
Topic: Almost Every Crypto Exchangers Have Web Vulnerabilities (Read 309 times)

member
Activity: 280
Merit: 12
You could also look to see who complies with AML regs and compliance monitoring through legit cyber security firms like Ciphertrace. More are starting to move in this direction due to all the scams and vulnerabilities that are present.
hero member
Activity: 2828
Merit: 767
One of the weakest is Cryptopia after they got hacked again, but I believe not every exchange; security is evolving and some of the exchanges are upgrading their systems. Kucoin, one of my favorite exchanges, has good security; I hope it will stay that way to attract more traders.

I warned Cryptopia about their website bugs by message, but they ignored me and I did not get a reply from them, and hackers did their job.
So do you mean that the bugs you have discovered are the main reason why they got hacked? If so, then they are unlucky that they let that simple message of yours be ignored.


All exchangers do have vulnerabilities, even the most popular ones; that's why it is always a safe practice as an exchange user to set 2FA on your account or simply not let your funds sit too long in exchange accounts. People only learn when it's too late.
newbie
Activity: 75
Merit: 0
One of the weakest is Cryptopia after they got hacked again, but I believe not every exchange; security is evolving and some of the exchanges are upgrading their systems. Kucoin, one of my favorite exchanges, has good security; I hope it will stay that way to attract more traders.

I warned Cryptopia about their website bugs by message, but they ignored me and I did not get a reply from them, and hackers did their job.
hero member
Activity: 2814
Merit: 571
One of the weakest is Cryptopia after they got hacked again, but I believe not every exchange; security is evolving and some of the exchanges are upgrading their systems. Kucoin, one of my favorite exchanges, has good security; I hope it will stay that way to attract more traders.
newbie
Activity: 75
Merit: 0
Great idea! This is important info for people on the ground level to know because it is all so confusing from down here. No one really knows who to trust, especially if they don't have enough info about the security of a site.

Common sense says that if the platform is reputable and well established it should be worthwhile, but I guess that isn't so true with those high profile hacks. What do you think about major platforms like Binance, Kraken, Bitstamp, Coinbase, etc.? Is anything truly secure anymore?
Surely every exchange platform has some security fault.
newbie
Activity: 114
Merit: 0
I expect that no site (or anything in this world) can always be 100% safe. Even the biggest ones have had several breakdowns and there will always be opportunities for hackers. One should always use common sense and read up as much as possible; that is the most a single person with no coding experience or advanced IT skills can do.
jr. member
Activity: 126
Merit: 3
Great idea! This is important info for people on the ground level to know because it is all so confusing from down here. No one really knows who to trust, especially if they don't have enough info about the security of a site.

Common sense says that if the platform is reputable and well established it should be worthwhile, but I guess that isn't so true with those high profile hacks. What do you think about major platforms like Binance, Kraken, Bitstamp, Coinbase, etc.? Is anything truly secure anymore?
newbie
Activity: 1
Merit: 0
Brilliant post. Keep it up.
newbie
Activity: 75
Merit: 0
I have been researching the security of crypto exchangers for a few days. I found that almost every exchanger has at least one security issue.

I do not know how they take care of their security, but they should fix the bugs on their websites. Otherwise their website may be hacked at any time by a hacker.
I am not a hacker nor anything like that. This thread is only for research purposes.

I will try to point out the web vulnerabilities of all popular crypto exchangers and how to reproduce them.

1. https://www.bit-z.com/

Vulnerability Details:

Cross site scripting


Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /user/signup.

Attack details
URL encoded POST input email was set to sample%40email.tst" eKPi=a4zo([!+!]) Zp4="
The input is reflected inside a tag parameter between double quotes.


The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
Their script should filter metacharacters from user input.




*HTML form without CSRF protection*

Vulnerability description


Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

I found an HTML form with no apparent CSRF protection implemented.

Attack details:

*Form action: https://www.bit-z.com/user/signup
*Form method: POST

*Form inputs:

.email [Text]
.pwd [Password]
.repwd [Password]
.invite_code [Text]

*Form action: https://www.bit-z.com/user/signin
*Form method: GET

*Form inputs:

.email [Text]
.pwd [Password]

*Form action: https://www.bit-z.com/user/signup
*Form method: POST

*Form inputs:

.email [Text]
.pwd [Password]
.repwd [Password]
.invite_code [Text]


The impact of this vulnerability

*An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

*How to fix this vulnerability

They should build that form as an HTML form with CSRF protection.


Clickjacking: X-Frame-Options header missing


Vulnerability description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.


The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.


Affected items
Web Server


The impact of this vulnerability
The impact depends on the affected web application


How to fix this vulnerability
They should configure their web server to include an X-Frame-Options header.

Also, they have some more bugs,

e.g. cookie without HttpOnly flag set
cookie without Secure flag set


I will post here the website vulnerability details of almost all crypto exchangers one by one. It is not possible to publish web vulnerability details about all cryptocurrency exchangers at one time.

If anyone finds any bugs, report them here, so it will be better for making a safe crypto world.
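
An added example, not part of the original post and not any exchange's code: a defender-side check for the last findings in the opening post (missing X-Frame-Options, cookies without the HttpOnly or Secure flag), run over a response head from your own site. Both sample responses are constructed, the names `parse_head` and `audit` are chosen here, and the check also accepts a CSP `frame-ancestors` directive, which the post does not mention, as a framing control.

```python
# Added example: audit a raw HTTP response head for the header and cookie
# findings listed in the post. Both sample responses are constructed.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=constructed-value; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=constructed-value; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return (lowercased-name, value) pairs; repeated headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return sorted findings for missing framing control and cookie flags."""
    headers = parse_head(raw)
    findings = []
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    csp = [v.lower() for n, v in headers if n == "content-security-policy"]
    framing_ok = any(v in ("DENY", "SAMEORIGIN") for v in xfo) or any(
        "frame-ancestors" in v for v in csp)
    if not framing_ok:
        findings.append("no framing control (X-Frame-Options / frame-ancestors)")
    for value in (v for n, v in headers if n == "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name}: {flag} flag not set")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(WEAK_RESPONSE)) or "no findings")
```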
