letter at withdrawal request will be deactivated.

Proof of Concept, using a famous mail agent, Outlook :



This also work for apikey creation. You can create withdrawal apikey the same way, by the user just viewing the mail.

Timeline of disclosure :

02/11/2016 : Reported the vulnerability to Yobit support. No answer. Not fixed.
27/12/2016 : Public disclosure.

[rockmoney]

I am having issues withdrawing several altcoins I recently purchased on yo-bit. For over 3 weeks now, the wallet status for the coins I want to withdraw have been in "maintenance" status. I contacted yo-bit support on 2016-12-09 15:54:16 & still have not received a reply. If I am ever able to withdraw these coins, I will never use yo-bit exchange again & would advise others the same (or at least to use with extreme caution)!

Just an FYI - Here are some of the coins it has not allowed me to withdraw for several weeks:  BitBean [BITB], PayCon [CON], 1337 [1337], Chronos [CRX], SuperTurboStake [STRB], & a couple others - the big ones are Bitbean (purchased 333,333 coins), & PayCon (purchased 20,833 coins).

Thankfully, none of them are tremendously valuable but I purchased them for PoS mining, which I can't do without transferring the coins to my wallets so I can begin staking. Extremely disappointed & frustrated with yo-bit, & they have lost a good customer simply because of their ignorance (I have contacted support twice with 2 separate tickets, & 20 days have passed without any response whatsoever)..

[Xavier59]

Yobit not answering tickets and have some vulns, take care.
BOUM !

[aioc]

I have not used this feature,my withdrawal has no issues at all,I've got it coming within a few minutes,i don't know maybe because it's just a small amount always,I just notice that in the past 4 days the site loads very slow and they always had a downtime.