Hive App subject to multiple security vulnerabilities

in CyberSecurity3 months ago (edited)
Authored by @gaottantacinque
This article is optimized for Desktop browsers and  Peakd

watermark.png

Image AI-generated by @karina.gpt in the Crypto Shots server

I recently volunteered to test a Hive Dapp (that won't be named at the very least until all the flagged issues are resolved).

Please find below my findings.

Use these to ensure that your own Hive frontend has protections in place for things like these.

Don't know how?

Stay tuned for my guide on how to build Secure Hive Applications !
It should be out around mid-July with links to a test repo.


1- Stored XSS (Cross-Site-Scripting)

Missing sanitization for SVG files.
The following snippet was able to trigger the code execution every time the page was visited:

<div>    
    <svg width="200px" height="200px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
        <script type="text/ecmascript">
          alert(1)
        </script>
        <circle cx="100" cy="100" r="80" fill="green"></circle>
    </svg>
</div>

To learn more about XSS vulnerabilities see:
https://owasp.org/www-community/attacks/xss


2- Open Redirect

Triggered a redirect: <meta http-equiv="refresh" content="0;URL=https://google.com">
Did not execute: <meta http-equiv="refresh" content="0;URL=javascript:alert()">

To learn more about malicious redirect see:
https://learn.snyk.io/lesson/open-redirect

Exploit:

This can be used to redirect to a page very similar to yours and it could prompt you to start any operations (eg. transfer) from your Hive Keychain masking it as a simple login.


3- Pinata Gateway token leak

This is what gets generated for all image uploads...

![](https://ipfs.VULNERABLE_DAPP.app/ipfs/QmaGDjdgPQcgpKUTEE9kD4YW9QLmLsodfQADhy51E65d46?pinataGatewayToken=nxHS...eXWH-gXCY....OOPS....XyFE)

Note the ?pinataGatewayToken URL parameter.

Impact:

  • Unauthorized Access:
     
    If someone gains access to your Pinata gateway token, they can use it to interact with your IPFS content. This could lead to unauthorized modifications, deletions, or other actions on your data.
    It’s crucial to keep your gateway tokens secure and avoid sharing them publicly.
  • Performance Issues:
     
    Public IPFS gateways, including Pinata’s public gateway, have rate limits and can be slower due to heavy usage by users worldwide.
    When you use a public gateway frequently, you might experience slower loading times for your content.
    Pinata recommends using public gateways only for testing purposes, not production apps.



Less critical ones...

4- Clickjacking

An attacker can simply embed full-screen your website as is and display an overlay with invisible fields on top of the real login fields, in order to steal users' credentials.

Or they could show an overlay with an amazing offer to subscribe to your services with a huge discount by paying with a credit card or sending funds to the attacker's account.

To learn more about clickjacking:
https://owasp.org/www-community/attacks/Clickjacking


5- Reverse Tabnabbing:

<a href="https://peakd.com" target="_blank">test</a>

None of the external links have rel=“noopener noreferrer” to protect from it.

To learn more about reverse tabnabbing:
https://owasp.org/www-community/attacks/Reverse_Tabnabbing


That's all folks.
Stay tuned for my guide on Securing your Hive Apps!


My security disclosures for Hive:
- XSS vulnerabilities in #########.com
- XSS vulnerabilities in hive-db.com
- XSS vulnerabilities in scribe.hivekings.com
- XSS vulnerabilities in hiveblockexplorer.com
- Malicious ads redirecting all Steemit iOS users to a phishing site
- Reverse tabnabbing and clickjacking in steem.chat and steeemit registration page

Other contributions:
- Universal script to prevent phishing in all Hive frontends
- Commands for community reports and ban/mute lists

 Future development:   plan

 Last report: https://peakd.com/@keys-defender/monthly-report-june-july-august-2021-hive-13323

Keys-Defender features:

- Keys protection [live scan of transfers/posts/comments/other_ops. Warnings (reply and memo), auto-transfers to savings until fully restored, auto-reset of keys, ..] {see automatic posts on leak and monthly reports}
- Phishing protection [live scan of comments and posts to warn users against known phishing campaigns and compromised domains or accounts, scan of memos and auto-replies, anti phishing countermeasures - eg. fake credentials]
- Re-posting detection [mitigates the issue of re-posters]
- Code injection detection [live scan of blocks for malicious code targeting dapps of the Hive ecosystem]
- Anti abuse efforts [counteracts spam from hive haters and milking campaigns]


To support this project..
- Delegations:  10, 50, 100
- Curation trail: join my curation trail to upvote all my posts with a fixed weight.
- Downvote trail: join my downvote trail to follow my downvotes on security threats and abuse.

- VOTE for our WITNESS !!        

 

This project is sponsored by @cryptoshots.nft
Browser-based   play-to-earn  3D Shooter on HIVE


Discord    Twitter  

#security #community #cybersecurity #tech #leo
3 months ago in CyberSecurity by
$9.80
  • Past Payouts $9.80
  • - Author $4.92
  • - Curators $4.88
298 votes
Reply 1
Sort:  
  • Trending
    • [-]
     3 months ago  

    Working on a new front end for PIMP as we speak, might have to ask you to test it out :P