Saturday 11 November 2017

Stealing bitcoin wallet backups from

Oauth, where many bugs arise :)

This was one of my finding for the bug-bounty program of, where  I was able to steal anyone's bitcoin wallet backup of their account with negligible user interaction.

If you want to know what was this wallet backup feature meant for, you can check here.

[P.S This feature has been removed after the bug was reported. Sad! ]

So basically it created a JSON file which was the backup of your account which you could
Download, Email yourself or store it directly on your Gdrive and Dropbox accounts. The bad part was that if someone else gets your JSON file, he can simply import it at and steal all your bitcoins from your account.

Now the bug was in the implementation of storing it directly to Dropbox and Google Drive.

I noticed once you click on Dropbox or Gdrive button, you will be asked to log in with your Google or Dropbox account and once its authorized blockchain will automatically store the backup file in your dropbox or Gdrive using your access token.

When I looked more closely at all the requests, I found that if someone makes a Gdrive authentication at the end, the redirect URI was something like this.{YourGdriveToken}

Noticed something bad? No CSRF token yay!!!!

So all I had to do was
1) authenticate my google account at
2) Grab my drive token
3) Send the below link to a victim.{MYGdriveToken}
4) Once the link is clicked, when the victim is logged in into his bitcoin wallet backup will be stored in my Google Drive account

But a normal CSRF is boring. So clickjacking will serve as a catalyst for our attack :)

Although the complete website has clickjacking protection, but this URL was frameable.

So final POC

<title>Some fancy bitcoin lottery page</title>
<p>You won a lottery just open this page when you are logged in to and amount will be credited to you </p>
<iframe sandbox="allow-scripts allow-forms" src="{Attackers Gdrive Token}" style="width:1%;height:1%"></iframe>

Once the victim lands on the page,  a hiding iframe will be loaded, and the wallet will be stored on the attackers google drive.



They fixed the bug very quickly, and indeed, takes care of their security very seriously. Unfortunately, after reporting this issue, they took down the backup feature forever. Sorry for breaking the backup feature.

Shashank :)

No comments: