How we hacked yet another cryptocurrency stock exchange

in #cryptocurrency7 years ago

Our company ZdalnyAdmin.com.pl provides services for more and more businesses involved in the global market of cryptocurrencies such as Bitcoin, Litecoin or Ethereum. It has been developing rapidly as a branch of the financial market. The total capitalisation of digital currencies is estimated at 30 billion dollars. It’s a very tempting target for cybercriminals can become rich instantly without even leaving their homes.

Beatcoin.pl is an online stock exchange of popular cryptocurrencies whose owners requested a penetration test from us before they entered the actual market. It only proved the maturity of the company’s management and the urge to provide the highest safety standards.

Our team, experienced in penetration tests on cryptocurrency stock exchange, currency exchange and other FinTech businesses, realised the main goal of people who attempt to hack such a stock exchange. They want to access wallets containing cryptocurrencies in order to steal from them.

The client provided us with the stock exchange URL and the access to mock user accounts.

We started from a reconaissance which let us gain the real IP address of the stock exchange server from a couple of locations within the system. Then we managed to directly connect to the server, without the necessity of using an original Internet domain protected from DDoS and application attacks by CloudFlare and application firewall (WAF).

Thanks to this operation we came across a number of minor issues in the client’s application, e.g. Cross-site scripting (XSS), Cross-site request forgery (CSRF), Full Path Disclosure, and access to admin panel as well as the database. We weren’t able to log into obtained admin panels and the described errors would let us attack mostly the clients of the stock exchange, but not the application itself. We focused not on attacking admins but on the stock exchange itself.

After a couple of days we found an SQL Injection attack in one of the HTTP headings sent to the server. This attack enabled us to access the database. Thanks to this, we were able to collect information about the stock exchange’s users, change our status and buy bitcoins.

However, stealing this way wouldn’t be possible thanks to a high security level. The owners implemented a safety procedure that obliged the stock exchange’s employees to verify and manually confirm every account withdrawal. What we attempted to do would immediately alarm the employees and such a withdrawal wouldn’t be confirmed.

Of course, the SQL Injection’s critical vulnerability is extremely dangerous. We could download the users’ profile data (login, password), then try to break it and log into the accounts of selected users. Unfortunately, we didn’t know what was the secret sauce in the password protection system.

After next couple of days’ work we managed to make the server send not only result files (HTML, JS) but also source files which let us copy practically all sources of the whole cryptocurrency stock exchange. One of such files included access to cryptocurrency wallets - our mission was accomplished. Every hacker attempting to attack the stock exchange would have it done at that very moment. Stealing the funds proved possible and, apart from gaining access to cryptocurrency wallets, our team was able to reach the wallets of payment gateway providers - quick money transfers and SMS.

At that moment we had it all: the sources of the stock exchange the owners had been developing for months, the access to cruptocurrency wallets and payment gateway providers’ accounts. If we were criminals, we would be able to illegally get rich or launch an identical stock exchange platform without spending a penny on it - we could simply steal the effect of a couple of months’ work from the founders.

Obviously, we haven’t withdrawn any money from the hacked accounts. Instead, we informed the client about the test results. The owners corrected discovered vulnerabilities and asked us to perform a penetration test one more time so that they could be sure the platform is secure.

Being aware of the importance of software safety and potential threats as well as an obligation to protect sensitive data, the company management proved their business maturity. It’s a business safety requirement any entrepreneur can afford, no matter the size of the organisation.

Our work for the FinTech industry show that such issues occur very often in the organisations for which we perform penetration tests. A couple of weeks earlier we also managed to access the wallets of other cryptocurrency stock exchange and Bitcoin exchange.

Everything we do is always compliant with the law. We never attack servers without a specific request from the client. Our goal is to improve the system’s safety.

We would like to congratulate the beatcoin.pl clients for choosing a stock exchange run by people who put safety in the first place.

https://zdalnyadmin.com.pl/blog/2017/07/13/jak-wlamalismy-sie-na-gielde-kryptowalut/

Sort:  

it would be nice if you would add some pictures, it would make reading more easy.

Thanks for the advice

Really interesting stuff man. Would love an interview with you at some point, to write up in my Threat Intelligence blog I gave you a follow, and if you'll comment with some point of contact I'd love to contact you and set up an interview.

Hi, please send me mail to address Ymxhc3pjemFrbUBnbWFpbC5jb20=

Good article. Always store crypto offline on a hardware wallet when you want to be safe for hackers:

https://steemit.com/crypto/@niel96/fkxwctmxw

Coin Marketplace

STEEM 0.25
TRX 0.20
JST 0.038
BTC 93413.26
ETH 3418.78
USDT 1.00
SBD 3.80