How we hacked into a cryptocurrency market – BeatCoin.pl

Zdalny Admin increasingly provides services to global players in the cryptocurrency market, dealing with currencies such as Bitcoin, Litecoin or Ethereum. The industry is developing at a very fast pace; its total value is estimated at around 30 billion USD.

Cryptocurrencies have become a great temptation for cybercriminals looking for an opportunity to make extra money without leaving the house.

BeatCoin is an online cryptocurrency exchange. As they were preparing to expand into the Polish market, they asked us to test the security of their website with a penetration test. This was a very mature decision by the management, and it shows that BeatCoin really puts security first.

The client gave us the address of the exchange, as well as access to several accounts created specifically for the test.

We started by looking around, and that reconnaissance revealed the exchange's real IP address. The public domain was fronted by Cloudflare (DDoS protection) and a web application firewall (WAF), but those only filter traffic that actually passes through them. Once we knew the origin server's IP, we could connect to it directly and bypass both layers. The lesson for the defender: an origin server should accept connections only from the CDN's published address ranges (or require authenticated origin pulls), otherwise the CDN and WAF can simply be walked around.
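The defensive side of this finding, as an added example (not BeatCoin's or Zdalny Admin's code): a small WSGI middleware that refuses any connection whose TCP peer is not one of the CDN's addresses, and that trusts the CDN's client-address header only on such connections. All names are hypothetical and the CDN ranges below are constructed samples standing in for the provider's published list.

```python
"""Added example, not BeatCoin's or Zdalny Admin's code: an origin-protection
WSGI middleware. Hypothetical names throughout; the CDN ranges are constructed
samples standing in for the provider's published list."""
from typing import Optional
import ipaddress

# Constructed sample of CDN egress ranges. In production load the provider's
# published list (and enforce the same allowlist at the firewall as well).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


def is_cdn_address(remote_addr: str) -> bool:
    """True if the TCP peer address belongs to one of the CDN ranges."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in CDN_RANGES)


def client_ip(environ: dict) -> Optional[str]:
    """Real client address, or None if the connection did not come via the CDN.

    The CF-Connecting-IP header is trusted only when the peer is the CDN;
    on a direct connection an attacker can set it to anything.
    """
    peer = environ.get("REMOTE_ADDR", "")
    if not is_cdn_address(peer):
        return None
    return environ.get("HTTP_CF_CONNECTING_IP") or peer


def origin_guard(app):
    """Wrap a WSGI app: reject direct-to-origin requests with 403."""
    def guarded(environ, start_response):
        real_ip = client_ip(environ)
        if real_ip is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to origin is not allowed\n"]
        environ["app.client_ip"] = real_ip   # for logging / rate limiting downstream
        return app(environ, start_response)
    return guarded


def demo_app(environ, start_response):
    """Minimal downstream app that echoes the resolved client address."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["app.client_ip"] + "\n").encode()]


def call(app, environ: dict):
    """Invoke a WSGI app without a server; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


protected = origin_guard(demo_app)

if __name__ == "__main__":
    # Attacker hitting the origin IP directly and spoofing the CDN header:
    direct = {"REMOTE_ADDR": "192.0.2.10", "HTTP_CF_CONNECTING_IP": "1.2.3.4"}
    # The same client arriving through the CDN:
    via_cdn = {"REMOTE_ADDR": "198.51.100.7", "HTTP_CF_CONNECTING_IP": "1.2.3.4"}
    print(call(protected, direct))    # ('403 Forbidden', b'direct access to origin is not allowed\n')
    print(call(protected, via_cdn))   # ('200 OK', b'hello 1.2.3.4\n')
```

The application-level check is a backstop; the same allowlist belongs in the host firewall or security group, so that a direct TCP connection to the origin never reaches the web server at all. Cloudflare additionally offers authenticated origin pulls (client-certificate TLS from the CDN to the origin), which closes the gap even if the IP list is stale.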

With an unfiltered view of the application, we were also able to find further, lower-severity issues, such as cross-site scripting (XSS), cross-site request forgery (CSRF) and full path disclosure.

We were not able to log into the administration panels, and the issues found so far only allowed attacks on user accounts. That was not yet what we were after: our goal was to attack the exchange itself, not its administrators.

A few days later we found an SQL injection in one of the HTTP headers sent to the server: the header value ended up inside a database query without being parameterized. Headers are attacker-controlled input just like form fields, and they are easy to overlook because they never appear on the page. The injection gave us access to the main database. Through it we could download user details, change our own balance and buy bitcoin with money we had never deposited.
This alone, however, was not enough to steal from BeatCoin: the owners had introduced a policy that every operation had to be manually approved by an employee. What we were planning would have raised suspicion instantly, and the withdrawal would certainly not have been approved.
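The shape of that finding, as an added example (not BeatCoin's code): a visit logger that writes a User-Agent header into the database. The vulnerable version concatenates the header into the SQL text, so a crafted header can pull every login and password hash into the log (and, with the same access, could just as well UPDATE a balance); the safe version binds the header as a parameter. The users, the log table and the payload are all constructed for the demo and run against an in-memory SQLite database.

```python
"""Added example, not BeatCoin's code: SQL injection through an HTTP header.

Headers such as User-Agent are attacker-controlled input just like form fields,
but code that logs them often concatenates them straight into SQL. Both
functions below write a visit record; one is injectable, one is not. Data and
the payload are constructed for the demo; the database is in-memory SQLite.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Fresh database with a constructed users table and an empty visit log."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO users (login, pw_hash) VALUES
            ('alice', 'sha256$deadbeef'),
            ('bob',   'sha256$cafebabe');
        CREATE TABLE visits (id INTEGER PRIMARY KEY, user_agent TEXT);
        """
    )
    return db


def log_visit_vulnerable(db: sqlite3.Connection, user_agent: str) -> None:
    """String-built INSERT: the header value becomes part of the SQL text."""
    db.execute(f"INSERT INTO visits (user_agent) VALUES ('{user_agent}')")


def log_visit_safe(db: sqlite3.Connection, user_agent: str) -> None:
    """Parameterised INSERT: the header value is only ever bound as data."""
    db.execute("INSERT INTO visits (user_agent) VALUES (?)", (user_agent,))


def logged_agents(db: sqlite3.Connection) -> list:
    """Whatever the visit log now contains (e.g. what an admin stats page shows)."""
    return [row[0] for row in db.execute("SELECT user_agent FROM visits ORDER BY id")]


# Constructed User-Agent payload: close the string literal, concatenate a
# subquery that reads every login and hash, then reopen the literal so the
# statement stays syntactically valid.
PAYLOAD = "x' || (SELECT group_concat(login || ':' || pw_hash) FROM users) || 'y"


def run(logger) -> list:
    """Send the payload through the given logger and return what was stored."""
    db = make_db()
    logger(db, PAYLOAD)
    return logged_agents(db)


if __name__ == "__main__":
    print(run(log_visit_vulnerable))  # ['xalice:sha256$deadbeef,bob:sha256$cafebabey']
    print(run(log_visit_safe))        # [PAYLOAD]  (stored verbatim, nothing executed)
```

The fix is the same whatever the database engine: never build SQL by string formatting, bind every external value (headers, cookies, JSON bodies included) as a parameter, and give the web application's database account only the privileges it needs, so that a logging path cannot read the credentials table even if an injection slips through.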

The SQL injection was of course very dangerous in itself, since it let us download the clients' data (logins and password hashes), which could be used to attempt logging into their accounts. We did not do that, because we did not know the salt used when hashing the passwords. A caveat for the defender: a per-user salt stored next to the hash is not a secret and comes out in the same dump; only a secret kept outside the database (a pepper) together with a deliberately slow hash keeps dumped hashes from being cracked offline, and credentials from a dumped database should be reset regardless.
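What that caveat looks like in code, as an added example (not BeatCoin's scheme, which the article does not describe): password hashing with a per-user salt stored in the record plus a server-side pepper that never touches the database. Verifying a guess against a dumped record fails without the pepper, which is the property that makes a database dump alone insufficient. The work factors and the demo pepper value are constructed for illustration; `hashlib.scrypt` is part of the standard library (Python 3.6+ built against OpenSSL 1.1+).

```python
"""Added example, not BeatCoin's code: salted password hashing with a
server-side pepper, showing why a database dump alone may not be enough to
attack the accounts. Uses hashlib.scrypt (Python 3.6+, OpenSSL 1.1+); the
work parameters are illustrative and the pepper value is a constructed
stand-in for a secret loaded from outside the database.
"""
import hashlib
import hmac
import os
from typing import Optional

# In production this comes from an environment variable, KMS or HSM; it must
# never be stored in the same database as the hashes.
PEPPER = os.environ.get("PW_PEPPER", "constructed-demo-pepper").encode()

# scrypt work factors (illustrative; tune so a login costs ~100 ms on your servers).
N, R, P = 2 ** 14, 8, 1


def hash_password(password: str, pepper: bytes = PEPPER, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$key_hex."""
    salt = salt or os.urandom(16)
    # The pepper is applied through HMAC before the slow hash, so without it
    # the scrypt input cannot even be reconstructed from the dumped record.
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    key = hashlib.scrypt(keyed, salt=salt, n=N, r=R, p=P, dklen=32)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), key.hex()])


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Check a password against a stored record; the digest compare is constant-time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    key = hashlib.scrypt(keyed, salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))            # True
    print(verify_password("wrong password", record))                          # False
    print(verify_password("correct horse battery staple", record, b"guess"))  # False: dump without pepper
```

The salt still matters (it stops one cracking run from covering every user at once), but it is the pepper's secrecy that turns a dump into something the attacker cannot work on offline. Keep the pepper rotatable: the record format above has no pepper identifier, so a real deployment would add one so that old records can be re-hashed on next login after a rotation.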

After another few days we managed to get the server to send us not only its output files (HTML, JS) but also its server-side source files, which let us copy practically the entire source code of the exchange. In one of those files we found the access data for the cryptocurrency wallets, and with it access to the wallets of the payment intermediaries (instant transfers, SMS payments). We had reached our goal, and so would any attacker going after the portal: theft of funds was possible. Two lessons follow: wallet and payment credentials belong in a secrets store or environment configuration outside the web root, not in source files, and any credential exposed this way must be rotated, not merely the disclosure fixed.

At that point we had it all: access to the wallets, access to the intermediaries and the users' details. If we were cybercriminals, we could easily have got rich, or launched an identical platform without spending a penny, stealing the results of the owners' hard work.

Of course we didn't. 😊 We gave BeatCoin a full report on what we had found and pointed out the weak points that required attention. After all the fixes were implemented, we repeated the test to verify the platform's security.

BeatCoin's decision to commission the pentest was a very mature one. It shows they value the security of their clients' data more than anything else. We believe every business, no matter its size, should order such a test to make sure its customers are truly safe.

Everything we do is 100% legal; we never attack servers without the owner's explicit request. Our sole goal is to improve the security of their platform.