

A Warning to Kucoin Users

Hi everybody. I'm here to talk about kucoin, our star child.

I really loved the concept of kucoin. When it first came out. Granted, there are other companies that do it better, but we all know kucoin. It was fast. Blazing and meteoric. Lambos for everybody, you know the drill.

Well, today I'm here to tell you how I fell out of love with kucoin, and why you should too. To put it simply: they are a hacker's wet dream. I have a background in web application security and would like to inform you of some of the dangers I've found.

This is a SHORT list of security problems that I've found in half an hour of investigation; that's not an exaggeration. I do not want to delve any farther and feel it would be irresponsible. I would also like to point out that while these problems seem extreme, they are surface-level problems that anybody could spot, literally problems with the cookies, the lockbox not showing up on the emails... I don't want to allow anybody to steal anybody's money, I just want to warn you of the problems with this website. If you think this is bad, just imagine a list ten times as long and ten times as bad in the hands of a pro. Because I'm an idiot.

I've delayed doing this for a long time out of fear of retaliation, but I care a lot more about your well-being than kucoin's, as should we all. Moving on: this is a list of some problems. If you are an average user, please scroll down to find out the recommended ways to mitigate dangers.

  1. They send out unencrypted email. I don't know exactly what can be garnered from this information, but from the one email I tested this with, they included: a confirmation link (withdraw request), a personal wallet id (where I was sending the withdrawal to), and the amount being withdrawn. And they probably send a heck of a lot more than that in the other ones. Be wary of this. I cannot underestimate how many potential attack vectors could be opened up here. But I won't divulge any more information. I'm only revealing what's easily found from a public eye. These problems have all been here since the inception of kucoin.

  2. Their csrf tokens are non-random. Hopefully another security person can chime in here and confirm "this is bad". Basically, you can get your money drained if you click on a link. They are generated on an incremental basis, counting through the base64 alphabet. I've done successful timing attacks against the csrf token. I'd like to have not included this, because combined with the previous and next problem, we already have a drained user account. That's how these things work, you find the flaws and piece them together. But this stuff is frankly... kind of obvious. Any attacker worth their salt will notice this very quickly.

  3. Their 2fa validates for 2 hours. So any command you've authorized with 2fa is very susceptible to their non-random keys.

  4. Their unencrypted withdrawal confirmations don't even need to be unencrypted because the confirmation key isn't randomly generated. Can't intercept an email? Don't worry, just do a timing attack on your own confirmation.

  5. No difference between 2 consecutive withdrawal requests. This is the kind of thing that I'd send in a bug report. I'd say, "hey guys, fix this, it could open you up to potential problems down the road!" Well, it's in my notes, so I'm including it, but it really isn't a big deal compared to some of this other stuff.

Now I don't work for kucoin, so I can't say how well made their database code is.

But it only takes one mistake guys. You could lose it all.

A final note. You should all keep in mind that most people are stupid, most people are lazy, and that this isn't all that uncommon. The world really is run by children, Donald J Trump is the president, we're not always reasonable, and that includes cool tech guys like the ones who made kucoin; sometimes the people who are doing great just suck.

So be wary and don't accidentally feel safe just because someone told you to. And especially don't feel safe if that person is you. This website is honestly kids stuff, made by kids, made for kids. Breaking character here, you're gonna get completely fucked over if you stay on it. Thanks for reading.

-Matt


Recommended practices:

  1. Use 2fa, this will still thwart most attempts at theft. There are however workarounds on kucoin.com, so be wary of links.
  2. Always log out when not using kucoin. This will (hopefully) deactivate your session token.
  3. Browse Kucoin in a private session. Don't go anywhere else in that session. This is a very good way to keep your cookies safe.

What I've found is so bad, though, that I have to recommend withdrawing your funds as well. And know that I don't say this lightly; I am just an average guy. I don't want a legal shitstorm knocking down my door.

submitted by /u/kettlechip
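Items 2 through 5 of the post all come down to how a withdrawal confirmation token is generated and checked. The following is an added example, not KuCoin's code, showing the properties the post says were missing: tokens drawn from the OS CSPRNG rather than a counter, a short validity window (the 15-minute TTL is an assumed value), single use, and binding to one specific request so two consecutive withdrawals of the same amount are not interchangeable. The class and field names are hypothetical.

```python
"""Hardened withdrawal-confirmation tokens (added example, not KuCoin's code)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed: a confirmation link lives 15 minutes, not hours


class ConfirmationStore:
    """Issues one-time confirmation tokens bound to a single withdrawal request."""

    def __init__(self):
        # Keyed by sha256(token) so a guessed token is never compared byte-by-byte
        # against stored values; lookup timing depends on the hash, not the token.
        self._pending = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, address, amount, now=None):
        """Record a withdrawal request; return (token, nonce) to embed in the email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output, not a counter
        nonce = secrets.token_hex(8)        # makes consecutive identical requests distinct
        self._pending[self._key(token)] = (user, address, amount, nonce, now + TOKEN_TTL_SECONDS)
        return token, nonce

    def confirm(self, token, user, address, amount, nonce, now=None):
        """Consume the token; True only if it is unexpired and matches every bound field."""
        now = time.time() if now is None else now
        # pop() makes the token single use: any attempt, right or wrong, retires it.
        record = self._pending.pop(self._key(token), None)
        if record is None:
            return False
        s_user, s_addr, s_amount, s_nonce, expires_at = record
        if now > expires_at:
            return False
        return (s_user, s_addr, s_amount, s_nonce) == (user, address, amount, nonce)


if __name__ == "__main__":
    store = ConfirmationStore()
    tok, nonce = store.issue("alice", "addr-constructed-1", 100_000, now=0.0)
    print(store.confirm(tok, "alice", "addr-constructed-1", 100_000, nonce, now=60.0))
```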

from Cryptocurrency news and discussions. http://ift.tt/2CfCgDP
Reviewed by paksvideo on February 24, 2018
