On 07/05/2018 at 5PM, blockchain security company PeckShield discovered that the mobile client app of the cryptocurrency exchange Coinw has a tradeRifle security loophole. Attackers can exploit the cleartext communication in some of Coinw’s functions to intercept a user’s token, use the token to execute a replay attack, and create arbitrary transaction requests, which may result in loss of the user’s assets. We reported this loophole to Coinw immediately after our attack tests. On 07/19, Coinw’s technical team informed us that they had completed the loophole repair and software upgrade. The Coinw website did not announce this loophole, and for security purposes we decided to disclose its details one month after its discovery.

The following is a detailed explanation of the loophole. First, let’s look at Coinw’s normal user login and currency trade process. As shown in Figure 1, after login the server returns the user’s token, which is then used for currency trades.

Figure 1: Normal trade process

During login, Coinw uses dual-factor verification and HTTPS to guarantee security, but it switches to HTTP once the user starts to trade, so attackers can intercept the HTTP cleartext and obtain the user’s password and token. The server does then use an HTTP 301 to redirect back to HTTPS, but by then it is too late: the user’s password and token have already been stolen, as shown in Figure 2. Using the password and token, attackers can sell the user’s assets at a low price, which may affect the entire market if there are many victims.

Figure 2: Clear text transaction request

Using the intercepted token, attackers can also send requests to Coinw’s server and retrieve the user’s other information, such as real name, ID number, etc., as shown in Figure 3.

Figure 3: Using intercepted token to get user's other information

Our analysis also found that the Coinw software has a “Sensitive information log exposure” loophole: the user’s entire communication data can be seen in the log, as illustrated in Figure 4.

Figure 4: Using logcat to examine Coinw clear text communication data
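
A defensive check for the two weaknesses described above (a token or password in the query string of a cleartext `http://` request, and the same secrets written to the device log), as an added example that is not PeckShield's or Coinw's code. The field names, host name and log lines are constructed for illustration; run it over lines captured from an app under test.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Field names treated as secrets. Assumed for this example; extend per app.
SENSITIVE = ("token", "password", "passwd", "sessionid")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Matches key=value or "key":"value" where key is one of the sensitive names.
SECRET_RE = re.compile(
    r"\b(" + "|".join(SENSITIVE) + r")\b(\"?\s*[=:]\s*\"?)([^\s\"'&,}]+)", re.I)

def audit_line(line):
    """Return sorted (finding, field) pairs for one captured log line."""
    found = set()
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # HTTPS requests are not a transport finding
        for key, _ in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in SENSITIVE:
                found.add(("cleartext-transport", key.lower()))
    for key, _, _ in SECRET_RE.findall(line):
        found.add(("secret-in-log", key.lower()))
    return sorted(found)

def redact(line):
    """Mask secret values so the line is safe to write to a log."""
    return SECRET_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", line)

def audit(lines):
    """Map 1-based line number -> findings, for lines with any finding."""
    out = {}
    for n, line in enumerate(lines, 1):
        findings = audit_line(line)
        if findings:
            out[n] = findings
    return out

# Constructed sample lines in logcat style; host, tags and fields are made up.
SAMPLE = [
    'D/Http: GET https://exchange.example/login?user=alice',
    'D/Http: GET http://exchange.example/trade?token=abc123&amount=5',
    'D/Http: response {"code":0,"token":"abc123","name":"Alice"}',
    'I/App: order book refreshed',
]

if __name__ == "__main__":
    for n, findings in audit(SAMPLE).items():
        print(n, findings, "->", redact(SAMPLE[n - 1]))
```

A `cleartext-transport` finding means the request must move to HTTPS before any secret is sent; a `secret-in-log` finding means the logging call should be removed from release builds or passed through something like `redact` first.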

Summary: So far, PeckShield’s tradeRifle loophole warning has affected three well-known exchanges: Huobi OTC[1], LBank[2], and Coinw. Fortunately, after receiving our reports, all three exchanges responded quickly and fixed the loophole. We’d like to thank them for their prompt action. This event also showed, however, that exchanges may lack the necessary security auditing procedures; we call on them to pay sufficient attention to this, or to seek help from a third-party security company, to ensure the absolute safety of customers’ assets.

About Us

PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (e.g., smart contract auditing), please contact us at Telegram, Twitter, or email.