{"id":11311,"date":"2018-10-22T07:38:29","date_gmt":"2018-10-22T07:38:29","guid":{"rendered":"http:\/\/bulletins.bfconsulting.com\/?p=11311"},"modified":"2018-10-22T07:38:29","modified_gmt":"2018-10-22T07:38:29","slug":"why-cryptocurrency-exchanges-are-hacked-so-often","status":"publish","type":"post","link":"https:\/\/bulletins.bfconsulting.com\/en\/why-cryptocurrency-exchanges-are-hacked-so-often\/","title":{"rendered":"Why cryptocurrency exchanges are hacked so often"},"content":{"rendered":"<p>Last year, at least five major cryptocurrency exchanges were hacked, resulting in the loss of hundreds of millions of USD. The fault for such hacks resides on two fronts: the client side and the server side.<\/p>\n<p>On the client side:<\/p>\n<ul>\n<li><strong>Cross Site Scripting (aka XSS)<\/strong> allows attackers to use your browser as their own. A malicious JavaScript simply substitutes the withdrawal wallet address right before you withdraw funds.<\/li>\n<li><strong>Open redirects<\/strong> allow hackers to (1) make real exchanges appear as malicious sites in search engines and (2) increase the success rate of malware installation attacks. The typical attack downloads a \u201cnew version of the trading desktop client\u201d, which is really malicious software that steals your wallet.<\/li>\n<li><strong>SSL issues related to mobile apps<\/strong> are relatively minor (they are more common in countries like China, Iran and Russia, where governments can intercept internet connections with their own certificates).<\/li>\n<\/ul>\n<p>On the server side:<\/p>\n<ul>\n<li><strong>NoSQL\/key-value injections<\/strong> allow attackers to target new technologies like NoSQL and in-memory databases. These are newer techniques and are rarely caught by developers or frameworks.<\/li>\n<li><strong>Logic issues<\/strong> (mainly race conditions) are critical and hard to discover with automated tools such as source code analyzers. 
An example of this is simultaneously processing more than one withdrawal transaction, which could result in a negative account balance.<\/li>\n<li><strong>Authentication issues<\/strong> (e.g. bypasses) have become risky due to logical or input validation problems that allow access to a user session without the proper credentials being checked.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Last year, at least five major cryptocurrency exchanges were hacked, resulting in the loss of hundreds of millions of USD. The fault for such hacks resides on two fronts: the client side and the server side. On the client side: Cross Site Scripting (aka XSS) allows attackers to use your browser as their own. 
A &hellip;<\/p>\n","protected":false},"author":5,"featured_media":11395,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[399,184],"_links":{"self":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts\/11311"}],"collection":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/comments?post=11311"}],"version-history":[{"count":3,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts\/11311\/revisions"}],"predecessor-version":[{"id":11396,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts\/11311\/revisions\/11396"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/media\/11395"}],"wp:attachment":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/media?parent=11311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/categories?post=11311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/tags?post=11311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}