Issue 135: Millions stolen from cryptoexchanges through APIs 💱

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #135
Millions stolen from cryptoexchanges through APIs
This week, we take a look at how cybercriminals exploit leaked API keys to steal millions of dollars from cryptoexchanges. We also cover the recent API vulnerabilities in Rocket.Chat, the upcoming change in the Let’s Encrypt root certificate and its impact on API clients, and another video on common GraphQL API vulnerabilities.
Vulnerability: API keys and cryptoexchanges
 

Researchers from CyberNews found how cybercriminals locate and exploit API keys from cryptocurrency exchanges to steal millions of dollars.

Many users take advantage of various applications to make their cryptocurrency trades easier. To give these applications access to their cryptocurrency account, users give the apps their private API keys for the cryptoexchange.

Unfortunately, many applications (and users) do a poor job keeping these API keys safe. Some applications put them in unprotected environment variable files, or the keys end up in public GitHub repositories or S3 buckets. The API keys that researchers found in various public locations at the time of their research provided access to wallets with a total value of over a million dollars.

For security reasons, cryptoexchanges typically limit what an API key is allowed to do. By default, a key can read account data and place trades, but withdrawing funds or transferring them to another wallet is a separate permission that is not enabled.

However, cybercriminals are ingenious and have worked around that limitation. Instead of transferring the money out of an account directly, they use bots and trade middlemen under their control to manipulate the market, and then use the trade permission on the leaked or stolen API keys to place massive simultaneous buy or sell orders on the cryptoexchange. The resulting spikes and drops in price let the criminals buy the victims’ assets cheaply or sell to them at a premium, with their own accounts on the other side of the trade, draining the victims’ account balances in a blink of an eye.

[Image: cryptoexchange sell wall]

Lessons learned here:

  • Never underestimate cybercriminals: if there is profit to be made, they will find a way to take advantage of it.
  • Static, long-lived API keys are dangerous and should be avoided.
  • Additional measures must be taken so that a leaked key cannot simply be reused from anywhere: mandatory IP allowlisting, mutual TLS authentication, tying the keys to specific API clients, and so on.
  • And, of course, API keys are extremely sensitive secrets and should be treated as such. Never, ever, store the keys in unprotected, accessible locations!

 

Vulnerability: Rocket.Chat
 

Rocket.Chat is a popular open-source team communication software that has more than 12 million users worldwide and is deployed on over 800,000 servers.

Security researchers at SonarSource found API vulnerabilities in Rocket.Chat that could be chained to take over an administrative account and lead to remote code execution. In short:

    1. Attackers locate the email address of a user account that does not have two-factor authentication (2FA) enabled. These tend to be regular users, not administrators.
    2. Attackers send a password reset request (which inherently cannot require authentication) for that account. Because the request parameters are passed to MongoDB unvalidated, one of them can carry a regular expression operator, which is a NoSQL injection: by observing whether the server finds a matching user, the attackers retrieve the password reset token one character at a time. Once they know the full token, they take over the user account and are now authenticated as that user.
    3. The attackers use the account to invoke the API endpoint /api/server/v1/users.js and cause the top-level NoSQL operator $where to throw an error that leaks any user’s (including administrators’) email, password hash, and 2FA secret. For example, this query would leak an admin user’s secret:

      {"$where":"this.username==='admin' && (()=>{ throw this.secret })()"}

      The API response for a call with this filter parameter would include the secret:
      {
        "success": false,
        "error": "uncaught exception: aHR0cHM6Ly9iaXQubHkvM3VQclgwUA=="
      }
    4. Using the leaked information, the attackers take over the administrator account they have now discovered.
    5. With administrative access, the attackers can proceed to remote code execution.

The root cause of the problem boiled down to the fact that API input was not validated: query operators supplied by the client reached MongoDB intact, so researchers could send NoSQL injections and initiate the whole chain of events. The fact that filtering was done with blocklists rather than allowlists did not help: it is much easier to miss something coming from outside than when you can use your own definitions as a checklist.

You can see the attack in action in this quick video:

[Video: Rocket.Chat NoSQL injection]

Lessons learned with this one:

  • Strictly define and enforce all your API inputs.
  • Also define and enforce outputs, so attackers cannot cause your APIs to leak unexpected data.
  • Use allowlists rather than blocklists. An allowlist enumerates exactly what you accept; a blocklist has to anticipate everything an attacker might send, and it only takes one missed operator (here, $regex and $where) for the filter to fail.
  • Use 2FA whenever possible.
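The following Node.js example is added here to make step 2 of the chain and the allowlist lesson concrete; it is not Rocket.Chat’s code. It keeps a constructed in-memory user record with a miniature matcher that understands plain equality and $regex, shows how an endpoint that passes client JSON straight into the query becomes a one-character-at-a-time oracle for the reset token, and then the allowlist validator that stops it: only declared fields with the declared primitive type are accepted, and the server builds the query value itself, so no operator reaches the database. The field name, the user record, the token and the error text are all constructed.

```javascript
// Added example (not Rocket.Chat's code). The user record, the reset token and
// the matcher below are constructed so the whole thing runs offline.

// Constructed in-memory "users" collection; the token is what the attacker wants.
const TOKEN_FIELD = 'services.password.reset.token';
const users = [
  { username: 'alice', email: 'alice@example.com', [TOKEN_FIELD]: 'k7Q2mZ' },
];

// Miniature stand-in for MongoDB matching: plain equality or { $regex: ... }.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && '$regex' in cond) {
      return typeof value === 'string' && new RegExp(cond.$regex).test(value);
    }
    return value === cond;
  });
}

// VULNERABLE: the JSON the client sent is used as the query verbatim, so a
// value like { "$regex": "^k" } turns a found/not-found answer into an oracle.
function vulnerableUserExists(filter) {
  return users.some(doc => matches(doc, filter));
}

// Attacker side: recover the token one character at a time from the oracle.
function extractToken(oracle, alphabet, maxLen = 64) {
  let known = '';
  for (let i = 0; i < maxLen; i++) {
    const next = [...alphabet].find(c =>
      oracle({ email: 'alice@example.com', [TOKEN_FIELD]: { $regex: `^${known}${c}` } }));
    if (next === undefined) break;   // no character extends the prefix: done
    known += next;
  }
  return known;
}

// HARDENED: an allowlist schema. Only declared fields are accepted, each must
// be the declared primitive type, and the server builds the query value
// itself, so $regex, $where or any other operator never reaches the database.
const RESET_SCHEMA = { email: 'string' };
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateAgainst(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('expected an object');
  }
  for (const [field, value] of Object.entries(input)) {
    if (!own(schema, field)) throw new TypeError(`unexpected field: ${field}`);
    if (typeof value !== schema[field]) throw new TypeError(`${field} must be a ${schema[field]}`);
  }
  for (const field of Object.keys(schema)) {
    if (!own(input, field)) throw new TypeError(`missing field: ${field}`);
  }
  return input;
}

function hardenedUserExists(input) {
  const { email } = validateAgainst(RESET_SCHEMA, input);
  return users.some(doc => matches(doc, { email }));   // a string value, never an operator
}

// The output side of the lesson: the client only ever sees a fixed response
// shape and a generic error; the validation detail belongs in server logs.
function resetEndpoint(input) {
  try {
    hardenedUserExists(input);          // a real handler would now send the mail
    return { accepted: true };
  } catch (err) {
    return { accepted: false, error: 'invalid request' };
  }
}
```

Run stand-alone, `extractToken(vulnerableUserExists, alphabet)` recovers the full constructed token with nothing but yes/no answers, which is the shape of the attack on the reset endpoint; the same injected filter thrown at `hardenedUserExists` is rejected before any query is built, because the extra field is not in the schema and an object is not a string.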
Heads-Up: Let’s Encrypt root certificate change
 

Are you using Let’s Encrypt certificates for the HTTPS transport in your APIs? If so, you might need to update your clients.

The old Let’s Encrypt DST Root CA X3 root certificate will expire on September 30, 2021. This is not a problem for browsers, because all modern browsers include the current Let’s Encrypt ISRG Root X1 in their list of root certificates. However, API clients, especially older libraries, embedded devices and applications with their own pinned trust stores, might not have that root and thus might require a manual update of their trust store.

If you use OpenSSL, you also need to make sure you are on OpenSSL 1.1.0 or later: older versions do not try alternative trust paths and fail when the chain they build ends in the expired root.

See the announcement from Let’s Encrypt for more details.

Video: Offensive GraphQL API Exploitation
 

“Offensive GraphQL API Exploitation” is a recording of the Red Team Village 2020 talk by Arun S. He discusses common security issues in GraphQL APIs and how attackers use them to attack the underlying infrastructure and exfiltrate sensitive data:

[Video: Offensive GraphQL API Exploitation]

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..
