How I hacked one cryptocurrency service

Valeriy Shevchenko
Mar 31, 2018 · 3 min read

A couple of weeks ago, one morning did not begin as usual.

Message: “Is it your article? (an article about one hacking story) Do you want to check our service?”
As a result, after several messages on Telegram, I was on my way to start recon and check the new service. The service name was


It's a payment provider service, mostly for cryptocurrencies. And yes, it was an official request without the bug-bounty routine: long fixing times, arguing about the reward amount and so on.

The testing session was interesting, and I am here to share my findings with you.

1. Blind XSS in support chat (fixed)

First of all, I checked the support chats. There were two support areas: one with a widget, and a second with an official request form from the profile menu. The second route was successful. I found a way to trigger XSS from an attached file's filename and from the title.


This also had the biggest impact here, because the guys from support sent me this smile ;) and that was good for me: I caught their cookies → the URL to the admin menu → in the end I could control the service from the admin tool with these captured cookies.

For the XSS I used this vector (I always collect my logs with )

“><script src=></script>

And the result was a powerful admin menu.


2. XSS attack from an interesting directory (fixed)

During the recon process I found an interesting directory

This page has one form that sends a POST request to the main service. From time to time the service returned some data in response:

  • first of all, it is unrestricted access to the service data
  • second, it is a place where some data was reflected on the page

An attacker can craft a malicious page with an XSS+CSRF vector to steal the victim's cookies via the reflected parameter on this page.


3. CSRF attack on user settings (fixed)

On the personal page of my test user I found that there were no CSRF tokens making the request to save private data unique. I checked it with two different users, and my theory was right: the first user, using a maliciously crafted page, could modify the data of the second user.
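The two server-side fixes that findings 1 and 3 call for, as an added example that is not the service's own code (the rendering helper, the in-memory session store and the form field names are assumptions): HTML-escaping user-supplied attachment names and titles before they reach the admin view, and a per-session CSRF token that the settings form must echo back.

```python
import hmac
import html
import secrets
from urllib.parse import quote

# Constructed sample: an attachment name carrying the post's own vector.
SAMPLE_FILENAME = '"><script src=></script>.png'


def render_attachment_row(title: str, filename: str) -> str:
    """Render one support-ticket attachment for the admin view.

    Both user-controlled strings are escaped for the context they land in:
    html.escape(quote=True) for attribute and text nodes, percent-encoding
    for the path segment of the link. A filename or title containing quotes
    or angle brackets therefore stays data instead of becoming markup.
    """
    safe_title = html.escape(title, quote=True)
    safe_name = html.escape(filename, quote=True)
    href = "/attachments/" + quote(filename, safe="")
    return f'<li title="{safe_title}"><a href="{href}">{safe_name}</a></li>'


# Hypothetical session store: session id -> CSRF token issued for it.
_sessions: dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Issue a fresh random token bound to the session; embed it in the form."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def save_settings(session_id: str, form: dict) -> bool:
    """Accept the settings form only if it echoes the session's own token.

    A page on another origin cannot read the token, so a forged request
    arrives without it (or with a stale one) and is rejected. The comparison
    is constant-time so the check itself leaks nothing about the token.
    """
    expected = _sessions.get(session_id)
    supplied = str(form.get("csrf_token", ""))
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    # ... persist form["email"] and the other fields for this user here ...
    return True
```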

The time to fix was around 1–2 hours every time. That was great!

The reward amount was around $300. For me, money does not play an important role. That's why the project didn't scare me.

PS: You can contact me if you have an interesting project for testing.

Click the "Clap" icon if you like this article ;)
