![]() ![]() It turns out that when a user is directed to Coinbase to authorize an application to access their account, Coinbase generates a token which is submitted along with the request when the user clicks the authorize button. One of his posts, “The Most Common OAuth2 Vulnerability” gave me some ideas of what to look for. Egor Homakov has posted some interesting attacks against common implementations of the OAuth2 protocol on his blog. The API allows users to authenticate to their own account with an API key, or use OAuth2 to grant authorization for a 3rd party app to interact with their Coinbase account. Coinbase presents a standard REST API for their system which allows developers to interact with user accounts. Insecure OAuth Application Approval #Īfter giving the site a look over for XSS/injection vulnerabilities I moved on to look at what else on the site was open for exploitation. I reported this issue to the Coinbase team and they had it fixed in a couple of hours. Persistent XSS affect all customers of a merchant Coinbase have taken steps to mitigate the impact of any XSS vulnerabilities by setting their session cookies to be HttpOnly, which cannot not be read with Javascript, preventing an attacker from high jacking the users session It looks perfectly normal, but when a user either completes payment or cancels the checkout process and wants to return to the original page, the malicious javascript is executed in the context of their Coinbase session and could potentially transfer their entire BTC balance to the attacker’s Bitcoin address. I created a malicious checkout page as a proof-of-concept. I simply had to put a comment after my malicious javascript code containing “ and it was stored in the database. Unfortunately for Coinbase, it looked like they made a mistake with their regular expression to sanitize this input and were only checking that or occurred anywhere in the provided URL. At first, it looked like they were checking if the callback URLs were valid and began with or and were blocking my basic attempts to redirect users to javascript: addresses. Merchants have the ability to set up checkout pages, which they can direct users and easily receive bitcoin payments. #Īfter reporting the first XSS vulnerability, I continued searching their website. Persistent XSS on Merchant Checkout Pages. The Coinbase team still sent me 1 BTC for it. I reported the vulnerability to Coinbase but who referred me to the Coinbase bug bounty program had reported it independently a few hours before. Bingo! We have found a reflected XSS vulnerability on Coinbase with a known vulnerability in third party code (CVE-2013-1808). In this case it was also uploaded but not referenced. swf file is typically bundled with ZeroClipboard10.swf. I recalled reading an advisory about this swf file before, but on first tests it did not appear to be exploitable. I quickly saw references to a file, in the main CSS file. Previously I have had some successes finding XSS vulnerabilities in Flash. This was supported by the fact Coinbase’s founder Brian Armstrong had a lot of Ruby snippets on his Github Gist and some more Ruby questions on his Stack Overflow account. ![]() I quickly determined it was running Ruby on Rails based on the encoding of the “_coinbase_session” cookie. When I first started analyzing the Coinbase website I had a quick look over the site layout and the functionality/attack surface available for potential exploitation. Noting his reaction to when news of the GoFundMe freeze broke, he revealed that he “thought it was something another fund-raising platform – one less likely to collaborate with the Canadian authorities – could route around.” And he was right as another platform, GiveSendGo, filled the gap very quickly.Coinbase – Owning a Bitcoin Exchange Bug Bounty Program Jun 24 2013 Hansson all but goes through the motions in his post that outlines not only his past history with cryptocurrencies but how current affairs have caused a shift in his beliefs. The Canadian Truckers Protest proved him wrong. In his post, the Basecamp founder outlined his past history with crypto, explaining that while he saw the need for it in places like Venezuela with its crumbling economy or China with its authoritarian government, he just did not see the need for it in the west. Hansson has chipped into this debate with what can only be regarded as a heartfelt admission that he was wrong about the role cryptocurrencies can play in the west. This move from Prime Minister Justin Trudeau has sparked debates regarding government control and individual liberty to transact.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |