XSS Attack Embedded in an ERC20 Token Contract Steals Thousands
hackernoon.com>Thus, users of EtherDelta must enter their public wallet address and private key when using the site, meaning their private key could be captured from the browser session by a malicious code injection.
This isn't some sort of fancy cryptocontract based attack. The private key is just stored as a JavaScript object in the session and an attacker found and exploited a reflected XSS vulnerability to send off the key.
Even if you're not sending your private key to the server directly surely some people must have made these users aware of the risks they were taking? Not only XSS risks, but risks of a rogue admin or backend compromise injecting malicious JS.
(Persistent XSS actually, but exploited similarly to a reflected XSS vulnerability because you have to send a specific link to your victims. It has a much higher exploitation success chance than reflected XSS since pesky browser XSS auditors won't be able to step in.)
I'm surprised and disappointed that EtherDelta doesn't use Content-Security-Policy headers. They pretty much solve XSS.
Google has a good introduction to using them here: https://csp.withgoogle.com/
You will need to disable inline scripts which is inconvenient. CSP looks more like as hack for broken sites.
Personally and from experience, I think inline scripts are generally a bad idea often abused for hacky one-off tweaks, so the fact that CSP blocks them by default is a bonus to me. But for the cases that they do make sense, there are ways to allow them with the nonce property.
CSP doesn't mean that people should forget about proper HTML encoding of user input, but it means that when a developer messes that up somewhere, the issue is generally a minor formatting glitch rather than an exploitable flaw that lets attackers do whatever they want with users' browsers within your domain (like steal thousands of dollars). It's some invaluable defense-in-depth.
It's only inconvenient if you didn't write your code properly in the first place - and even then you can still use nonces for <script> and <style> elements which is better than nothing.
> I want to make one point clear: I believe that EtherDelta, in concept, is safer and more “trustworthy” than a traditional exchange. Everything about how EtherDelta functions is transparent and verifiable by users.... The attack detailed in this piece could have been identified by anyone before it was exploited, and if there had been a security review protocol in place, it would have been easily prevented.
Even "in concept", releasing fintech software without doing the security basics verges on professional misconduct.
This blows my mind. These programmers can implement quite complex contacts-financial-exchanges on top of a quite complex distributed system, but then fail to sanitize user input in their web interface. It makes no sense.
They're pretty different programming disciplines, though. For a company as a whole it's not really excusable, but I'm sure there are plenty of fintech or distributed systems programmers who aren't up on web attack vectors, just as there are lots of web people who're well aware of them but who know nothing about fintech.
Well, from my blog post three days ago, discussed here:
https://news.ycombinator.com/item?id=15321015
"I put it to you that it’s impossible to write secure web apps."
This is like saying "It's impossible to perfectly secure a bike on a city steet" when it gets stolen because you forgot to engage the lock. I have fuzzers that would of likely found this pretty quickly.
I doubt that. What sort of fuzzer is going to create an Ethereum smart contract of a very specific type, insert JavaScript into the contract title, insert the contract into the Ethereum block chain, synthesise the correct URL (which doesn't contain any JavaScript) and then detect that data from the backend was emitted unescaped?
Someone else in this thread said, well, serves them right, they should have used CSP, and then someone else pointed out that doesn't work for inline scripts, and there was a reply of the form "only stupid people use inline scripts" although this is news to me, as nearly every website I see uses inline scripts of some form or another. This whole discussion looks like people in denial.
The problem here is that XSS is so easy to create. A jungle of half-broken workarounds, mitigations, static analysis tools, fuzzers etc doesn't change the basic truth that the web is a fundamentally unsound platform on which to do secure coding. Data and code bleed together far, far too easily - by design.
I misunderstood the design then. I assumed the XSS was done via an input on the page not an input in Ethereum itself.
The article was updated. Apparently there were two different XSS at the same time.
One is the exploit I describe above: data taken from the block chain was not escaped properly.
Another is a more "traditional" XSS. It was possible to format a URL such that it contained script tags that were injected into the page.
https://github.com/etherdelta/etherdelta.github.io/issues/14...
The reason is, the data after the hash was not escaped.
Perhaps a fuzzer would have caught that. But a good tool would make it hard to make such mistakes by default. A desktop app would not have suffered from such errors, by construction. The web is not a good tool.
>A desktop app would not have suffered from such errors, by construction. The web is not a good tool.
While you are correct it would not of suffered from this particular vulnerability, a improperly utilized malloc for example could have similar if not more disastrous effects and would be exploitable under the same threat model. Yet I wouldn't call it a bad tool, just a tool used by an inexperienced carpenter.
Yes, but modern desktop apps tend to be written in GCd and bounds checked languages.
I read the headline and my immediate guess was cryptocurrency. I clicked and, sure enough, there it was.
Maybe it's time to refine some of these ideas? While regular money does get stolen, maybe storing it online isn't the best method? Maybe requiring some human interaction is a good idea?
At this point, I can't really justify investing in any cryptocurrency. I'm absolutely unable to justify investing in any ICO.
If I opened a contract and my PayPal balance disappeared, I'd be pretty angry and might have some recourse. I'd absolutely have some options if it were with my credit/debit card or directly through my bank.
Good luck, folks. I'm still going to maintain the wait-and-see approach.
> Maybe requiring some human interaction is a good idea?
What's the fun in that?
Did Samy say "Maybe I should ask the user if they want to friend me"? NO! He said "People want to friend me" and "LOL MYSPACE XSS", then became the most popular person on the network overnight.
After Tom, of course, who cheated.
The story is almost like the 2008 time where wall street wiz kids package the mortgages to special mortgages back securities/contacts and resell them over and over again to banks, mutual funds, etc.
Hugh hype was created.
Last time: It was safe because it was back by mortgage.
This time: It is safe because it is back by crypto algorithm.
Last time few smart insiders got billions richer and unload everything before the bubble burst.
And the time ...... (Love to see all imaginable endings to this time's story - good or bad)
In 2007, I sold my business. In 2008, I put a bunch into the stock market and property. It was comparatively dirt cheap. I made a killing.
I'd do the same with cryptocurrency, but I can't figure out how. My 2008 investments were pretty risk-free. Of course the economy was going to recover. It always does.
I've no idea how to do that with cryptocurrency.
Cryptocurrency runs at a much faster pace than the usual stock market. Because we are still in a dot-com like phase and we haven't found the true valuation of the whole concept, yet.
You could make a killing because you knew from history that the market usually overreacts and the 2007 financial crisis was such an event. Everything went down, even stuff that had good fundamentals, so you could scoop up lots of good stuff in 2008 at a cheap price.
Such events happen in cryptocurrencies every few months because of the increased pace. Like a few weeks ago when the whole market dumped 30% because China was flexing their muscles again and now we are about 20% up from that bottom.
So, that was easy money. But OTOH, if you bought in Q1 and just did hold since then, you would even be up 3x. Despite the dips in between. Insane performance but nobody knows if we are 10x next year or /10.
> Of course the economy was going to recover. It always does.
That's the important point. We have a long history of the stock market and we have some rules of thumb how it behaves.
We are in the exponential growth phase of a new technology and we don't know yet if the cryptocurrency hype has passed its top or not. The concept of cryptocurrencies is certainly here to stay but how much worth will it be and even more important, how much worth are the coins and tokens that exists now going to be?
Look at the history of other new technologies and try to decide where in that cycle we are right now. If that's easy money is up to you :-)
What are you having trouble figuring out? Happy to help people into crypto
Basically, how to bet that it is going to plummet in value and make money on that process. I figure it's a bubble and there's going to be a popping, even if it is done by force of law.
These ICOs are starting to make powerful people angry. Thefts like this one are starting to get regular media coverage. At some point, probably soon, the governments are going to come and clamp down on it.
Is there a way to long-term short Etherium or Bitcoin?
A long term way that doesn't bankrupt you first? I doubt it, but I don't know your financial situation.
Plenty of exchanges will offer you shorts if you're that confident, though. BitFinex and Kraken come to mind.
Media coverage is negative only because that's what people like to click on. I think government regulation will only legitimize it and bring it to the masses.
This very thread is about a negative. Would you rather they just ignore it?
Ignore? No. I found the story interesting myself & there's some nice discussion on here.
News would be boring if it wasn't for the negative stuff.
All I'm saying that one should always question the motives of the media & not necessarily conclude a general opinion just by reading a bunch of articles that landed on the front page.
As for the exploit itself, it's hard to believe that in this day and age XSS is still a problem despite so many solutions & fixes for it.
I'm not sure what is worse, the XSS or that the system allows transfer of assets without human intervention. Probably the latter, actually. Why would a coin system even allow that? That is, shall we say, not the best idea.
The smart contracts in Ethereum sounds awesome in practice and way more useful than Bitcoin mining but it seems like a giant security hole.
There are two problems. First, when writing a contract every line you write might be a potential avenue for an attack. Second, the language (Solidity) and the parsing of the bytecode (EVM) don't help.
If you look at the kind of attacks that happen I feel like two major problems came from the fact that addresses can be real account addresses or contracts (it could have been good to segregate them) and errors/exceptions don't propagate well.
Kinda like a knife -- it's a very useful tool if used well and a very painful tool if mishandled.
You're assuming it's possible to "use well". It's delusional to believe it's possible to understand the subtle interactions within and between "smart contracts". Even if we ignore the ambiguity of the real world, malicious actors, and other complexity multipliers, we already know it isn't possible to know if a "smart contract" will halt.
Code will always have bugs, and you cannot truly understand how something written in a Turing complete language will behave without running it.
> very painful tool if mishandled
Part of being a skilled craftsman is choosing the right tools, which includes understanding and respecting their limits. The language for writing contracts makes all state mutable by default, has ambiguous operators that change behavior depending on storage location or if the operand was a literal, and doesn't defined the order of evaluation for expressions, to name just a few of it's design problems[1]. This isn't a "useful tool:", it's a strong indicator of a another fractal of bad design[2].
Isn't that something that can be helped by having a good standard library though (e.g. STL)? OpenZeppelin [1] is one example that comes to mind.
There are also other contract languages aimed to solve some of the limitations you mention, like Tezos/Michelson [2][3], which facilitate formal verification.
The issues you point out are certainly valid, but I believe people in the space are cognizant of them and are working on solutions.
While a good standard library would help, the fundamental problem (undecidability) still exists. You could build a system that is understandable if you only use calls into a (presumably proven/tested to be safe) standard library. At that point it would de facto be a declarative language, which is decidable iff the grammar is not Turing complete[1].
It's limiting, but you can still have many of the fancier features by baking standard versions of them into the language/stdlib itself.
> I believe people in the space are cognizant of them and are working on solutions.
The problem with that is that this isn't a bug or engineering problem that we can solve with impossibly talented devs and a sufficiently large r&d budget. Questions about any non-trivial semantic behavior of a program (such as, "will the program halt"[2]) are known[3] too be undecidable[4].
[1] according to LangSec, the grammar needs to be deterministic context-free (or simpler). Anything more complex is undecidable.
[2] https://en.wikipedia.org/wiki/Halting_problem
Don't you also have to trust that the person running EtherDelta hasn't modified what's running on the site...?
If you use EtherDelta through MetaMask or Mist, then EtherDelta doesn't have direct access to your private keys, and you're given a prompt outside of EtherDelta's control to confirm any action you take, so you're much less vulnerable to malicious behavior from the EtherDelta admin.
Aw, so there's some local client you run that you use to do the cryptographic bits, and the web client is just used to display results and let you navigate things?
Optionally yes, but EtherDelta specifically does let you instead use it in a normal browser if you give it an Ethereum private key. The hack only affected people who used it that way.
the etherdelta owner can change the js code then send you founds to faker contract:)
The contract address is shown in the Mist/MetaMask prompt. Checking that when you first deposit would be sufficient. (Sure, it's probably true that many users would fail to check that, but I think it counts for something that there is an obvious way that anyone could verify what they were committing their funds to.)
>thousands of dollars
The article is out of date. People are saying the amount is now $6 billion.
This linked to an 'unlisted' token (a token which doesn't have enough recognition to be 'officially listed' on Etherdelta, and thus doesn't have its own ticker symbol), which the vast majority of token buyers have no interest in, so there's no chance that many people were interested in purchasing it, let alone through Etherdelta (which still has very little volume relative to centralized exchanges).
It is out of date, but the author created a followup post[1] on Medium:
> Which as of this writing, has over $130,000 worth of Ethereum and over 88,000 transactions.
[1] https://medium.com/@decktonic/following-the-trail-what-we-kn...
Do you have a link to that. Seems like a huge difference if it is thousands of dollars vs billions of dollars?
Uh no, there is literally no chance.