Bitcoin Forum
November 09, 2024, 01:14:06 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  

Warning: Moderators do not remove likely scams. You must use your own brain: caveat emptor. Watch out for Ponzi schemes. Do not invest more than you can afford to lose.

Pages: [1]
  Print  
Author Topic: Almost Every Crypto Exchangers Have Web Vulnerabilities  (Read 335 times)
melina152 (OP)
Newbie
*
Offline Offline

Activity: 75
Merit: 0


View Profile WWW
June 26, 2018, 06:02:08 AM
Last edit: June 26, 2018, 06:12:20 AM by melina152
 #1

I am researching about crypto exchangers from few days ago about their security.I found almost every exchanger have atleast one security issue.

I do not know how they care their security but they should solve bugs from their web.Otherwise their website may be hack anytime by hacker.
I am not a hacker nor anyting like that.This thread is only for research purposes.

I will try to point out all popular crypto exchangers web vulnerability and how to reproduce it.

1.https://www.bit-z.com/

Vulnerabilty Details:

Cross site scripting


Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /user/signup.

Attack details
URL encoded POST input email was set to sample%40email.tst" eKPi=a4zo([!+!]) Zp4="
The input is reflected inside a tag parameter between double quotes.


The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
Their script should filter metacharacters from user input.




*HTML form without CSRF protection*

Vulnerability description


Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

I found a HTML form with no apparent CSRF protection implemented.

Attack details:

*Form action: https://www.bit-z.com/user/signup
*Form method: POST

*Form inputs:

.email [Text]
.pwd [Password]
.repwd [Password]
.invite_code [Text]

*Form action: https://www.bit-z.com/user/signin
*Form method: GET

*Form inputs:

.email [Text]
.pwd [Password]

*Form action: https://www.bit-z.com/user/signup
*Form method: POST

*Form inputs:

.email [Text]
.pwd [Password]
.repwd [Password]
.invite_code [Text]


The impact of this vulnerability

*An attacker may force the users of a web application to execute actions of the attacker''s choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

*How to fix this vulnerability

They should make that form using html form with CSRF protection.


Clickjacking: X-Frame-Options header missing


Vulnerability description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.


The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.


Affected items
Web Server


The impact of this vulnerability
The impact depends on the affected web application


How to fix this vulnerability
They should configure their web server to include an X-Frame-Options header.

Also they have some more bugs

e.g.  cookie without HTTP only flag set
cookie without secure flag set


I will update here almost all crypto exchangers website vulnerability details one by one.This is not possible to publish web vulnerability details about all crypto currency exchangers at a time.

If anyone found any bugs report here ,So it will better to make a safe crypto world.

octacoincc
Newbie
*
Offline Offline

Activity: 1
Merit: 0


View Profile
June 28, 2018, 01:37:43 PM
 #2

Brilliant post .keep it up.
Sherwood_Archer
Jr. Member
*
Offline Offline

Activity: 126
Merit: 3


View Profile
July 24, 2018, 04:23:47 PM
 #3

Great idea! This is important info for people on the ground level to know because it is all so confusing from down here. No one really knows who to trust, especially if they don't have enough info about the security of a site.

Common sense says that if the platform is reputable and well established it should be worthwhile, but I guess that isn't so true with those high profile hacks. What do you think about major platforms like binance, kracken, bitstamp, coinbase, etc? Is anything truly secure anymore?
bongnor531
Newbie
*
Offline Offline

Activity: 114
Merit: 0


View Profile
July 26, 2018, 12:55:25 PM
 #4

I expect that no site (or anything in this world) can be always 100% safe. Even the biggest ones had several breakdowns and there always be opportunities for hackers. One should always use common sense and read after as much as possible that is the most a single person with no coding experience or advanced IT skills can do.
melina152 (OP)
Newbie
*
Offline Offline

Activity: 75
Merit: 0


View Profile WWW
February 20, 2019, 04:24:44 PM
 #5

Great idea! This is important info for people on the ground level to know because it is all so confusing from down here. No one really knows who to trust, especially if they don't have enough info about the security of a site.

Common sense says that if the platform is reputable and well established it should be worthwhile, but I guess that isn't so true with those high profile hacks. What do you think about major platforms like binance, kracken, bitstamp, coinbase, etc? Is anything truly secure anymore?
Surely every exchange platform have some security fault.
coin-investor
Hero Member
*****
Offline Offline

Activity: 3010
Merit: 608


Leading Crypto Sports Betting & Casino Platform


View Profile
March 11, 2019, 11:40:04 AM
 #6

One of the weakest is Cryptopia after they got hacked again, but I believe not every exchange, securities are evolving and some of the exchanges are upgrading their system, Kucoin one of my favorite exchange has a good security I hope it will stay that way to attract more traders.

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
melina152 (OP)
Newbie
*
Offline Offline

Activity: 75
Merit: 0


View Profile WWW
March 16, 2019, 02:31:49 AM
 #7

One of the weakest is Cryptopia after they got hacked again, but I believe not every exchange, securities are evolving and some of the exchanges are upgrading their system, Kucoin one of my favorite exchange has a good security I hope it will stay that way to attract more traders.

I warned to cryptopia about their website bugs by message but they ignored me and i did not get a reply from them and hackers did their job.
stomachgrowls
Hero Member
*****
Offline Offline

Activity: 3038
Merit: 795



View Profile
March 16, 2019, 09:57:45 AM
 #8

One of the weakest is Cryptopia after they got hacked again, but I believe not every exchange, securities are evolving and some of the exchanges are upgrading their system, Kucoin one of my favorite exchange has a good security I hope it will stay that way to attract more traders.

I warned to cryptopia about their website bugs by message but they ignored me and i did not get a reply from them and hackers did their job.
So do you mean that the thing/bugs you have discovered is the main reason why they get hacked? If it is then they are unlucky why they do let that simple message of yours
being ignored.  Smiley


All exchangers do have vulnerabilities even the most popular ones thats why its always be a safe practice as an exchange user to set 2fa on your account or just simply dont let your funds
sits too long on exchange accounts. People do only learn when its too late.

███████████████████████████
███████▄████████████▄██████
████████▄████████▄████████
███▀█████▀▄███▄▀█████▀███
█████▀█▀▄██▀▀▀██▄▀█▀█████
███████▄███████████▄███████
███████████████████████████
███████▀███████████▀███████
████▄██▄▀██▄▄▄██▀▄██▄████
████▄████▄▀███▀▄████▄████
██▄███▀▀█▀██████▀█▀███▄███
██▀█▀████████████████▀█▀███
███████████████████████████
.
.Duelbits.
..........UNLEASH..........
THE ULTIMATE
GAMING EXPERIENCE
DUELBITS
FANTASY
SPORTS
████▄▄█████▄▄
░▄████
███████████▄
▐███
███████████████▄
███
████████████████
███
████████████████▌
███
██████████████████
████████████████▀▀▀
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀
.
▬▬
VS
▬▬
████▄▄▄█████▄▄▄
░▄████████████████▄
▐██████████████████▄
████████████████████
████████████████████▌
█████████████████████
███████████████████
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀
/// PLAY FOR  FREE  ///
WIN FOR REAL
..PLAY NOW..
alexcopper
Member
**
Offline Offline

Activity: 280
Merit: 12


View Profile
April 11, 2019, 12:16:54 AM
 #9

you could also look to see who complies with AML regs and compliance monitoring through legit cyber security firms like Ciphertrace. more are starting to move in this direction due to all the scams and vulnerabilities that are present
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!