KuCoin Disclosed Report

Bug bounty report KuCoin

RED ENVELOPE WITHDRAW HOLE

Company: KuCoin
Created date: Mar 07 2024

Target

KuCoin Mobile Application for iOS

Vulnerability Details

When you use the red envelope feature on the mobile app it doesn't require 2FA AND EMAIL, it only requires the TRADING PASSWORD.

So this way anyone knowing only the trading password can withdraw by sending the funds as a gift to any other KuCoin account. Even after a few sends it will ask for email + 2FA + trading password... but if you wait 24 hours it will reset again, and now you can withdraw another amount.

I believe this is a critical security issue, because a direct WITHDRAWAL requires ALL 3 security measures EMAIL + 2FA + TRADING PASSWORD, but here you can withdraw bypassing the 2FA and email, which are critical.

Validation steps

Just send the red envelope every 24 hours without typing the EMAIL + 2FA, ONLY USING THE TRADING PASSWORD.

THAT'S ALL
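A defender-side sketch of the policy gap this report describes, added here as an example and not KuCoin's code: the weak shape keys step-up authentication on the screen name, so a gift-style transfer escapes it, while the hardened shape treats every value outflow as a withdrawal and measures any small-amount allowance over a rolling window across all outflow types. Action names, factor names, the reference time and the in-memory ledger are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Authentication factors a sensitive action may demand (names assumed).
TRADING_PASSWORD, EMAIL_CODE, TOTP = "trading_password", "email_code", "2fa"
FULL_STEP_UP = frozenset({TRADING_PASSWORD, EMAIL_CODE, TOTP})

# Every action that moves value out of an account, whatever the UI calls it.
OUTFLOW_ACTIONS = frozenset({"withdraw", "red_envelope"})

BASE = datetime(2024, 3, 7, 12, 0)  # constructed reference time

def at(hours: float) -> datetime:
    """Constructed timestamp: BASE plus the given number of hours."""
    return BASE + timedelta(hours=hours)

@dataclass
class OutflowLedger:
    """Per-account record of value sent out; an in-memory stand-in (assumption)."""
    events: list = field(default_factory=list)  # (timestamp, amount)

    def sent_within(self, now: datetime, window: timedelta) -> float:
        return sum(a for t, a in self.events if now - t < window)

    def record(self, now: datetime, amount: float) -> None:
        self.events.append((now, amount))

def weak_policy(action: str) -> frozenset:
    """The shape the report describes: only the withdraw screen gets full
    step-up, so a red envelope goes out on the trading password alone."""
    return FULL_STEP_UP if action == "withdraw" else frozenset({TRADING_PASSWORD})

def hardened_policy(action: str, amount: float, ledger: OutflowLedger,
                    now: datetime, small_limit: float = 0.0) -> frozenset:
    """Any outflow is a withdrawal for authentication purposes. An optional
    small-amount allowance (default 0 = none) is measured over a rolling 24h
    window across all outflow types, so it bounds what leaves the account
    instead of relying on a per-screen counter that simply resets."""
    if action not in OUTFLOW_ACTIONS:
        return frozenset({TRADING_PASSWORD})
    if ledger.sent_within(now, timedelta(hours=24)) + amount <= small_limit:
        return frozenset({TRADING_PASSWORD})
    return FULL_STEP_UP

def authorize(required: frozenset, presented) -> bool:
    """True only if every factor the policy demands was actually presented."""
    return required <= frozenset(presented)
```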

Details

State: disclosed
Severity: None
Bounty: hidden
Visibility: partially
Vulnerability: Authentication Bypass
Participants (2)