XSS Attack Embedded in an ERC20 Token Contract Steals Thousands(hackernoon.com) |
XSS Attack Embedded in an ERC20 Token Contract Steals Thousands(hackernoon.com) |
This isn't some sort of fancy cryptocontract based attack. The private key is just stored as a JavaScript object in the session and an attacker found and exploited a reflected XSS vulnerability to send off the key.
Even if you're not sending your private key to the server directly surely some people must have made these users aware of the risks they were taking? Not only XSS risks, but risks of a rogue admin or backend compromise injecting malicious JS.
Google has a good introduction to using them here: https://csp.withgoogle.com/
CSP doesn't mean that people should forget about proper HTML encoding of user input, but it means that when a developer messes that up somewhere, the issue is generally a minor formatting glitch rather than an exploitable flaw that lets attackers do whatever they want with users' browsers within your domain (like steal thousands of dollars). It's some invaluable defense-in-depth.
Even "in concept", releasing fintech software without doing the security basics verges on professional misconduct.
https://news.ycombinator.com/item?id=15321015
"I put it to you that it’s impossible to write secure web apps."
Maybe it's time to refine some of these ideas? While regular money does get stolen, maybe storing it online isn't the best method? Maybe requiring some human interaction is a good idea?
At this point, I can't really justify investing in any cryptocurrency. I'm absolutely unable to justify investing in any ICO.
If I opened a contract and my PayPal balance disappeared, I'd be pretty angry and might have some recourse. I'd absolutely have some options if it were with my credit/debit card or directly through my bank.
Good luck, folks. I'm still going to maintain the wait-and-see approach.
What's the fun in that?
Did Samy say "Maybe I should ask the user if they want to friend me"? NO! He said "People want to friend me" and "LOL MYSPACE XSS", then became the most popular person on the network overnight.
After Tom, of course, who cheated.
Hugh hype was created.
Last time: It was safe because it was back by mortgage.
This time: It is safe because it is back by crypto algorithm.
Last time few smart insiders got billions richer and unload everything before the bubble burst.
And the time ...... (Love to see all imaginable endings to this time's story - good or bad)
I'd do the same with cryptocurrency, but I can't figure out how. My 2008 investments were pretty risk-free. Of course the economy was going to recover. It always does.
I've no idea how to do that with cryptocurrency.
If you look at the kind of attacks that happen I feel like two major problems came from the fact that addresses can be real account addresses or contracts (it could have been good to segregate them) and errors/exceptions don't propagate well.
Code will always have bugs, and you cannot truly understand how something written in a Turing complete language will behave without running it.
> very painful tool if mishandled
Part of being a skilled craftsman is choosing the right tools, which includes understanding and respecting their limits. The language for writing contracts makes all state mutable by default, has ambiguous operators that change behavior depending on storage location or if the operand was a literal, and doesn't defined the order of evaluation for expressions, to name just a few of it's design problems[1]. This isn't a "useful tool:", it's a strong indicator of a another fractal of bad design[2].
The article is out of date. People are saying the amount is now $6 billion.
> Which as of this writing, has over $130,000 worth of Ethereum and over 88,000 transactions.
[1] https://medium.com/@decktonic/following-the-trail-what-we-kn...
There are also other contract languages aimed to solve some of the limitations you mention, like Tezos/Michelson [2][3], which facilitate formal verification.
The issues you point out are certainly valid, but I believe people in the space are cognizant of them and are working on solutions.
It's limiting, but you can still have many of the fancier features by baking standard versions of them into the language/stdlib itself.
> I believe people in the space are cognizant of them and are working on solutions.
The problem with that is that this isn't a bug or engineering problem that we can solve with impossibly talented devs and a sufficiently large r&d budget. Questions about any non-trivial semantic behavior of a program (such as, "will the program halt"[2]) are known[3] too be undecidable[4].
[1] according to LangSec, the grammar needs to be deterministic context-free (or simpler). Anything more complex is undecidable.
[2] https://en.wikipedia.org/wiki/Halting_problem
You could make a killing because you knew from history that the market usually overreacts and the 2007 financial crisis was such an event. Everything went down, even stuff that had good fundamentals, so you could scoop up lots of good stuff in 2008 at a cheap price.
Such events happen in cryptocurrencies every few months because of the increased pace. Like a few weeks ago when the whole market dumped 30% because China was flexing their muscles again and now we are about 20% up from that bottom.
So, that was easy money. But OTOH, if you bought in Q1 and just did hold since then, you would even be up 3x. Despite the dips in between. Insane performance but nobody knows if we are 10x next year or /10.
> Of course the economy was going to recover. It always does.
That's the important point. We have a long history of the stock market and we have some rules of thumb how it behaves.
We are in the exponential growth phase of a new technology and we don't know yet if the cryptocurrency hype has passed its top or not. The concept of cryptocurrencies is certainly here to stay but how much worth will it be and even more important, how much worth are the coins and tokens that exists now going to be?
Look at the history of other new technologies and try to decide where in that cycle we are right now. If that's easy money is up to you :-)
These ICOs are starting to make powerful people angry. Thefts like this one are starting to get regular media coverage. At some point, probably soon, the governments are going to come and clamp down on it.
Is there a way to long-term short Etherium or Bitcoin?
Plenty of exchanges will offer you shorts if you're that confident, though. BitFinex and Kraken come to mind.
Someone else in this thread said, well, serves them right, they should have used CSP, and then someone else pointed out that doesn't work for inline scripts, and there was a reply of the form "only stupid people use inline scripts" although this is news to me, as nearly every website I see uses inline scripts of some form or another. This whole discussion looks like people in denial.
The problem here is that XSS is so easy to create. A jungle of half-broken workarounds, mitigations, static analysis tools, fuzzers etc doesn't change the basic truth that the web is a fundamentally unsound platform on which to do secure coding. Data and code bleed together far, far too easily - by design.
One is the exploit I describe above: data taken from the block chain was not escaped properly.
Another is a more "traditional" XSS. It was possible to format a URL such that it contained script tags that were injected into the page.
https://github.com/etherdelta/etherdelta.github.io/issues/14...
The reason is, the data after the hash was not escaped.
Perhaps a fuzzer would have caught that. But a good tool would make it hard to make such mistakes by default. A desktop app would not have suffered from such errors, by construction. The web is not a good tool.
While you are correct it would not of suffered from this particular vulnerability, a improperly utilized malloc for example could have similar if not more disastrous effects and would be exploitable under the same threat model. Yet I wouldn't call it a bad tool, just a tool used by an inexperienced carpenter.
News would be boring if it wasn't for the negative stuff.
All I'm saying that one should always question the motives of the media & not necessarily conclude a general opinion just by reading a bunch of articles that landed on the front page.
As for the exploit itself, it's hard to believe that in this day and age XSS is still a problem despite so many solutions & fixes for it.