
XSS Attack Embedded in an ERC20 Token Contract Steals Thousands - brett
https://hackernoon.com/how-one-hacker-stole-thousands-of-dollars-worth-of-cryptocurrency-with-a-classic-code-injection-a3aba5d2bff0
======
meowface
>Thus, users of EtherDelta must enter their public wallet address and private
key when using the site, meaning their private key could be captured from the
browser session by a malicious code injection.

This isn't some sort of fancy cryptocontract based attack. The private key is
just stored as a JavaScript object in the session and an attacker found and
exploited a reflected XSS vulnerability to send off the key.

Even if you're not sending your private key to the server directly surely some
people must have made these users aware of the risks they were taking? Not
only XSS risks, but risks of a rogue admin or backend compromise injecting
malicious JS.

~~~
meowface
(Persistent XSS actually, but exploited similarly to a reflected XSS
vulnerability because you have to send a specific link to your victims. It has
a much higher exploitation success chance than reflected XSS since pesky
browser XSS auditors won't be able to step in.)

------
AgentME
I'm surprised and disappointed that EtherDelta doesn't use Content-Security-
Policy headers. They pretty much solve XSS.

Google has a good introduction to using them here:
[https://csp.withgoogle.com/](https://csp.withgoogle.com/)

~~~
codedokode
You will need to disable inline scripts which is inconvenient. CSP looks more
like as hack for broken sites.

~~~
AgentME
Personally and from experience, I think inline scripts are generally a bad
idea often abused for hacky one-off tweaks, so the fact that CSP blocks them
by default is a bonus to me. But for the cases that they do make sense, there
are ways to allow them with the nonce property.

CSP doesn't mean that people should forget about proper HTML encoding of user
input, but it means that when a developer messes that up somewhere, the issue
is generally a minor formatting glitch rather than an exploitable flaw that
lets attackers do whatever they want with users' browsers within your domain
(like steal thousands of dollars). It's some invaluable defense-in-depth.

------
jdp23
> I want to make one point clear: I believe that EtherDelta, in concept, is
> safer and more “trustworthy” than a traditional exchange. Everything about
> how EtherDelta functions is transparent and verifiable by users.... The
> attack detailed in this piece could have been identified by anyone before it
> was exploited, and if there had been a security review protocol in place, it
> would have been easily prevented.

Even "in concept", releasing fintech software without doing the security
basics verges on professional misconduct.

~~~
imaginenore
This blows my mind. These programmers can implement quite complex contacts-
financial-exchanges on top of a quite complex distributed system, but then
fail to sanitize user input in their web interface. It makes no sense.

~~~
mike_hearn
Well, from my blog post three days ago, discussed here:

[https://news.ycombinator.com/item?id=15321015](https://news.ycombinator.com/item?id=15321015)

"I put it to you that it’s impossible to write secure web apps."

~~~
KekDemaga
This is like saying "It's impossible to perfectly secure a bike on a city
steet" when it gets stolen because you forgot to engage the lock. I have
fuzzers that would of likely found this pretty quickly.

~~~
mike_hearn
I doubt that. What sort of fuzzer is going to create an Ethereum smart
contract of a very specific type, insert JavaScript into the contract title,
insert the contract into the Ethereum block chain, synthesise the correct URL
(which doesn't contain any JavaScript) and then detect that data from the
backend was emitted unescaped?

Someone else in this thread said, well, serves them right, they should have
used CSP, and then someone else pointed out that doesn't work for inline
scripts, and there was a reply of the form "only stupid people use inline
scripts" although this is news to me, as nearly every website I see uses
inline scripts of some form or another. This whole discussion looks like
people in denial.

The problem here is that XSS is so easy to create. A jungle of half-broken
workarounds, mitigations, static analysis tools, fuzzers etc doesn't change
the basic truth that the web is a fundamentally unsound platform on which to
do secure coding. Data and code bleed together far, far too easily - by
design.

~~~
KekDemaga
I misunderstood the design then. I assumed the XSS was done via an input on
the page not an input in Ethereum itself.

~~~
mike_hearn
The article was updated. Apparently there were two different XSS at the same
time.

One is the exploit I describe above: data taken from the block chain was not
escaped properly.

Another is a more "traditional" XSS. It was possible to format a URL such that
it contained script tags that were injected into the page.

[https://github.com/etherdelta/etherdelta.github.io/issues/14...](https://github.com/etherdelta/etherdelta.github.io/issues/143)

The reason is, the data after the hash was not escaped.

Perhaps a fuzzer would have caught that. But a good tool would make it hard to
make such mistakes by default. A desktop app would not have suffered from such
errors, by construction. The web is not a good tool.

~~~
KekDemaga
>A desktop app would not have suffered from such errors, by construction. The
web is not a good tool.

While you are correct it would not of suffered from this particular
vulnerability, a improperly utilized malloc for example could have similar if
not more disastrous effects and would be exploitable under the same threat
model. Yet I wouldn't call it a bad tool, just a tool used by an inexperienced
carpenter.

~~~
mike_hearn
Yes, but modern desktop apps tend to be written in GCd and bounds checked
languages.

------
KGIII
I read the headline and my immediate guess was cryptocurrency. I clicked and,
sure enough, there it was.

Maybe it's time to refine some of these ideas? While regular money does get
stolen, maybe storing it online isn't the best method? Maybe requiring some
human interaction is a good idea?

At this point, I can't really justify investing in any cryptocurrency. I'm
absolutely unable to justify investing in any ICO.

If I opened a contract and my PayPal balance disappeared, I'd be pretty angry
and might have some recourse. I'd absolutely have some options if it were with
my credit/debit card or directly through my bank.

Good luck, folks. I'm still going to maintain the wait-and-see approach.

~~~
srcmap
The story is almost like the 2008 time where wall street wiz kids package the
mortgages to special mortgages back securities/contacts and resell them over
and over again to banks, mutual funds, etc.

Hugh hype was created.

Last time: It was safe because it was back by mortgage.

This time: It is safe because it is back by crypto algorithm.

Last time few smart insiders got billions richer and unload everything before
the bubble burst.

And the time ...... (Love to see all imaginable endings to this time's story -
good or bad)

~~~
KGIII
In 2007, I sold my business. In 2008, I put a bunch into the stock market and
property. It was comparatively dirt cheap. I made a killing.

I'd do the same with cryptocurrency, but I can't figure out how. My 2008
investments were pretty risk-free. Of course the economy was going to recover.
It always does.

I've no idea how to do that with cryptocurrency.

~~~
mhluongo
What are you having trouble figuring out? Happy to help people into crypto

~~~
KGIII
Basically, how to bet that it is going to plummet in value and make money on
that process. I figure it's a bubble and there's going to be a popping, even
if it is done by force of law.

These ICOs are starting to make powerful people angry. Thefts like this one
are starting to get regular media coverage. At some point, probably soon, the
governments are going to come and clamp down on it.

Is there a way to long-term short Etherium or Bitcoin?

~~~
flashmob
Media coverage is negative only because that's what people like to click on. I
think government regulation will only legitimize it and bring it to the
masses.

~~~
KGIII
This very thread is about a negative. Would you rather they just ignore it?

~~~
flashmob
Ignore? No. I found the story interesting myself & there's some nice
discussion on here.

News would be boring if it wasn't for the negative stuff.

All I'm saying that one should always question the motives of the media & not
necessarily conclude a general opinion just by reading a bunch of articles
that landed on the front page.

As for the exploit itself, it's hard to believe that in this day and age XSS
is still a problem despite so many solutions & fixes for it.

~~~
KGIII
I'm not sure what is worse, the XSS or that the system allows transfer of
assets without human intervention. Probably the latter, actually. Why would a
coin system even allow that? That is, shall we say, not the best idea.

------
davewritescode
The smart contracts in Ethereum sounds awesome in practice and way more useful
than Bitcoin mining but it seems like a giant security hole.

~~~
thephyber
Kinda like a knife -- it's a very useful tool if used well and a very painful
tool if mishandled.

~~~
pdkl95
You're assuming it's _possible_ to "use well". It's _delusional_ to believe
it's possible to understand the subtle interactions within and between "smart
contracts". Even if we ignore the ambiguity of the real world, malicious
actors, and other complexity multipliers, we already know it isn't possible to
know if a "smart contract" will _halt_.

Code will _always_ have bugs, and you cannot truly understand how something
written in a Turing complete language will behave without running it.

> very painful tool if mishandled

Part of being a skilled craftsman is choosing the right tools, which includes
understanding and respecting their limits. The language for writing contracts
makes all state mutable by default, has ambiguous operators that change
behavior depending on storage location or if the operand was a literal, and
doesn't defined the order of evaluation for expressions, to name just a few of
it's design problems[1]. This isn't a "useful tool:", it's a strong indicator
of a another fractal of bad design[2].

[1]
[https://news.ycombinator.com/item?id=14810008](https://news.ycombinator.com/item?id=14810008)

[2] [https://blog.codinghorror.com/the-php-
singularity/](https://blog.codinghorror.com/the-php-singularity/)

~~~
alphast0rm
Isn't that something that can be helped by having a good standard library
though (e.g. STL)? OpenZeppelin [1] is one example that comes to mind.

There are also other contract languages aimed to solve some of the limitations
you mention, like Tezos/Michelson [2][3], which facilitate formal
verification.

The issues you point out are certainly valid, but I believe people in the
space are cognizant of them and are working on solutions.

[1] [https://openzeppelin.org/](https://openzeppelin.org/)

[2] [https://www.tezos.com/](https://www.tezos.com/)

[3]
[https://www.tezos.com/static/papers/language.pdf](https://www.tezos.com/static/papers/language.pdf)

~~~
pdkl95
While a good standard library would help, the fundamental problem
(undecidability) still exists. You could build a system that is understandable
if you _only_ use calls into a (presumably proven/tested to be safe) standard
library. At that point it would _de facto_ be a declarative language, which is
decidable iff the grammar is _not_ Turing complete[1].

It's limiting, but you can still have many of the fancier features by baking
standard versions of them into the language/stdlib itself.

> I believe people in the space are cognizant of them and are working on
> solutions.

The problem with that is that this isn't a bug or engineering problem that we
can solve with impossibly talented devs and a sufficiently large r&d budget.
Questions about any non-trivial semantic behavior of a program (such as, "will
the program halt"[2]) are known[3] too be undecidable[4].

[1] according to LangSec, the grammar needs to be deterministic context-free
(or simpler). Anything more complex is undecidable.

[2]
[https://en.wikipedia.org/wiki/Halting_problem](https://en.wikipedia.org/wiki/Halting_problem)

[3]
[https://en.wikipedia.org/wiki/Rice%27s_theorem](https://en.wikipedia.org/wiki/Rice%27s_theorem)

[4]
[https://en.wikipedia.org/wiki/Undecidable_problem](https://en.wikipedia.org/wiki/Undecidable_problem)

------
foota
Don't you also have to trust that the person running EtherDelta hasn't
modified what's running on the site...?

~~~
AgentME
If you use EtherDelta through MetaMask or Mist, then EtherDelta doesn't have
direct access to your private keys, and you're given a prompt outside of
EtherDelta's control to confirm any action you take, so you're much less
vulnerable to malicious behavior from the EtherDelta admin.

~~~
foota
Aw, so there's some local client you run that you use to do the cryptographic
bits, and the web client is just used to display results and let you navigate
things?

~~~
AgentME
Optionally yes, but EtherDelta specifically does let you instead use it in a
normal browser if you give it an Ethereum private key. The hack only affected
people who used it that way.

------
chroem-
>thousands of dollars

The article is out of date. People are saying the amount is now $6 billion.

~~~
CryptoPunk
This linked to an 'unlisted' token (a token which doesn't have enough
recognition to be 'officially listed' on Etherdelta, and thus doesn't have its
own ticker symbol), which the vast majority of token buyers have no interest
in, so there's no chance that many people were interested in purchasing it,
let alone through Etherdelta (which still has very little volume relative to
centralized exchanges).

