Bitcoin Forum
Topic: Public vulnerability disclosure - CSRF in Bountyportals

hatshepsut93 (OP), April 05, 2019, 12:41:14 AM, #1

Bountyportals (https://app.bountyportals.com/) is a popular platform for bounty hunters, and unfortunately it has pretty bad security. 10 days ago I discovered a Cross-site Request Forgery vulnerability on this site and immediately contacted the owner (irfan_pak10). He told me that his developer would check it, but the vulnerability is still there today, even though it's very easy to fix.

1. POC

Log into your bountyportals account (create one if necessary), then visit my demo site from the same browser in a different tab: https://codepen.io/learningtocodein2018/pen/LaMMXB

This will change your ETH address into "hacked" on your profile page.

2. Impact

Attackers can easily replace users' account details with their own if users visit the attacker's site while logged into their bountyportals account. Probably the worst thing attackers can do is replace the victim's ETH and BTC addresses with their own, thus stealing money on future payouts.

3. Mitigation

I'm making this report in order to help people protect their accounts, so here's a list of tips:

  • log into bountyportals only with a secondary browser or in incognito mode
  • always manually log out when you are done
  • install the NoScript addon for your browser
  • always verify that the address in your profile is still yours
  • don't visit shady sites, don't click on suspicious links
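The server-side fix the post calls easy is the synchronizer token pattern: the profile form carries a per-session secret that a page on another origin cannot read, and the update handler rejects any POST without it. The following is an added example, not Bountyportals' code or the poster's demo; the in-memory stores, the function names and the sample addresses are all constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the site's session and profile tables.
SESSIONS = {}  # session id (cookie value) -> {"user": ..., "csrf_token": ...}
PROFILES = {}  # user -> {"eth_address": ...}

def login(user):
    """Issue a session and a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    PROFILES.setdefault(user, {"eth_address": None})
    return sid

def render_profile_form(sid):
    """The server embeds the token in its own profile form; a page on another
    origin cannot read it because of the same-origin policy."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}

def update_eth_address_vulnerable(sid, form):
    """'Before': only the session cookie is checked, so any page the victim
    visits can auto-submit this form and the browser will attach the cookie."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    PROFILES[sess["user"]]["eth_address"] = form["eth_address"]
    return 200

def update_eth_address_fixed(sid, form):
    """'After': the POST must carry the token that only the real site's form has."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    # compare_digest keeps the comparison constant-time
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf_token"]):
        return 403  # no (or wrong) token: treat as a forged request
    PROFILES[sess["user"]]["eth_address"] = form["eth_address"]
    return 200

def simulate_cross_site_post(handler):
    """Victim is logged in; an attacker page submits the profile form with the
    victim's cookie but without the token it cannot read. Returns (status, stored address)."""
    sid = login("victim")
    PROFILES["victim"]["eth_address"] = "0xVICTIM"  # constructed sample value
    forged = {"eth_address": "hacked"}  # no csrf_token field
    return handler(sid, forged), PROFILES["victim"]["eth_address"]
```

Setting the session cookie with SameSite=Lax or Strict is a complementary defence, but the token check is what makes the handler itself safe.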
elda34b, April 05, 2019, 01:22:59 PM, #2

Have you notified Bountyportal about this? Or post on their ANN thread directly? I think that way they can respond more quickly because I doubt Bountyportal guys lurk in this board 24/7.

Hopefully, no one uses this 'bug' to steal somebody's work.
hatshepsut93 (OP), April 05, 2019, 02:20:32 PM, #3

> Have you notified Bountyportal about this? Or post on their ANN thread directly? I think that way they can respond more quickly because I doubt Bountyportal guys lurk in this board 24/7.

Yes I did, it's in the post:

> 10 days ago I discovered a Cross-site Request Forgery vulnerability on this site and immediately contacted the owner (irfan_pak10). He told me that his developer would check it, but the vulnerability is still there today, even though it's very easy to fix.

10 days is more than enough time to fix it; a good programmer would fix it in an hour or two. So I have disclosed this vulnerability publicly to warn the users about it, because they are in danger and the owner seems unwilling to fix it.
Crypto Girl, April 08, 2019, 07:58:51 AM, #4

> 10 days is more than enough time to fix it, a good programmer would fix it in an hour or two, so I have disclosed this vulnerability publicly to warn the users about it, because they are in danger and the owner seems unwilling to fix it.
Shoot, that's too bad, and it seems the owner doesn't care about the people using it. I'm betting eventually some will rant here that their account got hacked. Hope this serves as a warning.

> Hopefully, no one uses this 'bug' to steal somebody's work.
They now have an idea since you said it.