Monday, July 10, 2017

2017-07-05 incident report

Chronology


On Tuesday, July 04, we received a vulnerability report from Jens A Mueller (@jensvoid)

It appeared that our web server’s Cross-Origin Resource Sharing (CORS) settings were misconfigured and it potentially allowed a third party to take over user accounts and perform a man-in-the-middle (MITM) attack. We fixed the reported vulnerability in less than 24 hours.

On Wednesday, July 05, one of our users reported on a public forum that his bitcoin address had been altered.


Initially we didn’t attach much importance to it, but the following day we received a few similar reports and it became evident that something bad was happening.

On Thursday, July 06, we suspended our bitcoin withdrawals and asked our users via site, twitter, forum and email to double check their withdrawal addresses and contact us in case if they had been altered.


We received even more reports after that. 

We’ve spent lots of time trying to identify a problem and  discovered that:
- some of our backup routines didn't work properly;
- we had lots of logs, but they were mostly useless and hard to analyze;
- we had a few security-related bugs that were unrelated to the problem.

Eventually we came to a conclusion that the problem was most likely caused by the CORS issue mentioned in the beginning of this post.

Scope

The vulnerability enabled attacker (let's call him or her Alice) to access at least dozens of accounts of our users who visited her site while being signed in at A-ADS.

Alice was probably able to collect user names / emails of those users and alter any editable data of their accounts (e. g. withdrawal settings, emails and passwords). We don't know when she discovered this vulnerability and for how long she was exploiting it.

When Alice noticed that we had fixed the CORS issue, she hurried up to profit from her possessed abilities and altered withdrawal addresses of the controlled accounts before their sessions expired.

She was smart enough to use unique IPs and bitcoin addresses, so we couldn't identify neither her, nor the exact amount of the hacked accounts.

Aftermath

On Monday, July 07, we resumed the bitcoin withdrawals. We did it with mixed feelings because we still have more questions than answers.


According to our estimations Alice was able to withdraw only a fraction of bitcoin and we'll be able to cover it from our funds.

She may still control some of the accounts (in case if she managed to change their passwords) and profit from them. So if you haven't signed in for a while, please check your account and contact support in case of a problem.


We apologize to our users for this incident and thank them for their patience. We hope that the affected users will not stop bombing our support with their messages until their issues get fully resolved. Unfortunately it may take a lot of time and we apologize for that too. 

We also Jens A Mueller for his precious help.

We feel that we got a valuable lesson, and we are still to do our homework, but we would like to ask Alice and other hackers to refrain from attacking us in the future.

If you find any serious vulnerability, please send us a bug report with proof of concept as @jensvoid did and we will pay you a bounty depending on the potential damage. It would be ethically correct and would save lots of time for both you and us.