Recently we performed a penetration test for a cryptocurrency exchange site; below is the complete case study of the engagement.
Case Study – Penetration Testing a Cryptocurrency Exchange
Introduction:
This case study concerns a start-up company in India that has launched a cryptocurrency exchange in the Indian market.
Challenges:
- The client's key business goal was to provide its customers with a safe and secure trading platform.
- The client wanted assurance that the website and the mobile application were secure and contained appropriate security controls.
- The client offered crypto coins such as Bitcoin, Ethereum, Litecoin and Ripple for trading on their platform.
- The client expected us to go beyond a basic proof of concept for identified vulnerabilities: they wanted to know whether anyone could gain access to the wallets holding cryptocurrency in order to steal from them.
ISECURION’s Approach:
- A combination of black-box and grey-box testing methodologies was used to mimic all plausible attack scenarios.
- Identified all entry points to the web and mobile platforms.
- Performed different scenario-based attacks against the exchange.
Results:
- At the initial stage of testing we found that the KYC process, in which a user uploads documents such as Aadhaar details, was vulnerable to malicious file upload, and we were able to execute shell code on the server.
- While testing for SQL injection we found that the User-Agent header was vulnerable to blind SQL injection, which gave complete access to the database.
- During the Android mobile application testing we were able to bypass the login mechanism, access other users' wallets and transfer their cryptocurrency to our own wallet.
- Complete user details, such as bank account number and IFSC code, were stored on the mobile device in clear text.
- The mobile application was vulnerable to two-factor authentication bypass.
- Users' cryptocurrency was stored in a hot wallet on the server, meaning the private keys are kept on the server; anyone who obtains those private keys can steal the coins.
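Two of the findings above, the malicious file upload on the KYC document step and the User-Agent header reaching SQL unparameterised, come from the same root cause: client-controlled input (a file body, a request header) treated as trusted. The following is an added example of a hardened KYC upload handler, written for this write-up and not ISECURION's or the client's code; the function names, the sqlite table `kyc_uploads` and the sample header values are assumptions made for illustration. It identifies the document type by magic bytes rather than by the client's filename, rejects double extensions, stores the file under a random name, and records the request's User-Agent with a bound parameter. The unsafe insert is kept alongside only to show that header text with a single quote is parsed as SQL by that path and stored verbatim by the parameterised one.

```python
"""Hardened KYC document upload handling.

Added example (not the page's or ISECURION's code). All names, the sqlite
schema and the sample inputs are assumptions for illustration only.
"""
import os
import secrets
import sqlite3

# Allowed document types, identified by leading magic bytes. Each entry is
# (magic, canonical extension, extensions the client may legitimately send).
MAGIC = [
    (b"%PDF-", "pdf", {"pdf"}),
    (b"\xff\xd8\xff", "jpg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
]
MAX_BYTES = 5 * 1024 * 1024  # 5 MiB cap for a scanned identity document


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def sniff_type(data: bytes) -> str:
    """Return the canonical extension for the content, or raise."""
    for magic, ext, _aliases in MAGIC:
        if data.startswith(magic):
            return ext
    raise UploadRejected("content is not a PDF, JPEG or PNG document")


def validate_kyc_upload(filename: str, data: bytes) -> str:
    """Validate an uploaded KYC document and return a random storage name.

    The stored file must live outside the web root and be served with
    Content-Disposition: attachment; the client-supplied filename is used
    only as a consistency check, never as the storage name.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = sniff_type(data)
    allowed = next(aliases for _m, e, aliases in MAGIC if e == ext)
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    # Exactly one extension (rejects "id.jpg.php"), and it must agree with
    # what the bytes actually are (rejects "shell.php" holding a JPEG).
    if len(parts) != 2 or not parts[0] or parts[1] not in allowed:
        raise UploadRejected(f"filename {base!r} does not match content type {ext}")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_kyc_upload(filename, data)
        return True
    except UploadRejected:
        return False


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with the assumed kyc_uploads table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kyc_uploads(user_id INTEGER, stored_name TEXT, user_agent TEXT)"
    )
    return conn


def record_upload_unsafe(conn, user_id: int, stored_name: str, user_agent: str):
    """The pattern behind the finding: header text spliced into the SQL string."""
    conn.execute(
        f"INSERT INTO kyc_uploads(user_id, stored_name, user_agent) "
        f"VALUES ({user_id}, '{stored_name}', '{user_agent}')"
    )


def record_upload_safe(conn, user_id: int, stored_name: str, user_agent: str):
    """Hardened path: bound parameters, and the header is length-capped."""
    conn.execute(
        "INSERT INTO kyc_uploads(user_id, stored_name, user_agent) VALUES (?, ?, ?)",
        (user_id, stored_name, user_agent[:512]),
    )


def stored_user_agents(conn) -> list:
    return [row[0] for row in conn.execute("SELECT user_agent FROM kyc_uploads")]


def compare_header_handling(user_agent: str):
    """Run both insert paths against a fresh database.

    Returns (unsafe_path_succeeded, all_user_agents_stored).
    """
    conn = new_db()
    unsafe_ok = True
    try:
        record_upload_unsafe(conn, 1, "a.pdf", user_agent)
    except sqlite3.Error:
        unsafe_ok = False  # the header was parsed as SQL, not stored as data
    record_upload_safe(conn, 1, "a.pdf", user_agent)
    return unsafe_ok, stored_user_agents(conn)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_kyc_upload("aadhaar.pdf", b"%PDF-1.4\n%constructed sample"))
    print(is_accepted("id.jpg.php", b"\xff\xd8\xff" + b"\x00" * 16))
    print(compare_header_handling("Mozilla/5.0 (X11; Linux) O'Reilly"))
```

The magic-byte check is deliberately narrow: anything that is not one of the three document formats the KYC flow needs is refused, which is simpler and safer than trying to enumerate dangerous types. A production handler would also run the accepted file through an antivirus scanner and re-encode images before storing them.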
Benefits:
- ISECURION minimized security risks by assessing the customer's application vulnerabilities and recommending solutions based on proven methods to enhance security.
- The depth of coverage carried out by the team and the deliverables submitted helped the client not only identify technical and process-related vulnerabilities but also understand how to fix them.
- The client complied with all regulations and gained the ability to focus on just the high-risk events and take immediate action.
In the next blog we will discuss the best security practices followed for securing a crypto exchange site.
About Manjunath NG
Manjunath is an information security enthusiast and Director at "ISECURION Technology and Consulting Pvt Ltd."
Every organization should know about this cryptocurrency VAPT.
What was your approach like? Was it similar to testing other web applications?
Hi Akshay,
The approach is a combination of web and business logic flaws based on best practices for crypto exchanges, which we have developed.
Regards,
Manju
It is accepted that digital currency will change the future of cash flow, but it seems there will be an increase in network security. Nice case study, thanks for sharing the article.
Thanks for sharing useful information. I appreciate your blog; it's very helpful for those who want to buy cryptocurrency.
We Want to Submit a High Quality Awareness Article for All Your Blockchain Users
Hello,
I have just gone through your site and was wondering whether you accept guest blog posts. We want to submit our top-quality, highly searched article on your website for all your crypto/blockchain users, and in return we would want a reference link to our website.
We are one of the leading DeFi wallet companies in Europe, offering a card, wallet and exchange.
Let us know if there is a way to submit guest posts on your website. We would love to submit our content piece on your website.
Looking forward to your reply.
Thanks & Regards,
Team Eidoo
Question from a complete noob in this world: is there a specific regulation or governing body that requires crypto exchanges to pentest regularly? Hope this makes sense, thanks.