Chronology
It appeared that our web server’s Cross-Origin Resource Sharing (CORS) settings were misconfigured and it potentially allowed a third party to take over user accounts and perform a man-in-the-middle (MITM) attack. We fixed the reported vulnerability in less than 24 hours.
On Wednesday, July 05, one of our users reported on a public forum that his bitcoin address had been altered.
Initially we didn’t attach much importance to it, but the following day we received a few similar reports and it became evident that something bad was happening.
On Thursday, July 06, we suspended our bitcoin withdrawals and asked our users via site, twitter, forum and email to double check their withdrawal addresses and contact us in case if they had been altered.
We received even more reports after that.
We’ve spent lots of time trying to identify a problem and discovered that:
- some of our backup routines didn't work properly;
- we had lots of logs, but they were mostly useless and hard to analyze;
- we had a few security-related bugs that were unrelated to the problem.
Eventually we came to a conclusion that the problem was most likely caused by the CORS issue mentioned in the beginning of this post.
Scope
The vulnerability enabled attacker (let's call him or her Alice) to access at least dozens of accounts of our users who visited her site while being signed in at A-ADS.
Alice was probably able to collect user names / emails of those users and alter any editable data of their accounts (e. g. withdrawal settings, emails and passwords). We don't know when she discovered this vulnerability and for how long she was exploiting it.
When Alice noticed that we had fixed the CORS issue, she hurried up to profit from her possessed abilities and altered withdrawal addresses of the controlled accounts before their sessions expired.
She was smart enough to use unique IPs and bitcoin addresses, so we couldn't identify neither her, nor the exact amount of the hacked accounts.
Aftermath
On Monday, July 07, we resumed the bitcoin withdrawals. We did it with mixed feelings because we still have more questions than answers.
According to our estimations Alice was able to withdraw only a fraction of bitcoin and we'll be able to cover it from our funds.
She may still control some of the accounts (in case if she managed to change their passwords) and profit from them. So if you haven't signed in for a while, please check your account and contact support in case of a problem.
W
e apologize to our users for this incident and thank them for
their patience. We hope that the affected users will not stop bombing
our support with their messages until their issues get fully resolved.
Unfortunately it may take a lot of time and we apologize for that too.
We
feel that we got a valuable lesson, and we are still to do our
homework, but we would like to ask Alice and other hackers to refrain
from attacking us in the future.
If you find any serious vulnerability, please send us a bug report with proof of concept as @jensvoid did
and we will pay you a bounty depending on the potential damage. It
would be ethically correct and would save lots of time for both you and
us.