Bitcoin Forum
October 22, 2017, 08:39:44 AM *
News: Latest stable version of Bitcoin Core: 0.15.0.1  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: How we HACKED cryptocurrency exchange  (Read 163 times)
w4cky
Newbie
*
Offline Offline

Activity: 1


View Profile
July 18, 2017, 06:16:16 AM
 #1

Our company  provides services for more and more businesses involved in the global market of cryptocurrencies such as Bitcoin, Litecoin or Ethereum. It has been developing rapidly as a branch of the financial market. The total capitalisation of digital currencies is estimated at 30 billion dollars. It’s a very tempting target for cybercriminals can become rich instantly without even leaving their homes.

Beatcoin.pl is an online stock exchange of popular cryptocurrencies whose owners requested a penetration test from us before they entered the actual market. It only proved the maturity of the company’s management and the urge to provide the highest safety standards.

Our team, experienced in penetration tests on cryptocurrency stock exchange, currency exchange and other FinTech businesses, realised the main goal of people who attempt to hack such a stock exchange. They want to access wallets containing cryptocurrencies in order to steal from them.

The client provided us with the stock exchange URL and the access to mock user accounts.

We started from a reconaissance which let us gain the real IP address of the stock exchange server from a couple of locations within the system. Then we managed to directly connect to the server, without the necessity of using an original Internet domain protected from DDoS and application attacks by CloudFlare and application firewall (WAF).

Thanks to this operation we came across a number of minor issues in the client’s application, e.g. Cross-site scripting (XSS), Cross-site request forgery (CSRF), Full Path Disclosure, and access to admin panel as well as the database. We weren’t able to log into obtained admin panels and the described errors would let us attack mostly the clients of the stock exchange, but not the application itself. We focused not on attacking admins but on the stock exchange itself.

After a couple of days we found an SQL Injection attack in one of the HTTP headings sent to the server. This attack enabled us to access the database. Thanks to this, we were able to collect information about the stock exchange’s users, change our status and buy bitcoins.

However, stealing this way wouldn’t be possible thanks to a high security level. The owners implemented a safety procedure that obliged the stock exchange’s employees to verify and manually confirm every account withdrawal. What we attempted to do would immediately alarm the employees and such a withdrawal wouldn’t be confirmed.

Of course, the SQL Injection’s critical vulnerability is extremely dangerous. We could download the users’ profile data (login, password), then try to break it and log into the accounts of selected users. Unfortunately, we didn’t know what was the secret sauce in the password protection system.

After next couple of days’ work we managed to make the server send not only result files (HTML, JS) but also source files which let us copy practically all sources of the whole cryptocurrency stock exchange. One of such files included access to cryptocurrency wallets - our mission was accomplished. Every hacker attempting to attack the stock exchange would have it done at that very moment. Stealing the funds proved possible and, apart from gaining access to cryptocurrency wallets, our team was able to reach the wallets of payment gateway providers - quick money transfers and SMS.


At that moment we had it all: the sources of the stock exchange the owners had been developing for months, the access to cruptocurrency wallets and payment gateway providers’ accounts. If we were criminals, we would be able to illegally get rich or launch an identical stock exchange platform without spending a penny on it - we could simply steal the effect of a couple of months’ work from the founders.

Obviously, we haven’t withdrawn any money from the hacked accounts. Instead, we informed the client about the test results. The owners corrected discovered vulnerabilities and asked us to perform a penetration test one more time so that they could be sure the platform is secure.

Being aware of the importance of software safety and potential threats as well as an obligation to protect sensitive data, the company management proved their business maturity. It’s a business safety requirement any entrepreneur can afford, no matter the size of the organisation.

Our work for the FinTech industry show that such issues occur very often in the organisations for which we perform penetration tests. A couple of weeks earlier we also managed to access the wallets of other cryptocurrency stock exchange and Bitcoin exchange.

Everything we do is always compliant with the law. We never attack servers without a specific request from the client. Our goal is to improve the system’s safety.

We would like to congratulate the beatcoin.pl clients for choosing a stock exchange run by people who put safety in the first place.

source: https://zdalnyadmin.com.pl/blog/2017/07/13/jak-wlamalismy-sie-na-gielde-kryptowalut/
1508661584
Hero Member
*
Offline Offline

Posts: 1508661584

View Profile Personal Message (Offline)

Ignore
1508661584
Reply with quote  #2

1508661584
Report to moderator
1508661584
Hero Member
*
Offline Offline

Posts: 1508661584

View Profile Personal Message (Offline)

Ignore
1508661584
Reply with quote  #2

1508661584
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1508661584
Hero Member
*
Offline Offline

Posts: 1508661584

View Profile Personal Message (Offline)

Ignore
1508661584
Reply with quote  #2

1508661584
Report to moderator
1508661584
Hero Member
*
Offline Offline

Posts: 1508661584

View Profile Personal Message (Offline)

Ignore
1508661584
Reply with quote  #2

1508661584
Report to moderator
1508661584
Hero Member
*
Offline Offline

Posts: 1508661584

View Profile Personal Message (Offline)

Ignore
1508661584
Reply with quote  #2

1508661584
Report to moderator
helloal
Member
**
Offline Offline

Activity: 112


View Profile
July 18, 2017, 06:40:39 AM
 #2

As a newbie who hasn't been around during the prominent hacks, its scary how easy it can be for hackers.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!