Privacy matters to most of us! That applies for crypto world too. Bitcoin transactions don’t directly link to a person, but in case of NiceHash, attackers could find a miner’s BTC wallet address using his Email address.
This is a story about How I found a random guy’s recent payments from his cryptocurrency mining activity using twitter and LinkedIn.
NiceHash is a Crypto-Currency marketplace where miners use their PC, ASICs, Laptops’ computing power and receive Bitcoins in return. Miners can perform crypto mining using a software called NiceHash Miner.
You may wonder what’s the big deal if someone knows a crypto miner’s information? well, a lot of things could go wrong such as,
Violation of local law, where crypto-currency mining is banned:
[Worst-case Scenario] if attackers know that you get a lot of bitcoins regularly, you could be kidnapped and asked for ransom in BTC, It happened to Exmo’s CEO Pavel Lerner. (He was released after payment of $1 Mn.)
In a less dangerous scenario, your boss can know that you are into Cryptocurrency mining. He may consider your earnings from it at the time of your appraisals. [Applicable to some countries]
NiceHash was hacked in December 2017 and its customers lost around ~ $64 Million to hackers. So, they improved their security posture and implemented impressive best practices for securing their web applications and IT infrastructure. NiceHash promised that it will fully reimburse its users, ~71% of the old balance amount is already reimbursed to all users that were impacted by the security breach within a year.
Proof of Concept:
I found a security issue in NiceHash miner for windows v18.104.22.168, which allowed an adversary to view a NiceHash miner’s recent payment history, BTC wallet address, Mining History, workers etc. information, if his email address was known. also the issue was resulted into GDPR Violation.
Root cause for this issue was a functionality, using which miners were able to add their wallets using their email address. There was no authorization check to verify that email address was entered by the user himself.
There were Three security issues with the software. which could lead to privacy violation of multiple users.
1. Username Enumeration through error message. [CVE-2019-6122]
An adversary can identify valid/invalid users email address using this error message. MITRE has assigned CVE-2019-6122 for this finding.
2. Missing Rate Limit while adding a wallet. [CVE-2019-6120]
Using this issue, an adversary can try large number of email addresses, and verify if an email address is associated with NiceHash. MITRE has assigned CVE-2019-6120 for this finding.
3. Missing authorization check after submitting email address. [CVE-2019-6121]
In earlier versions of NiceHash, users were required to enter their Bitcoin wallet address, but they changed the process in v22.214.171.124 and allowed users to mine using Email only.
After entering a valid email address user can start mining. The BTC he earns goes to Bitcoin wallet address associated with the email. Miners can use a functionality in NiceHash Miner thick client called ‘view online stats‘.
It leads to a page** in which shows information about user’s recent payments, unclaimed Balance, Old Balance (at the time of December 2017 breach) , Projected payout, Mining stats like profitability, Efficiency, Number of workers, etc.
**URL for that page looks like this:
NiceHash web platform has ‘Find Miner’ functionality that enables anyone who knows NiceHash miner’s BTC address to display his recent statistics: Recent history of mining payments, current profitability, active workers, recent mining stats.
It also shows user’s “Old Balance” and Repayment Program info and his BTC wallet balance at the time of the breach in December 2017. This user joined NiceHash before the breach.
Also an adversary can start mining BTCs for the user (That’s not a security issue), but He can use any text for workers and use it to try to fool miners with the text. I think miner should ‘accept’ a worker.
The security issue is because of ability to identify a BTC wallet address associated with user’s email address.
MITRE has assigned CVE-2019-6121 for this finding.
Note: These Three CVEs are in RESERVED state, they will be disclosed soon.
In order to confirm the severity of impact, I used some OSINT and performed a search in twitter with #NiceHash, I was able to find some users on twitter talking about Mining experience on NiceHash. One of them had an email as his twitter handle, [twitterhandle]@gmail.com . [Easy!!].
I tried Another user’s email with his twitter handle, Failed! I tried emails with his first name, last name combinations, Failed! After several attempts I noticed his twitter bio, which had a link to his LinkedIn profile. I was able to find his email address used for NiceHash in the Resume he uploaded on LinkedIn! It worked!
He wouldn’t have thought that his resume will lead to his recent payments (in bitcoins) earned from Cryptocurrency mining!
Dear NiceHash miners, we are happy to announce our first new release this year 👉 NiceHash Miner v126.96.36.199 is now available for download! 💪
— NiceHash (@NiceHashMining) 14 January 2019
NiceHash announced a fix in NiceHash Miner v188.8.131.52 .. It no longer accepts email address for adding BTC wallets, However, miner’s information can stll be acquired using the older version of the software, if his email address is known.
As of now [Jan-2019], NiceHash users can not change their email address, and this thing is still working in older versions!
Moral of the story:
If your Web Application and thick client are connected, you have to secure both of them.
NiceHash has decided to send a T-shirt as token of appreciation for finding out this issue!
1 December, 2018 – [Reported to NiceHash]
1 December, 2018 – [First Response from NiceHash]
“Thank you very much for bringing this potential vulnerability to our attention. Privacy of our users is very important to us, so we will take a close look into possible additional measures for validation of email address and preventing abuse of this page for harvesting valid email accounts.”
14 January, 2019 [v184.108.40.206 released with a fix and other updates]
Feel free to reach me on LinkedIn,
- Protect Your MongoDB – Story of “The Same Database” - May 21, 2019
- Crypto-Mining Marketplace NiceHash Fixed a Vulnerability Which Leaked Miners’ Information - January 27, 2019
- How to watch movies via flash drive in Sony Bravia? - July 8, 2018
- How to create a great proof of concept video? - July 8, 2018
- Temporary Solution If You Received Message That Crashed Your iPhone - February 16, 2018