{"id":11311,"date":"2018-10-22T07:38:29","date_gmt":"2018-10-22T07:38:29","guid":{"rendered":"http:\/\/bulletins.bfconsulting.com\/?p=11311"},"modified":"2018-10-22T07:38:29","modified_gmt":"2018-10-22T07:38:29","slug":"why-cryptocurrency-exchanges-are-hacked-so-often","status":"publish","type":"post","link":"https:\/\/bulletins.bfconsulting.com\/en\/why-cryptocurrency-exchanges-are-hacked-so-often\/","title":{"rendered":"Why cryptocurrency exchanges are hacked so often"},"content":{"rendered":"<p>Last year, at least five major cryptocurrency exchanges were hacked, resulting in the loss of hundreds of millions of USD. The fault for such hacks resides on two fronts: the client side and the server side.<\/p>\n<p>On the client side:<\/p>\n<ul>\n<li><strong>Cross Site Scripting (aka XSS)<\/strong> allows attackers to use your browser as their own. A malicious JavaScript simply substitutes the withdrawal wallet address right before you withdraw funds.<\/li>\n<li><strong>Open redirects <\/strong>that allow hackers to (1) make real exchanges appear as malicious sites in search engines and (2) increase the success rate of malware installation attacks. The typical attack downloads a \u201cnew version of the trading desktop client\u201d, which is really malicious software that steals your wallet.<\/li>\n<li><strong>SSL issues related to mobile apps<\/strong> are a relatively minor issue (they are more common in countries like China, Iran and Russia, where governments can intercept internet connections with their own certificates).<\/li>\n<\/ul>\n<p>On the server side:<\/p>\n<ul>\n<li><strong>NoSQL\/key-value injections<\/strong> allow attackers to target new technologies like NoSQL and in-memory databases. These are newer methods and are rarely discovered by developers and frameworks.<\/li>\n<li><strong>Logic issues<\/strong> (mainly race conditions) are critical and hard to discover by automation tools like source code analyzers. 
An example of this is simultaneously processing more than one withdrawal transaction, which could result in a negative account balance.<\/li>\n<li><strong>Authentication issues<\/strong> (e.g. bypasses) have become risky due to logical or input validation problems that allow access to a user session without the proper credentials being checked.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Last year, at least five major cryptocurrency exchanges were hacked, resulting in the loss of hundreds of millions of USD. The fault for such hacks resides on two fronts: the client side and the server side. On the client side: Cross Site Scripting (aka XSS) allows attackers to use your browser as their own. 
A &hellip;<\/p>\n","protected":false},"author":5,"featured_media":11395,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[399,184],"_links":{"self":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts\/11311"}],"collection":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/comments?post=11311"}],"version-history":[{"count":3,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts\/11311\/revisions"}],"predecessor-version":[{"id":11396,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/posts\/11311\/revisions\/11396"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/media\/11395"}],"wp:attachment":[{"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/media?parent=11311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/categories?post=11311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bulletins.bfconsulting.com\/en\/wp-json\/wp\/v2\/tags?post=11311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}