
Topic: Bittrex vuln in IP whitelist - ticket open since 3 months - Full disclosure (Read 259 times)

full member
Activity: 154
Merit: 100
I would’ve just put the vuln on Twitter if they didn’t take it seriously after one week. Well done.
hero member
Activity: 729
Merit: 545
Vuln has been patched.

Edited timeline to match the following:

November 6:

Quote
Thank you for reporting this issue to us.
Our security team has been able to reproduce your issue and a fix has been checked in.
You will see the fix in the next deployment to our production environment.

November 8:

Quote
Fix has been pushed to production. If you find anything else, feel free to message me on Slack.
hero member
Activity: 729
Merit: 545
Vulnerability description:

When you are logging in from a new IP, Bittrex sends you an email asking you to confirm the new IP.
If you are not using 2FA, someone who knows your password can bypass this IP whitelist and thus connect to your account.

Technical information:

The IP is not correctly sanitized in the email sent by Bittrex.
When connecting to Bittrex, the X-Forwarded-For header is not sanitized.

To replicate the issue, here is a PoC. Set the following rule in Fiddler:
Code:
// FiddlerScript: place inside OnBeforeRequest(oSession) in CustomRules.js
if (oSession.HostnameIs("bittrex.com")) {
    // overwrite the X-Forwarded-For request header with the injected value
    oSession.oRequest["X-Forwarded-For"] = "";
}

Then, in the Bittrex mail, it will display the following instead of the IP: "", x.x.x.x, allowing you to change the style in the mail.
With CSS3 and selectors, it is then possible to extract the secret token to a domain you control when the user is viewing the mail, allowing you to validate the new IP. (See how in "Stealing the Pie Without Touching the Sill".)

Timeline:

During the whole process, I have also been raising the ticket through the customer support channel on Slack multiple times.

August 17: vulnerability identified
August 18: vulnerability reported in ticket #167335
August 27: ticket reminder
September 1: acknowledgement from Bittrex
September 2: ticket assigned to Bill
September 8: asking for status - no answer
October 8: asking for status - no answer
November 6: patched in dev
November 8: fix pushed to production
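Added example, not Bittrex's code nor the poster's: the server-side handling that closes the class of bug described in this thread. The address recorded for the new-IP check is taken from X-Forwarded-For only when the socket peer is a trusted proxy, every hop must parse as a bare IP literal, and the value is HTML-escaped when the confirmation mail is rendered, so header content can never become markup. The trusted proxy address and the sample inputs are constructed.

```python
import html
import ipaddress

# Constructed: reverse proxies that sit in front of the app and append an honest hop to
# X-Forwarded-For. Everything to the left of that hop is under the client's control.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def parse_ip(value):
    """Return an ip_address object, or None if value is not a bare IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Derive the client address to use for the new-IP whitelist check.

    If the socket peer is not a trusted proxy, the header is ignored entirely.
    Otherwise walk X-Forwarded-For from the right (nearest, proxy-appended hop),
    skip trusted proxies, and take the first remaining hop. Any hop that is not
    a valid IP literal means the header was tampered with; fall back to the peer.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("remote_addr must be an IP literal")
    if peer not in trusted_proxies or not xff_header:
        return peer
    for hop in reversed(xff_header.split(",")):
        addr = parse_ip(hop)
        if addr is None:
            return peer
        if addr not in trusted_proxies:
            return addr
    return peer


def new_ip_email(ip, confirm_url):
    """HTML body of the confirmation mail. The IP is already a validated literal,
    and both values are escaped anyway so no input can inject tags or styles."""
    return (
        "<p>New login from IP {ip}. Confirm it here: "
        '<a href="{url}">{url}</a></p>'
    ).format(ip=html.escape(str(ip), quote=True), url=html.escape(confirm_url, quote=True))
```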