Bitcoin Forum
November 28, 2021, 08:40:13 AM *
News: Latest Bitcoin Core release: 22.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Bittrex vuln in IP whitelist - ticket open since 3 months - Full disclosure  (Read 210 times)
Xavier59
Hero Member
*****
Offline Offline

Activity: 736
Merit: 545


View Profile
November 05, 2017, 01:04:57 PM
Last edit: November 11, 2017, 12:53:52 PM by Xavier59
 #1

Vulnerability description :

When you are logging from a new IP, Bittrex send you an email asking you to confirme the new IP.
If you are not using 2FA, someone knowing your password can bypass this IP whitelist and thus connect to your account.

Technical informations :

IP is not correctly sanitized in the email sent by Bittrex.
When connecting to bittrex, the X-Forwarded-For header is not sanitized.

To replicate the issue, here is a POC. Set the following rule in Fiddler :
Code:
if(oSession.HostnameIs("bittrex.com")){
oSession.oRequest["X-Forwarded-For"] = "<style>a{visibility: hidden;}</style>";
}

Then, in the Bittrex mail, it will display the following instead of the IP:  "<style>a{visibility: hidden;}</style>", x.x.x.x allowing you to change the style in the mail.
With css3 and selectors, it is then possible to extract the secret token to a domain you control when the user is viewing the mail, allowing you to validate the new IP. (See how to with Stealing the Pie Without Touching the Sill)

Timeline :

During all the process, I have also been raising the ticket through the customer support channel on slack multiple time.

August 17 : vulnerability identified
August 18 : vulnerability reported in ticket #167335
August 27 : ticket reminder
September 1 : aknowledgement from Bittrex
September 2 : Ticket assigned to Bill
September 8 : Asking for status - no answer
October 8 : Asking for status - no answer
November 6 : Patched in dev
November 8 : Fix pushed in production

Regular crypto trader at https://www.bitmex.com/register/tf5P6n | Regular Stock & Forex trader at https://simplefx.com/n/_8220
If you click, contact me and I'll help you setup Wink
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1638088813
Hero Member
*
Offline Offline

Posts: 1638088813

View Profile Personal Message (Offline)

Ignore
1638088813
Reply with quote  #2

1638088813
Report to moderator
1638088813
Hero Member
*
Offline Offline

Posts: 1638088813

View Profile Personal Message (Offline)

Ignore
1638088813
Reply with quote  #2

1638088813
Report to moderator
1638088813
Hero Member
*
Offline Offline

Posts: 1638088813

View Profile Personal Message (Offline)

Ignore
1638088813
Reply with quote  #2

1638088813
Report to moderator
Xavier59
Hero Member
*****
Offline Offline

Activity: 736
Merit: 545


View Profile
November 11, 2017, 12:53:43 PM
 #2

Vuln has been patched.

Edited timeline to match the following :

November 6 :

Quote
Thank you for reporting this issue to us.
Our security team has been able to reproduce your issue and a fix has been checked in. 
You will see the fix in the next deployment to our production environment

November 8 :

Quote
Fix has been pushed to production.  If you find anything else, feel free to message me on Slack.

Regular crypto trader at https://www.bitmex.com/register/tf5P6n | Regular Stock & Forex trader at https://simplefx.com/n/_8220
If you click, contact me and I'll help you setup Wink
mayadin
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
November 11, 2017, 08:18:47 PM
 #3

I would’ve just put the vuln on twitter if they don’t take it seriously after one week. Well done
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!