Privacy matters to most of us, and that applies to the crypto world too. Bitcoin transactions don't directly link to a person, but in the case of NiceHash an attacker could find a miner's BTC wallet address using nothing more than his email address.
This is the story of how I found a random person's recent cryptocurrency mining payments using Twitter and LinkedIn.
NiceHash is a cryptocurrency hashing-power marketplace where miners sell the computing power of their PCs, laptops and ASICs and receive Bitcoin in return. Mining is done through a piece of software called NiceHash Miner.
You may wonder what the big deal is if someone knows a crypto miner's information. Well, a lot of things could go wrong, such as:
Exposure of a violation of local law, in countries where cryptocurrency mining is banned.
[Worst-case scenario] If attackers know that you regularly receive a lot of bitcoin, you could be kidnapped and held for a ransom payable in BTC. It happened to Exmo's CEO Pavel Lerner (he was released after a payment of $1 million).
In a less dangerous scenario, your boss could learn that you are into cryptocurrency mining and take your earnings from it into account at appraisal time. [Applicable in some countries]
NiceHash was hacked in December 2017 and its customers lost around $64 million to the attackers. Since then it has improved its security posture and implemented impressive best practices for securing its web applications and IT infrastructure. NiceHash promised to fully reimburse its users, and within a year roughly 71% of the "Old Balance" had already been repaid to the users impacted by the breach.
Proof of Concept:
I found a security issue in NiceHash Miner for Windows v184.108.40.206 which allowed an adversary who knew a miner's email address to view that miner's recent payment history, BTC wallet address, mining history, workers and other information. The issue also amounted to a GDPR violation.
The root cause was a feature that let miners add their wallet by entering their email address. There was no authorization check to verify that the person entering the email address actually owned it.
There were three security issues with the software, which together could lead to a privacy violation affecting many users.
1. Username enumeration through error messages. [CVE-2019-6122]
The error message returned when adding a wallet differs for registered and unregistered email addresses, so an adversary can tell valid user email addresses from invalid ones. MITRE assigned CVE-2019-6122 to this finding.
2. Missing rate limit while adding a wallet. [CVE-2019-6120]
Because there is no rate limit, an adversary can try a large number of email addresses and check which of them are associated with a NiceHash account. MITRE assigned CVE-2019-6120 to this finding.
3. Missing authorization check after submitting an email address. [CVE-2019-6121]
In earlier versions of NiceHash Miner, users were required to enter their Bitcoin wallet address, but the process was changed in v220.127.116.11 to let users start mining by entering only their email address.
After entering a valid email address, the user can start mining, and the BTC he earns goes to the Bitcoin wallet address associated with that email. The NiceHash Miner thick client also has a function called 'view online stats'.
It leads to a page** showing the user's recent payments, unclaimed balance, Old Balance (at the time of the December 2017 breach), projected payout and mining stats such as profitability, efficiency and number of workers.
**The URL for that page looks like this:
The NiceHash web platform has a 'Find Miner' function that lets anyone who knows a NiceHash miner's BTC address display his recent statistics: mining payment history, current profitability, active workers and recent mining stats.
It also shows the user's "Old Balance" and Repayment Program information, that is, his BTC wallet balance at the time of the December 2017 breach. This user joined NiceHash before the breach.
An adversary can also start mining BTC for the user (that in itself is not a security issue), but he can give his workers arbitrary names and use that text to try to fool the miner. I think the miner should have to 'accept' a worker.
The security issue is the ability to identify the BTC wallet address associated with a user's email address, which in turn unlocks the 'Find Miner' statistics for that user.
MITRE assigned CVE-2019-6121 to this finding.
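As an added example, not code from this article or from NiceHash, the snippet below re-creates the three weaknesses in a simulated "add wallet by email" flow and puts a hardened version next to it: one indistinguishable response whether or not the email exists, a per-client rate limit, and a confirmation token that has to come back from the mailbox before any wallet data is revealed. The account data, client identifiers, method names and the limits (5 attempts per 10 minutes) are all assumptions made for the example.

```python
"""Illustrative re-creation of a flawed "link wallet by email" flow and a
hardened version of it. Example code written for this article, not NiceHash's
code; every account below is constructed."""

import secrets
import time
from collections import defaultdict

# Constructed sample accounts (emails and addresses are made up).
ACCOUNTS = {
    "alice@example.com": "bc1qaliceexampleaddress000000000000000000",
    "bob@example.com": "bc1qbobexampleaddress00000000000000000000",
}


class VulnerableWalletLinker:
    """Behaves like the flawed flow described above:
    - a distinct error for unknown emails -> username enumeration (CVE-2019-6122)
    - no throttling                       -> mass guessing        (CVE-2019-6120)
    - no proof of mailbox ownership       -> wallet disclosed     (CVE-2019-6121)
    """

    def add_wallet(self, client, email, now=None):
        # 'client' and 'now' are unused here; kept for interface parity with the fix.
        if email not in ACCOUNTS:
            return {"ok": False, "error": "No miner is registered with this email"}
        return {"ok": True, "btc_address": ACCOUNTS[email]}


class HardenedWalletLinker:
    """Same feature with the three fixes: one generic reply, per-client rate
    limiting, and a single-use confirmation token sent to the mailbox."""

    GENERIC_REPLY = {
        "ok": True,
        "message": "If this email is registered, a confirmation link has been sent to it",
    }

    def __init__(self, max_attempts=5, window_seconds=600):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._attempts = defaultdict(list)  # client id -> timestamps of recent requests
        self._pending = {}                  # confirmation token -> email
        self.outbox = []                    # stands in for the mail server in this example

    def _rate_limited(self, client, now):
        # Sliding window: keep only requests younger than window_seconds.
        recent = [t for t in self._attempts[client] if now - t < self.window_seconds]
        self._attempts[client] = recent
        if len(recent) >= self.max_attempts:
            return True
        recent.append(now)
        return False

    def add_wallet(self, client, email, now=None):
        now = time.time() if now is None else now
        if self._rate_limited(client, now):
            return {"ok": False, "error": "Too many requests, try again later"}
        if email in ACCOUNTS:
            token = secrets.token_urlsafe(32)   # unguessable, single use
            self._pending[token] = email
            self.outbox.append((email, token))  # only the mailbox owner receives it
        # Identical reply whether or not the email exists, and no wallet data in it.
        return dict(self.GENERIC_REPLY)

    def confirm_link(self, token):
        # Only someone who read the mailbox can present the token; it is consumed on use.
        email = self._pending.pop(token, None)
        if email is None:
            return {"ok": False, "error": "Invalid or already used confirmation token"}
        return {"ok": True, "btc_address": ACCOUNTS[email]}


def enumerate_emails(linker, candidates, client="attacker"):
    """What an adversary does with the weak flow: feed in harvested email
    addresses and keep the ones for which the service hands back a wallet."""
    return [e for e in candidates if "btc_address" in linker.add_wallet(client, e)]


if __name__ == "__main__":
    guesses = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_emails(VulnerableWalletLinker(), guesses))
    print("hardened:  ", enumerate_emails(HardenedWalletLinker(), guesses))
```

Against the vulnerable linker the attacker loop recovers both registered addresses and their wallets; against the hardened one it recovers nothing, because the reply carries no wallet and does not change with the email, and repeated guessing from one client is cut off by the window. Note that the rate limit alone would not have been enough: it slows harvesting but does not stop someone who already knows one target's email, which is why the ownership check is the essential fix.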
To confirm the severity of the impact, I used some OSINT and searched Twitter for #NiceHash. I was able to find some users on Twitter talking about their mining experience on NiceHash. One of them used his Twitter handle as his email address, [twitterhandle]@gmail.com. [Easy!!]
I tried another user's email based on his Twitter handle. Failed! I tried emails built from combinations of his first name and last name. Failed! After several attempts I noticed his Twitter bio, which had a link to his LinkedIn profile. I was able to find the email address he used for NiceHash in the resume he had uploaded to LinkedIn! It worked!
He wouldn't have thought that his resume would lead to his recent payments (in bitcoin) earned from cryptocurrency mining!
NiceHash announced a fix in NiceHash Miner v18.104.22.168. It no longer accepts an email address for adding BTC wallets. However, a miner's information can still be acquired using the older version of the software, if his email address is known.
As of now [Jan 2019], NiceHash users cannot change their email address, and the technique still works in older versions of the client!
Moral of the story:
If your web application and thick client share a backend, you have to secure both of them. A fix shipped only in the client leaves the server-side functionality exposed to anyone who keeps running the old version.
NiceHash decided to send a T-shirt as a token of appreciation for finding this issue (which I never received!).
1 December, 2018 – [Reported to NiceHash]
1 December, 2018 – [First Response from NiceHash]
“Thank you very much for bringing this potential vulnerability to our attention. Privacy of our users is very important to us, so we will take a close look into possible additional measures for validation of email address and preventing abuse of this page for harvesting valid email accounts.”
14 January, 2019 – [v22.214.171.124 released with a fix and other updates]
Feel free to reach me on LinkedIn.
Ashutosh has found security issues that prevented the leak of personal information belonging to 100 million+ people. He specializes in finding vulnerabilities in web applications, mobile applications and IT infrastructure, and in consulting organizations on why, how and when to fix them.
He has been working with Deloitte since June 2017 as a Cyber Security Consultant/Engineer, and has been acknowledged by organizations such as Google, Twitter, the US Department of Defense, Symantec, the United Nations, Rapid7, Trend Micro, Avira, United Airlines, IBM and Go Airlines for finding security flaws in their web applications.