Critical Vulnerabilities in Cryptocurrency Exchanges: Real-Life Examples

Cryptocurrency exchange platforms have become a focal point for traders and investors worldwide, but with their increasing popularity comes a pressing need for protection from intruders. We are excited to share several critical vulnerabilities discovered during penetration testing of various cryptocurrency exchanges (at present, all of these vulnerabilities have been fixed; any resemblance to a particular exchange is coincidental). These vulnerabilities underscore the importance of robust security measures in cryptocurrency exchange platforms.

Vulnerability #1: Unauthorised Access to Administrative Panels

Description: The administrative section accepted the session cookies of ordinary authenticated users, so it could be reached without any further login credentials. This grants malicious users control over crucial administrative functions, including cryptocurrency operations, exchange rates, KYC procedures, and fund withdrawals.

Worst-Case Scenario: Malicious actors manipulating cryptocurrency operations, exchange rates, and fund withdrawals, potentially resulting in financial losses for users and damaging the platform's reputation.
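The missing control behind Vulnerability #1 is a server-side authorization check on every administrative action, not merely a check that some session exists. The following is an added, framework-agnostic example written for this article; it is not code from Dhound or from any exchange. The session store, cookie values, rate table and audit list are constructed in-memory placeholders. The "vulnerable" guard reproduces the described flaw (any authenticated session is accepted); the hardened guard requires the admin role plus a session minted by a separate admin login flow, and records every decision.

```python
# Added example, not code from the Dhound article or from any exchange it
# describes.  Framework-agnostic sketch of server-side authorization for an
# administrative panel: sessions, store and rate table are all constructed
# in-memory placeholders.
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    role: str                # "user" or "admin"
    admin_session: bool      # True only for a session minted by the admin login flow
    expires_at: float


# Constructed session store keyed by the cookie value (hypothetical ids).
SESSIONS = {
    "sid-user-1":  Session("u1", "user",  False, time.time() + 3600),
    "sid-admin-1": Session("a1", "admin", True,  time.time() + 900),
    # Admin account that logged in through the ordinary user flow: it holds the
    # role but no admin session, so it must re-authenticate before using the panel.
    "sid-admin-2": Session("a2", "admin", False, time.time() + 3600),
}
RATES = {"BTC/USD": 50000.0}   # constructed exchange-rate table
AUDIT = []                     # (actor, action, detail) records


def lookup(cookie_value):
    """Resolve a cookie value to a live session, or None."""
    s = SESSIONS.get(cookie_value)
    if s is None or s.expires_at < time.time():
        return None
    return s


def require_login(action):
    """Vulnerable guard: any authenticated session reaches the admin action."""
    def wrapper(cookie_value, *args):
        s = lookup(cookie_value)
        if s is None:
            return 401, None
        return 200, action(s, *args)
    return wrapper


def require_admin(action):
    """Hardened guard: role and admin-session flag re-checked on every call."""
    def wrapper(cookie_value, *args):
        s = lookup(cookie_value)
        if s is None:
            return 401, None
        if s.role != "admin" or not s.admin_session:
            AUDIT.append((s.user_id, "denied", action.__name__))
            return 403, None
        AUDIT.append((s.user_id, action.__name__, args))
        return 200, action(s, *args)
    return wrapper


def _set_rate(session, pair, rate):
    """Privileged action: overwrite an exchange rate."""
    RATES[pair] = rate
    return RATES[pair]


# The same action behind each guard, so the difference is visible side by side.
set_rate_vulnerable = require_login(_set_rate)
set_rate_hardened = require_admin(_set_rate)
```

The decorator pattern matters because it puts the check on the action rather than on a URL prefix: a rate change, a withdrawal approval or a KYC decision cannot be reached by any route that forgets to apply it. The separate admin-session flag means that even an administrator's ordinary browsing session cannot be replayed against the panel.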

Vulnerability #2: Lack of CSRF Protection on Public Websites

Description: API methods on public websites lack protection against CSRF attacks. Authentication is performed either through an Authorization header or through authentication cookies; where the header is absent and the cookie alone authenticates the request, the browser attaches that cookie automatically, and the method can be exploited for CSRF.

Worst-Case Scenario: Malicious users executing unauthorised trades through the API, leading to financial losses for users and exploitation of price discrepancies.
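A request-level gate for Vulnerability #2, added here as an example and not taken from the article or any exchange. The site origin, server key, session ids and headers are constructed placeholders. The vulnerable check mirrors the description (a cookie alone authorizes a write); the hardened check lets header-authenticated calls through, since a cross-site form cannot set an Authorization header, but requires cookie-authenticated writes to carry an acceptable Origin and a session-bound CSRF token, and issues the cookie with SameSite so the browser does not attach it cross-site in the first place.

```python
# Added example, not the article's or any exchange's code.  A request-level
# CSRF gate for a cookie-authenticated JSON API.  Origin, server key, session
# ids and headers below are constructed placeholders.
import hashlib
import hmac

ALLOWED_ORIGIN = "https://exchange.example"          # placeholder site origin
SERVER_KEY = b"constructed-demo-key-rotate-me"       # placeholder secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token_for(session_id):
    """Synchronizer token bound to the session (HMAC, so no extra storage)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite keeps the browser from attaching it cross-site."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def check_vulnerable(method, headers, cookies):
    """As described for Vulnerability #2: a cookie alone authorizes a write."""
    if method in SAFE_METHODS:
        return "allow"
    if headers.get("Authorization", "").startswith("Bearer ") or "session" in cookies:
        return "allow"
    return "deny: unauthenticated"


def check_hardened(method, headers, cookies):
    """Cookie-authenticated writes must also prove same-origin intent."""
    if method in SAFE_METHODS:
        return "allow"
    # A bearer token cannot be attached by a cross-site form or image tag, so a
    # request authenticated by header needs no CSRF token.  The server must then
    # authenticate from the header and ignore any cookie that is also present.
    if headers.get("Authorization", "").startswith("Bearer "):
        return "allow"
    sid = cookies.get("session")
    if sid is None:
        return "deny: unauthenticated"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != ALLOWED_ORIGIN and not origin.startswith(ALLOWED_ORIGIN + "/"):
        return "deny: bad origin"
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(sid)):
        return "deny: missing or wrong csrf token"
    return "allow"
```

Two layers are deliberate: SameSite=Strict stops most cross-site submissions before they reach the server, and the Origin plus token check catches the cases it does not cover (older clients, subdomain takeovers, misconfigured cookie attributes). Trading endpoints are exactly the state-changing methods this gate should sit in front of.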

Vulnerability #3: Ability to Register Users with Arbitrary Email Addresses

Description: The system allows unlimited attempts to verify the codes sent to users by email, enabling malicious users to guess valid authentication codes. Additionally, the authentication code is transmitted in URLs, leaving traces in browser logs.

Worst-Case Scenario: Malicious users impersonating legitimate users, potentially leading to identity theft and unauthorised access to accounts.
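The two defects in Vulnerability #3 (no attempt limit, code carried in a URL) are addressed by how the verification code is stored and checked. The following store is an added example for this article, not code from Dhound or any exchange; the attempt budget, lifetime and pepper value are constructed placeholders. Each issued code gets a fixed number of guesses, a short lifetime and single use, comparisons are constant-time over a keyed digest, and the code is expected in a POST body so it never appears in a URL, browser history or access log.

```python
# Added example, not from the article or any exchange.  E-mail verification
# codes with a fixed attempt budget, a short lifetime, single use and
# constant-time comparison; the code is expected in a POST body, never in a URL.
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5                      # guesses allowed per issued code
CODE_TTL_SECONDS = 600                # ten minutes
PEPPER = b"constructed-demo-pepper"   # placeholder server-side secret


class VerificationStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock (tests use a fake one)
        self.pending = {}       # email -> {"digest", "expires_at", "attempts"}

    @staticmethod
    def _digest(email, code):
        # Keyed digest: a leaked table of pending codes is not usable on its own.
        return hmac.new(PEPPER, f"{email}:{code}".encode(), hashlib.sha256).hexdigest()

    def issue(self, email):
        """Create a six-digit code; the caller sends it in the e-mail body.

        With six digits and MAX_ATTEMPTS guesses, the chance of guessing a
        live code is MAX_ATTEMPTS / 10**6 per issued code.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = {
            "digest": self._digest(email, code),
            "expires_at": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, email, code):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'none'.

        'ok', 'locked' and 'expired' all consume the pending code, so the
        only way forward after a failure burst is to request a fresh one.
        """
        rec = self.pending.get(email)
        if rec is None:
            return "none"
        if self.now() > rec["expires_at"]:
            del self.pending[email]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[email]   # guessing budget spent
            return "locked"
        if hmac.compare_digest(rec["digest"], self._digest(email, code)):
            del self.pending[email]   # single use
            return "ok"
        return "wrong"
```

The attempt counter is incremented before the comparison, so a client that opens many parallel requests still burns its budget, and the lock deletes the record rather than merely refusing, which keeps a long-lived code from being retried after a cooldown. Per-address and per-IP rate limits on the issue endpoint belong alongside this, since repeatedly requesting fresh codes is the remaining way to get more guesses.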

Vulnerability #4: Admin Access to User Accounts without Consent

Description: Admins with access to the administrative section can view the session tokens of regular users in plain text. Exploiting this, such an admin can keep a user's session token valid for prolonged periods, allowing unauthorised access to that user's account.

Worst-Case Scenario: Unauthorised access to user accounts by malicious actors, resulting in financial losses and manipulation of cryptocurrency prices.

In conclusion, the identification and rectification of critical vulnerabilities within cryptocurrency exchanges are imperative to maintain the trust and security of users and uphold the integrity of the platforms. The real-life examples highlighted in this article demonstrate the potential risks associated with inadequate security measures, emphasising the necessity for continuous vigilance and proactive measures to safeguard against malicious activities.

At Dhound, we specialise in penetration testing services tailored to the unique needs of cryptocurrency exchanges. Our team of expert security professionals conducts thorough assessments to identify vulnerabilities, simulate real-world attack scenarios, and provide actionable recommendations to strengthen your platform's security posture. With our comprehensive penetration testing services, you can proactively mitigate risks, enhance security controls, and fortify your defences against potential threats, thereby fostering trust among users and ensuring the long-term success of your cryptocurrency exchange.