The tradeRifle Vulnerability Identified in Huobi OTC Service (CVE-2018-13149)
Nowadays, cryptocurrency exchanges play an important role in the crypto ecosystem. Among all exchanges, those providing Over-The-Counter (OTC) trading services attract our interest because of the convenience they offer for fiat-to/from-crypto trading. At the same time, the offline fiat exchange also poses security threats, such as chargeback fraud, in which the buyer charges back the payment from the seller after receiving the crypto assets. By analyzing most of the OTC services provided by top cryptocurrency exchanges, we found that the OTC trading service of Huobi is vulnerable to replay attacks and man-in-the-middle (MITM) attacks, which could be exploited to cause serious financial loss. Specifically, an attacker can eavesdrop on financially sensitive information of the seller and replay a message to impersonate the seller and issue a privileged operation, for example, releasing the funds without paying any fiat currency. As for the MITM attack, an attacker can fabricate the bank account of a crypto asset seller to collect the fiat currency paid by the victim buyer.
In the following, we go through the details of the vulnerable OTC service provided by Huobi. We want to highlight that upon our notification on July 4, Huobi promptly responded by issuing a security fix, preventing any damage or financial loss from being caused to its customers.
First of all, we go through the MITM attack. Before diving into the details, we need to explain how a normal fiat-to-crypto transaction works. As shown in Figure 1, the buyer needs three consecutive request/response pairs with the OTC server to initiate a transaction. After that, the buyer can make the fiat currency payment using the seller's bank account information acquired from the OTC server. Then, the buyer sends a notification to the OTC server, which is forwarded to the seller to indicate that the fiat currency payment is completed. Once the seller is notified, she checks her bank account and releases the cryptocurrency to the buyer when the fiat currency transaction is posted.
However, if all the transmissions in Figure 1 are done via HTTP instead of HTTPS, this mechanism is vulnerable to both MITM attacks and replay attacks. Specifically, as highlighted in Figure 1, a MITM attack could be launched to fabricate the bank info so that the victim buyer pays fiat to the attacker without getting any cryptocurrency back. Figure 2 demonstrates such a scenario.
Figure 3 shows the HTTP request sent by the buyer to query the seller's bank info in an experimental attack.
Figure 4 is the response in JSON format.
Our investigation indicates that the vulnerable Huobi OTC service uses a cleartext protocol. As a result, an attacker can simply modify the bank account info as highlighted in Figure 4. Moreover, another related attack scenario is the replay attack, which could be exploited to cause a severe financial loss to the seller. Specifically, by eavesdropping on one normal transaction, the attacker can extract the token and password of the seller as shown in Figure 5.
After that, the attacker can initiate another trade with that victim seller. As shown in Figure 6, the attacker could then herself release all the crypto assets that the victim seller is selling.
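A server-side check that rejects a captured and resent release request, added here as an illustration; it is not Huobi's fix and not code from PeckShield. The request fields, the per-session key and the 30-second window are assumptions, and the check complements HTTPS rather than replacing it, because a key sent in cleartext could be captured just like the token and password above.

```python
import hashlib
import hmac

MAX_SKEW = 30  # seconds a signed request stays acceptable (assumed policy)


def sign(key, user, order_id, nonce, ts):
    """MAC over every field the server acts on; the key itself is never sent."""
    msg = f"{user}|{order_id}|{nonce}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReleaseVerifier:
    """Server-side check for a hypothetical 'release funds' request."""

    def __init__(self, keys):
        self.keys = keys  # user -> per-session secret, provisioned over TLS
        self.seen = {}    # (user, nonce) -> ts of requests already accepted

    def verify(self, req, now):
        key = self.keys.get(req["user"])
        if key is None:
            return "unknown-user"
        want = sign(key, req["user"], req["order_id"], req["nonce"], req["ts"])
        if not hmac.compare_digest(want, req["mac"]):
            return "bad-mac"   # tampered field or forged request
        if abs(now - req["ts"]) > MAX_SKEW:
            return "stale"     # captured long ago
        # Forget nonces whose requests can no longer pass the freshness check.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        if (req["user"], req["nonce"]) in self.seen:
            return "replay"    # byte-identical resend inside the window
        self.seen[(req["user"], req["nonce"])] = req["ts"]
        return "ok"


def demo():
    """Constructed sample data: one genuine release and three resends of it."""
    key, t0 = b"constructed-demo-key", 1_000_000
    server = ReleaseVerifier({"seller-1": key})
    req = {"user": "seller-1", "order_id": "order-1001", "nonce": "n-1", "ts": t0}
    req["mac"] = sign(key, **{k: req[k] for k in ("user", "order_id", "nonce", "ts")})
    retargeted = dict(req, order_id="order-2002")  # same MAC, different order
    return [
        server.verify(req, now=t0 + 1),         # genuine request
        server.verify(req, now=t0 + 2),         # captured and resent
        server.verify(retargeted, now=t0 + 3),  # captured, pointed at another trade
        server.verify(req, now=t0 + 120),       # resent after the window
    ]
```

Because the order id is inside the MAC, a request captured during one trade cannot be reused to release funds for a different trade with the same seller.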
Once again, we are happy to note that upon our vulnerability report, the Huobi OTC team promptly fixed the problem. We really applaud their prompt response. Since Huobi has already upgraded the OTC service and the issue has been fixed, we choose to release the related technical details in this blog. Cybersecurity is essential to any cryptocurrency exchange, and PeckShield is here to help!
PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries, please contact us at Telegram, Twitter, or Email.
- Huobi: Announcement about Fixing the tradeRifle Vulnerabilities Identified in Huobi OTC Service, July 5, 2018