

Messages - Klq!@Gjqoqp./

1
Vulnerability Report for JokerMix.to


Vulnerability Description:


A security flaw has been identified in the wallet creation process on JokerMix.to. This vulnerability allows an attacker to manipulate the letter of guarantee by injecting unverified content into the user address field.



Steps to Reproduce:

1. Generate a token for a PHPSESSID:
   - Send a POST request to /php-back/handle-capcha.php
   - Parameters: {"isChecked":1} (in JSON)
   - Note: The PHPSESSID should be set by the attacker in the header of subsequent requests.

2. Create a wallet with injected content:
   - Send a request to /php-back/create_wallet.php?
   - Use the PHPSESSID from step 1 in the request header
   - JSON parameters:
     {
       "userAddress": "1HsM2JbyKnqwcYvEm1kLMNwJtqb6uxSczd                     Vuln: I can add some content",
       "feeRate": 12
     }

3. The injected content appears in the signed letter of guarantee, demonstrating a lack of input validation.



Potential Impact:

This vulnerability could allow an attacker to:
- Inject malicious content into the letter of guarantee
- Potentially execute XSS attacks if the injected content is displayed without proper escaping
- Compromise the integrity and reliability of the mixing system



Recommendations:

1. Implement strict input validation for the user address field.
2. Use whitelists to allow only valid characters in cryptocurrency addresses.
3. Implement proper escaping when displaying generated content.
4. Review and strengthen the PGP signature verification process for the letter of guarantee.


Proof of Concept: Exploited Letter of Guarantee

The following is an example of an exploited letter of guarantee that is valid on the "Verify Letter of Guarantee" tool at bitmixlist[.]org:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

jokermix.to
your session:
w_66d49d7fe8cc5

Payment Address:
bc1q2drz78efq5sftm0nhleallm4l0u3ff8wzpxx4m

User Address:
1HsM2JbyKnqwcYvEm1kLMNwJtqb6uxSczd                                                                                                                                                                                                                                                                             Vuln:                                                                                                        I can add some content

Additional Token:
OW0vQU1qakJ3T3d6VzVGZG94a3A3dz09OjpoYQ12kGa+HgHuTMZhrxYj

ONLY 1 TRANSACTION ALLOWED!
-----BEGIN PGP SIGNATURE-----
[signature body not preserved in this copy]
=lvMZ
-----END PGP SIGNATURE-----

This letter of guarantee demonstrates the successful exploitation of the vulnerability, allowing arbitrary content to be injected into the user address field while maintaining a valid PGP signature.

2
Security Alert: Multiple Critical Vulnerabilities Discovered on RoyalMix - Follow-up Report

Dear RoyalMix users and crypto enthusiasts,
This is a follow-up to my previous security report. I've uncovered additional critical security issues on RoyalMix that I feel compelled to share with the community.

New Issues Discovered:

Weak ID system for order retrieval
Exposure of real IP behind DDoS Guard proxy
Direct access via public IP
Vulnerabilities in Apache HTTPD 2.4.52

Consequences:

These newly discovered flaws, combined with the previously reported API token exposure, severely compromise user security and anonymity, potentially exposing transactions and personal data.

Technical Details:
  • Order IDs used to fetch user orders consist of only 6 digits, allowing only 1 million combinations
  • The server's real IP is exposed despite using a DDoS proxy
  • The site is directly accessible via its public IP, bypassing protections
  • Apache HTTPD 2.4.52 is vulnerable to buffer overflow and HTTP request smuggling attacks

Proof:

In addition to the API token issue previously reported, I've gathered concrete evidence of these vulnerabilities:

Weak Order ID system: I've observed that order IDs like 633366, 361622, and 962585 are used to fetch user orders. This 6-digit system is highly insecure and susceptible to brute-force attacks.
Censys scan results: I've attached a screenshot from Censys showing sensitive information about the RoyalMix server, including TLS certificate details and the real IP address behind the DDoS protection.

[https://ibb.co/SN3RHsq]
This screenshot reveals:

The domain name (royalmix.io) associated with the IP
ECDSA public key details
Certificate fingerprints
The real IP address: 193.203.190.80


Direct IP access: I was able to access the site directly using the IP address 193.203.190.80, bypassing the DDoS protection.
Apache version: The Censys scan confirms the use of Apache HTTPD 2.4.52, which is known to be vulnerable.

Call to Action:

In light of these new findings, I strongly urge the RoyalMix team to:
  • Address the API token exposure issue from the previous report
  • Completely revise their order identification system to use longer, more secure IDs
  • Properly configure their DDoS proxy to mask the real IP
  • Disable direct access via IP
  • Immediately update Apache HTTPD to the latest stable version
  • Conduct a comprehensive security audit of their entire infrastructure
Note: This information is shared in a spirit of responsibility and transparency. The goal is to improve security for all users. I strongly recommend immediate action on both this and the previous report's findings.

3
Security Alert: Potential Privacy Issue on RoyalMix

Dear RoyalMix users and crypto enthusiasts,
I've recently uncovered a potential privacy issue in RoyalMix's mixing process that I'd like to share with the community.

The Issue:
When creating an order, RoyalMix verifies the validity of destination addresses using the BlockCypher API. However, their implementation unintentionally exposes the API token being used.

Consequence:
It would be possible for a third party to use this token to query the API call history, potentially compromising the anonymity of mixed transactions.

Technical Details:
  • The issue is located in the 'submit-addresses.js' file
  • The 'checkBitcoinAddressInBlockchain' function sends each address to BlockCypher with the API token in plain text
  • API call: [https://api.blockcypher[.]com/v1/btc/main/addrs/${address}?token=${token}]

This information leak could theoretically allow for partial reconstruction of the mixing history.

Proof:
I've attached a screenshot to this post showing the hits (number of requests) passed through the BlockCypher API with this token. This concretely demonstrates the potential exposure of data.
[Screenshot of API hits][https://ibb.co/cCG15hp]

Call to Action:
I strongly encourage the RoyalMix team to:
  • Review their implementation to protect the API token
  • Consider safer alternatives for address verification
Note: This information is shared in a spirit of responsibility and transparency. The goal is to improve security for all users.
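The JokerMix report above (recommendations 1 and 2: strict, whitelist validation of the user address field) and the RoyalMix privacy post (safer alternatives for address verification) come down to the same control: check the address string offline, before it is signed or sent anywhere. The block below is an added example, not code from either service or from the posts; the function names are mine. It implements Base58Check (P2PKH/P2SH) and bech32/bech32m (segwit v0 and v1+) decoding and accepts a string only if it is exactly one checksum-valid mainnet address, so the payload from the JokerMix report ("1HsM2Jby... Vuln: I can add some content") is rejected before a letter of guarantee is built. The encoders are included so the validator can be exercised with constructed addresses; the two literal addresses in the tests are the well-known all-zero-hash P2PKH address and the BIP173 P2WPKH test vector.

```python
# Added example: strict offline validation of a Bitcoin address string, as a
# whitelist for the "userAddress" field. Not code from JokerMix, RoyalMix or the
# posts above; function names are my own.
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3  # BIP173 / BIP350 checksum constants


def _sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload (version byte + hash160) plus a 4-byte double-SHA256 checksum."""
    raw = payload + _sha256d(payload)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # leading zero bytes -> '1'


def b58check_decode(s: str):
    """Return the 21-byte payload, or None on bad alphabet, length or checksum."""
    if not 26 <= len(s) <= 35 or any(c not in B58 for c in s):
        return None
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    if len(raw) != 25 or _sha256d(raw[:21])[:4] != raw[21:]:
        return None
    return raw[:21]


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    """Regroup a bit stream (8->5 when encoding, 5->8 when decoding); None if padding is invalid."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def segwit_encode(hrp: str, version: int, program: bytes) -> str:
    """Bech32 (v0) or bech32m (v1+) address for a witness program."""
    data = [version] + _convertbits(program, 8, 5, True)
    const = BECH32_CONST if version == 0 else BECH32M_CONST
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ const
    chk = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32[d] for d in data + chk)


def segwit_decode(hrp: str, addr: str):
    """Return (witness_version, program) or None; mixed case and bad checksums are rejected."""
    if addr != addr.lower() and addr != addr.upper():
        return None
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90 or addr[:pos] != hrp:
        return None
    if any(c not in BECH32 for c in addr[pos + 1:]):
        return None
    data = [BECH32.index(c) for c in addr[pos + 1:]]
    version = data[0]
    want = BECH32_CONST if version == 0 else BECH32M_CONST
    if version > 16 or _polymod(_hrp_expand(hrp) + data) != want:
        return None
    program = _convertbits(data[1:-6], 5, 8, False)
    if program is None or not 2 <= len(program) <= 40:
        return None
    if version == 0 and len(program) not in (20, 32):
        return None
    return version, bytes(program)


def validate_btc_address(s):
    """Whitelist check for the address field: exactly one checksum-valid mainnet address.

    Returns a short type label, or None. Whitespace, appended text ("Vuln: ...") and
    characters outside the address alphabets all fail here, before anything is signed.
    """
    if not isinstance(s, str) or not re.fullmatch(r"[0-9A-Za-z]{26,90}", s):
        return None
    payload = b58check_decode(s)
    if payload is not None:
        return {0: "p2pkh", 5: "p2sh"}.get(payload[0])  # other version bytes: not mainnet
    if s.lower().startswith("bc1") and (dec := segwit_decode("bc", s)):
        return f"segwit_v{dec[0]}_{len(dec[1])}B"
    return None
```

A valid PGP signature on the letter only proves that the server signed whatever text it was handed, so this check has to run before the letter is assembled, not be compensated for by signature verification afterwards. For the RoyalMix case it covers the well-formedness part of what the BlockCypher call in submit-addresses.js was doing without sending each destination address, plus an API token, to a third party from the browser; it cannot say whether an address has on-chain history, and if that lookup is genuinely needed it belongs on the server with the token kept out of shipped JavaScript.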
