** Insecure OAuth Redirect URI in the Coinbase Mobile App #Īfter finding that OAuth bug I was interested to find some more information about their backend systems and components to try and exploit it some more. The source code for this proof of concept is available on my GitHub account.** Not only could the attacker withdraw all their Bitcoin balance, if the victim had a bank account linked to their Coinbase account the attacker could use their bank balance to buy more bitcoins and steal those too, completely oblivious to the user! A logged in Coinbase user who viewed a malicious page would give complete API access to their account to the attacker. Here is a video of the Proof-of-Concept I created to demonstrate just how serious and transparent this attack was. As a result a attack could be performed a user is forced to submit an authorization requests generated for the attacker in the context of their own account, giving the attacker’s Coinbase OAuth application complete control of their account and transactions. Unfortunately they weren’t confirming that the token was valid for that user. It turns out that when a user is directed to Coinbase to authorize an application to access their account, Coinbase generates a token which is submitted along with the request when the user clicks the authorize button. One of his posts, “The Most Common OAuth2 Vulnerability” gave me some ideas of what to look for. Egor Homakov has posted some interesting attacks against common implementations of the OAuth2 protocol on his blog. The API allows users to authenticate to their own account with an API key, or use OAuth2 to grant authorization for a 3rd party app to interact with their Coinbase account. Coinbase presents a standard REST API for their system which allows developers to interact with user accounts. Insecure OAuth Application Approval #Īfter giving the site a look over for XSS/injection vulnerabilities I moved on to look at what else on the site was open for exploitation. I reported this issue to the Coinbase team and they had it fixed in a couple of hours. Persistent XSS affect all customers of a merchant Coinbase have taken steps to mitigate the impact of any XSS vulnerabilities by setting their session cookies to be HttpOnly, which cannot not be read with Javascript, preventing an attacker from high jacking the users session It looks perfectly normal, but when a user either completes payment or cancels the checkout process and wants to return to the original page, the malicious javascript is executed in the context of their Coinbase session and could potentially transfer their entire BTC balance to the attacker’s Bitcoin address. I created a malicious checkout page as a proof-of-concept. I simply had to put a comment after my malicious javascript code containing “ and it was stored in the database. Unfortunately for Coinbase, it looked like they made a mistake with their regular expression to sanitize this input and were only checking that or occurred anywhere in the provided URL. At first, it looked like they were checking if the callback URLs were valid and began with or and were blocking my basic attempts to redirect users to javascript: addresses. Merchants have the ability to set up checkout pages, which they can direct users and easily receive bitcoin payments. #Īfter reporting the first XSS vulnerability, I continued searching their website. Persistent XSS on Merchant Checkout Pages. The Coinbase team still sent me 1 BTC for it. I reported the vulnerability to Coinbase but who referred me to the Coinbase bug bounty program had reported it independently a few hours before. Bingo! We have found a reflected XSS vulnerability on Coinbase with a known vulnerability in third party code (CVE-2013-1808). In this case it was also uploaded but not referenced. swf file is typically bundled with ZeroClipboard10.swf. I recalled reading an advisory about this swf file before, but on first tests it did not appear to be exploitable. I quickly saw references to a file, in the main CSS file. Previously I have had some successes finding XSS vulnerabilities in Flash. This was supported by the fact Coinbase’s founder Brian Armstrong had a lot of Ruby snippets on his Github Gist and some more Ruby questions on his Stack Overflow account. I quickly determined it was running Ruby on Rails based on the encoding of the “_coinbase_session” cookie. When I first started analyzing the Coinbase website I had a quick look over the site layout and the functionality/attack surface available for potential exploitation. Coinbase – Owning a Bitcoin Exchange Bug Bounty Program Jun 24 2013
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |