Denied Again Security Disclosure: Exposure of Platform Functionalities and Partner Services on Blockchain.com
The following is a writeup on a major issue with the security of Blockchain.com.
Report submitted to Blockchain on January 8, 2024, 1:22pm UTC.
Summary: The attempted request to https://www.blockchain.com/Resources/wallet-options.json reveals pertinent security insights into the services offered by the blockchain platform. The retrieved JSON payload contains various endpoints, configurations, and features associated with the platform’s wallet functionality and partner services.
Findings:
Endpoint Details: Blockchain services are distributed across several root domains, including blockchain.info and blockchain.com. Several API endpoints are exposed for wallet management and for buying and selling cryptocurrencies, and a WebSocket service is available for real-time interaction with the blockchain network.
Geographical Restrictions: Features such as buying and selling cryptocurrencies are subject to geographical restrictions across multiple countries.
Partner Services: Partner services (Coinify, SFOX and Unocoin) each offer specific functionality in particular countries, with their own limitations and configuration. Qualtrics survey links are used for user feedback and engagement within these partner flows.
Cryptocurrency Support and Operations: The payload shows support for cryptocurrencies such as Bitcoin, Ethereum and Stellar Lumens, including their respective functionality and network details.
Security Measures: Restricted addresses are used for specific operations such as exchange, lending and rewards, indicating controls around fund management.
Mobile and Web Services: The mobile and web configuration covers wallet functionality and updates, including service alerts, rebranding information and maintenance status.
Vulnerability Exposure: The retrieved data does not directly indicate a security vulnerability, but the exposure of this many service endpoints and partner configurations could lead to exploitation if they are not properly secured.
Recommendations:
Endpoint Security: Implement stringent access controls and regular security audits to protect the exposed endpoints.
Geographical Restrictions: Continuously monitor and update geographical restrictions to comply with regulatory requirements.
Partner Service Security: Ensure robust security measures are in place for partner integrations and review those integrations regularly for vulnerabilities.
Cryptocurrency Security: Strengthen the security protocols for managing cryptocurrency addresses and transactions.
User Communication: Clearly communicate any service disruptions or maintenance to users, for transparency and trust.
Conclusion: The retrieved data gives a comprehensive overview of the platform's services, revealing its functionality, geographical restrictions and partner integrations. Robust security measures across the exposed endpoints, partner services and cryptocurrency operations are imperative to maintain user trust and data integrity, and regular security assessments and proactive measures are essential to mitigate potential vulnerabilities and keep the ecosystem secure for users.
Impact
The exposure of such detailed information could aid adversaries in understanding the platform’s infrastructure, partner integrations, and geographical restrictions, leading to potential exploitation of services and user data.
```json
{
  "enableDomainMigrationRedirects": true,
  "domains": {
    "root": "https://blockchain.info",
    "comRoot": "https://www.blockchain.com",
    "comWalletApp": "https://login.blockchain.com",
    "webSocket": "wss://ws.blockchain.info/inv",
    "api": "https://api.blockchain.info",
    "walletHelperUrl": "https://wallet-helper.blockchain.com",
    "stellarHorizon": "https://api.blockchain.info/stellar"
  },
  "network": "bitcoin",
  "showBuySellTab": ["GB", "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "GF", "DE", "GI", "GR", "GP", "GG", "HU", "IS", "IE", "IM", "IT", "JE", "LV", "LI", "LT", "LU", "MT", "MQ", "YT", "MC", "NL", "NO", "PL", "PT", "RE", "RO", "RO", "BL", "MF", "PM", "SM", "SK", "SI", "ES", "SE", "CH", "IN", "US"],
  "buySell": { "disabled": false },
  "partners": {
    "coinify": {
      "disabled": false,
      "countries": ["GB", "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "GF", "DE", "GI", "GR", "GP", "GG", "HU", "IS", "IE", "IM", "IT", "JE", "LV", "LI", "LT", "LU", "MT", "MQ", "YT", "MC", "NL", "NO", "PL", "PT", "RE", "RO", "BL", "MF", "PM", "SM", "SK", "SI", "ES", "SE", "CH"],
      "partnerId": 19,
      "iSignThisDomain": "https://verify.isignthis.com",
      "surveyLinks": [
        "https://blockchain.co1.qualtrics.com/SE/?SID=SV_8pupOEQPGkXx8Kp",
        "https://blockchain.co1.qualtrics.com/SE/?SID=SV_4ZuHusilGeNWm6V",
        "https://blockchain.co1.qualtrics.com/SE/?SID=SV_1RF9VhC96M8xXh3"
      ],
      "sellSurveyLinks": [
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_56iZITjrjyMOrzL",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_9u8XxkrkiUUy6z3",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_9ysiGRC4rkMFwFv"
      ],
      "showSellFraction": 1,
      "showRecurringBuy": true
    },
    "sfox": {
      "disabled": false,
      "production": true,
      "countries": ["US"],
      "states": ["AZ", "CA", "CO", "DE", "ID", "IN", "IL", "KS", "KY", "MD", "ME", "MA", "MI", "MO", "MT", "OH", "PA", "SC", "TN", "TX", "UT", "VA"],
      "showBuyFraction": 0.05,
      "inviteFormFraction": 0,
      "showCheckoutFraction": 0,
      "apiKey": "f31614a7-5074-49f2-8c2a-bfb8e55de2bd",
      "plaid": "0b041cd9e9fbf1e7d93a0d5a39f5b9",
      "plaidEnv": "production",
      "siftScience": "a19cc360a1",
      "surveyLinks": [
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_bPCcv7eZgqlQSrP",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_4HIEh5KIodM8UTP",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_51qOIk4EXHshNFX",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_4GEMndhhy58lapT"
      ],
      "buySurveyLinks": [
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_8G431wYyJnciCHj",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_78S6RzM5ipN66fb"
      ]
    },
    "unocoin": {
      "countries": ["IN"],
      "showCheckoutFraction": 0,
      "production": true,
      "surveyLinks": [
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_0wAlAEnwlumr4XP",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_8jmvSfjqqPzNWVn",
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_25JUYJLoLoHQ5b7"
      ],
      "surveyTradeLinks": [
        "https://blockchain.co1.qualtrics.com/jfe/form/SV_87YRZx6LVdaF4kR",
        "",
        "https://docs.google.com/forms/d/e/1FAIpQLSfzk27LixcjpCiLn5BlhZHDLqG6mXiZgPA-b1T0fFCWpyxqAA/viewform"
      ],
      "disabled": true
    }
  },
  "service_charge": {},
  "ethereum": {
    "mew": true,
    "countries": "*",
    "rolloutFraction": 1,
    "lastTxFuse": 86400,
    "surveyLinks": [
      "https://blockchain.co1.qualtrics.com/jfe/form/SV_7Q987NPvIT4f6xn",
      "https://blockchain.co1.qualtrics.com/jfe/form/SV_b8A9pKaGE30Qb9X"
    ]
  },
  "shapeshift": {
    "apiKey": "b7a7c320c19ea3a8e276c8921bc3ff79ec064d2cd9d98ab969acc648246b4be5ab2379af704c5d3a3021c0ddf82b3e479590718847c1301e1a85331d2d2a8370",
    "statesWhitelist": ["AR", "AZ", "CA", "CO", "ID", "IL", "IN", "KS", "KY", "LA", "MA", "MD", "MI", "MN", "MO", "MT", "NE", "NV", "OK", "PA", "SC", "SD", "TN", "TX", "VA", "WI", "WV"],
    "countriesBlacklist": ["BD", "BO", "EC", "JP", "JO", "KG", "KP", "PH"],
    "rolloutFraction": 1,
    "upperLimit": 750,
    "surveyLinks": [
      "https://blockchain.co1.qualtrics.com/jfe/form/SV_1MuVnVEtWhiVIQl",
      "https://blockchain.co1.qualtrics.com/jfe/form/SV_3QV1OgysGUC0hXD"
    ],
    "disabled": false
  },
  "bcash": { "feePerByte": 4 },
  "xlm": { "operationFee": 1500, "sendTimeOutSeconds": 600 },
  "xlmExchange": {
    "exchangeAddresses": [
      "GA4BYMUO5D7OLGVJWZ2D5FCWU7SB63FNZ4QUU574SMNA6ELK5TZD3SO3",
      "GA5XIGA5C7QTPTWXQHY6MCJRMTRZDOSHR6EFIBNDQTCQHG262N4GGKTM",
      "GABSZVZBYEO5F4V5LZKV7GR4SAJ5IKJGGOF43BIN42FNDUG7QPH6IMRQ",
      "GAHK7EEG2WWHVKDNT4CEQFZGKF2LGDSW2IVM4S5DP42RBW3K6BTODB4A",
      "GAW4E6NGM4NPNX2LO2BKDPCCTUX3FJLKWHPU4VQPGBIBQGD6JTVF5C7C",
      "GAWPTHY6233GRWZZ7JXDMVXDUDCVQVVQ2SXCSTG3R3CNP5LQPDAHNBKL",
      "GB3RMPTL47E4ULVANHBNCXSXM2ZA5JFY5ISDRERPCXNJUDEO73QFZUNK",
      "GB6YPGW5JFMMP2QB2USQ33EUWTXVL4ZT5ITUNCY3YKVWOJPP57CANOF3",
      "GB7GRJ5DTE3AA2TCVHQS2LAD3D7NFG7YLTOEWEBVRNUUI2Q3TJ5UQIFM",
      "GBKTJSNUSR6OCXA5WDWGT33MNSCNQHOBQUBYC7TVS7BOXDKWFNHI4QNH",
      "GBOEEVARKVASOQSSXCAHNTGJTVALJE2QM3AQQ2K3VXACQ6JJREQRJZKB",
      "GBSTRH4QOTWNSVA6E4HFERETX4ZLSR3CIUBLK7AXYII277PFJC4BBYOG",
      "GBSTRUSD7IRX73RQZBL3RQUH6KS3O4NYFY3QCALDLZD77XMZOPWAVTUK",
      "GBTBVILDGCOIK26EPEHYCMKM7J5MTQ4FD5DO37GVTTBP45TVGRAROQHP",
      "GBUQWP3BOUZX34TOND2QV7QQ7K7VJTG6VSE7WMLBTMDJLLAW7YKGU6EP",
      "GBV4ZDEPNQ2FKSPKGJP2YKDAIZWQ2XKRQD4V4ACH3TCTFY6KPY3OAVS7",
      "GBVOL67TMUQBGL4TZYNMY3ZQ5WGQYFPFD5VJRWXR72VA33VFNL225PL5",
      "GBWZHAVWY23QKKDJW7TXLSIHY5EX4NIB37O4NMRKN2SKNWOSE5TEPCY3",
      "GC4KAS6W2YCGJGLP633A6F6AKTCV4WSLMTMIQRSEQE5QRRVKSX7THV6S",
      "GCGNWKCJ3KHRLPM3TM6N7D3W5YKDJFL6A2YCXFXNMRTZ4Q66MEMZ6FI2",
      "GCLDH6L6FBLTD3H3B23D6TIFVVTFBLZMNBC3ZOI6FGI5GPQROL4FOXIN",
      "GCNSGHUCG5VMGLT5RIYYZSO7VQULQKAJ62QA33DBC5PPBSO57LFWVV6P",
      "GCO2IP3MJNUOKS4PUDI4C7LGGMQDJGXG3COYX3WSB4HHNAHKYV5YL3VC",
      "GCVBUIXKKLH2DYHZRSLZUIZSVJUL74RTW6FVCCEYB2OE3RH7RVDBPCFG",
      "GCXDR4QZ4OTVX6433DPTXELCSEWQ4E5BIPVRRJMUR6M3NT4JCVIDALZO",
      "GDBCHKTHJUKDGSIQSTBUXFWVP3QVART5LED6KRZQ5X4Z5WLT4BGYXWCI",
      "GDMXNQBJMS3FYI4PFSYCCB4XODQMNMTKPQ5HIKOUWBOWJ2P3CF6WASBE",
      "GDRSWSKJCIB6Z65UA7W5RG62A7M5K3A5IHMED6DYHLPLWLVQCOOGDQ7S",
      "GDU2FEL6THGGOFDHHP4I5FHNWY4S2SXYUBCEDB5ZREMD6UFRT4SYWSW2",
      "GDZCEWJ5TVXUTFH6V5CVDQDE43KRXYUFRHKI7X64EWMVOVYYZJFWIFQ2",
      "GDP34WXZRCSHVUDQLGKJKOBMS5LOQPHCIADZU5POEF3IICZ7XNQJ65Y6",
      "GARAR5QR7WRL24MQMSO4INWV7C5SE4EE2YVXTLD6ORONYFHSUAGZYSLN",
      "GCWYV4ZICBNDYJ3HE7GHPF3MJPIH63QNCWYPFTC5BQOIODUEI7HJBJVS",
      "GDQP2KPQGKIHYJGXNUIYOMHARUARCA7DJT5FO2FFOOKY3B2WSQHG4W37",
      "GBQ6RTEHEHXFPKSWCIM4KSVQXBANLFMVV6FJIZDLTF3ZOGFHTBDZUYDD"
    ]
  },
  "showMobileLogin": true,
  "iosBuyPercent": 1,
  "androidBuyPercent": 1,
  "mobile": { "walletRoot": "https://blockchain.info/wallet-buy-sell" },
  "android": { "showUnocoin": false, "showShapeshift": true, "showSfox": false },
  "android_update": { "updateType": "RECOMMENDED", "latestStoreVersion": "6.27.2" },
  "ios": {
    "update": { "updateType": "none", "latestStoreVersion": "" },
    "showShapeshift": true,
    "showSfox": false
  },
  "hotWalletAddresses": {
    "swap": { "eth": "0xC88F7666330b4b511358b7742dC2a3234710e7B1" },
    "exchange": { "eth": "0x9AA65464b4cFbe3Dc2BDB3dF412AeE2B3De86687" },
    "simplebuy": { "eth": "0x23f4569002a5A07f0Ecf688142eEB6bcD883eeF8" },
    "lending": { "eth": "0x67f889e6C1CE3E817705E00D528eB7F8be492B9E" },
    "rewards": { "eth": "0xA00E2A7652248AbEb209398227DAE413E9479e52" }
  },
  "web": {
    "serviceAlert": {
      "public": {
        "id": "blockchain-rebrand",
        "type": "info",
        "icon": "",
        "hideType": "dismiss",
        "header": { "en": "We're now Blockchain.com" },
        "action": {
          "title": { "en": "Learn more" },
          "link": "https://medium.com/blockchain/ushering-in-a-new-era-with-a-new-name-blockchain-com-17101e1bc198"
        }
      }
    }
  },
  "webHardFork": {},
  "maintenance": false,
  "mobileInfo": { "en": "We are experiencing an outage with the wallet. Please rest assured your funds are safe." }
}
```
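The practical question a defender takes from a payload like this is which of its values belong in a public client config (feature flags, country lists, URLs, public addresses) and which deserve a second look before the file is served. The script below is an added example, not part of the original report: it walks a config of this shape, reports string values that sit under credential-looking key names or are long high-entropy blobs (public addresses also trip the entropy check, so each hit carries its reason for the reviewer), and flags country codes listed twice, as the payload above does for RO. The sample is constructed; the credential values are placeholders and the ETH address is the one quoted in the payload.

```python
import json, math, re
# Constructed sample mirroring the wallet-options.json quoted above; credential
# values are invented placeholders, the ETH address is the one from the payload.
SAMPLE = json.loads("""{
  "domains": {"root": "https://blockchain.info"},
  "showBuySellTab": ["GB", "AT", "RO", "RO", "US"],
  "partners": {"sfox": {"countries": ["US"], "apiKey": "00000000-0000-4000-8000-000000000000",
                        "plaid": "0123456789abcdef0123456789abcd", "showBuyFraction": 0.05},
               "unocoin": {"countries": ["IN"], "disabled": true}},
  "hotWalletAddresses": {"swap": {"eth": "0xC88F7666330b4b511358b7742dC2a3234710e7B1"}}}""")
# Key names that normally carry a credential rather than a feature flag.
SECRET_KEY_RE = re.compile(r"api[_-]?key|secret|token|password|plaid|sift", re.I)

def walk(node, path=""):
    """Yield (dotted_path, value) for every scalar in a nested JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node

def shannon_entropy(s):
    """Bits per character; long high-entropy strings look like keys or addresses."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def review_candidates(cfg):
    """(path, reason) for strings a reviewer should classify before the file goes public."""
    hits = []
    for path, value in walk(cfg):
        if not isinstance(value, str) or value.startswith("http"):
            continue  # URLs are expected in a public client config
        key = path.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(key):
            hits.append((path, "key-name"))
        elif len(value) >= 20 and shannon_entropy(value) > 3.5:
            hits.append((path, "entropy"))
    return hits

def duplicate_codes(cfg, key):
    """Codes listed more than once under cfg[key] (the payload above repeats RO)."""
    seen, dups = set(), []
    for code in cfg.get(key, []):
        if code in seen and code not in dups:
            dups.append(code)
        seen.add(code)
    return dups
```

Run against the full payload, the key-name rule is what separates the SFOX and ShapeShift apiKey, plaid and siftScience values from the surrounding feature flags; the entropy hits are the hot-wallet and exchange addresses, which are public by design.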
HackerOne triage closed the report and changed the status to Informative.
Hey @dbms,
Thank you for your report!
After review, there doesn’t seem to be any significant security risk and/or security impact as a result of the behavior you are describing.
The following vulnerability doesn’t have significant security impact and would be considered as below threshold moving forward.
As a result, we will be closing this report as informative. If you are able to leverage this into a practical exploitation scenario, we will be happy to reevaluate this report.
This will not have any impact on your Signal or Reputation score. We appreciate your effort and look forward to seeing more reports from you in the future.
Kind regards, @h1_analyst_dmitry