Bountyportals (
https://app.bountyportals.com/) is a popular platform for bounty hunters, and unfortunately it has pretty bad security. 10 days ago I've discovered a Cross-site Request Forgery vulnerability on this site and immediately contacted the owner (irfan_pak10). He told me that his developer will check it, but the vulnerability is still there today, even though it's very easy to fix it.
1. POC
Login into bountyportals account (create one if necessary), then visit my demo site from the same browser in a different tab:
https://codepen.io/learningtocodein2018/pen/LaMMXBThis will change your ETH address into "hacked" on your profile page.
2. Impact
Attackers can easily replace users account details with their own if users will visit attacker's site and are logged into their bountyportals account. Probably the worst thing attackers can do is replace victim's ETH and BTC addresses with their own, thus stealing money on future payouts.
3. Mitigation
I'm making this report in order to help people protect their accounts, so here's a list of tips:
- login into bountyportals only with secondary browser or in incognito mode
- always manually log out when you are done
- install noscript addon for your browser
- always verify that the address in your profile is still yours
- don't visit shady sites, don't click on suspicious links
