[Exit Scam] RoyalMix.io

[Klq!@Gjqoqp./]

Security Alert: Potential Privacy Issue on RoyalMix

Dear RoyalMix users and crypto enthusiasts,
I've recently uncovered a potential privacy issue in RoyalMix's mixing process that I'd like to share with the community.

The Issue:
When creating an order, RoyalMix verifies the validity of destination addresses using the BlockCypher API. However, their implementation unintentionally exposes the API token being used.

Consequence:
It would be possible for a third party to use this token to query the API call history, potentially compromising the anonymity of mixed transactions.

Technical Details:

• The issue is located in the 'submit-addresses.js' file
• The 'checkBitcoinAddressInBlockchain' function sends each address to BlockCypher with the API token in plain text
• API call: [https://api.blockcypher[.]com/v1/btc/main/addrs/${address}?token=${token}]

This information leak could theoretically allow for partial reconstruction of the mixing history.

Proof:
I've attached a screenshot to this post showing the hits (number of requests) passed through the BlockCypher API with this token. This concretely demonstrates the potential exposure of data.
[Screenshot of API hits][https://ibb.co/cCG15hp]

Call to Action:
I strongly encourage the RoyalMix team to:

• Review their implementation to protect the API token
• Consider safer alternatives for address verification

Note: This information is shared in a spirit of responsibility and transparency. The goal is to improve security for all users.[/list]

[SamReomo]

Sorry to ask, but was this before the maintenance period? Because mine has always been translating to English even before they went offline to work on the site - as soon as I open the site it shows everything in Russian but then switches to English [this was all before the update on the site].

I don't really remember if it existed before the maintenance period or not but from other replies I also got the idea that the thing existed before the update and hasn't been fixed yet. I hope that in future we may see a quick fix for that issue meanwhile we can enjoy the site the way it is.

[notblox1]

Security Alert: Potential Privacy Issue on RoyalMix

Thank you for reporting this security issue early, RoyalMix team should fix this and update here when they finish.
Did you notice this security problem happening when you used Tor browser onion link or clearnet website?

[examplens]

This information leak could theoretically allow for partial reconstruction of the mixing history.

+ karma for you.
You are right, Blockcypher can have complete insight into all deposit addresses that are checked using their API and Royalmix token. A self-hosted solution must be sought here.

Sorry to ask, but was this before the maintenance period? Because mine has always been translating to English even before they went offline to work on the site - as soon as I open the site it shows everything in Russian but then switches to English [this was all before the update on the site].

I don't really remember if it existed before the maintenance period or not but from other replies I also got the idea that the thing existed before the update and hasn't been fixed yet. I hope that in future we may see a quick fix for that issue meanwhile we can enjoy the site the way it is.

It is probably Google Translate that is performed during loading. I would say that it is a bad practice and in general Royalmix relies too much on API from third parties. Here I also take into account what Klq!@Gjqoqp./ stated
In essence, this is not a big problem, but when it comes to a service that deals with privacy, the inclusion of third-party services should be kept to a minimum.

Code: [Select]

<link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Open+Sans:ital,wght@0,300..800;1,300..800&display=swap" rel="stylesheet">
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Inter:[email protected]&display=swap" rel="stylesheet">
    <link rel="stylesheet" href="./assets/css/main.css">
    <link href="https://cdn.jsdelivr.net/npm/nouislider/distribute/nouislider.min.css" rel="stylesheet">
    <script src="https://cdnjs.cloudflare.com/ajax/libs/wnumb/1.2.0/wNumb.min.js"></script>
    <script src="./plugs/i18next.min.js"></script>
    <script src="./plugs/i18nextHttpBackend.min.js"></script>

[Klq!@Gjqoqp./]

Security Alert: Multiple Critical Vulnerabilities Discovered on RoyalMix - Follow-up Report

Dear RoyalMix users and crypto enthusiasts,
This is a follow-up to my previous security report. I've uncovered additional critical security issues on RoyalMix that I feel compelled to share with the community.

New Issues Discovered:

Weak ID system for order retrieval
Exposure of real IP behind DDoS Guard proxy
Direct access via public IP
Vulnerabilities in Apache HTTPD 2.4.52

Consequences:

These newly discovered flaws, combined with the previously reported API token exposure, severely compromise user security and anonymity, potentially exposing transactions and personal data.

Technical Details:

• Order IDs used to fetch user orders consist of only 6 digits, allowing only 1 million combinations
• The server's real IP is exposed despite using a DDoS proxy
• The site is directly accessible via its public IP, bypassing protections
• Apache HTTPD 2.4.52 is vulnerable to buffer overflow and HTTP request smuggling attacks

Proof:

In addition to the API token issue previously reported, I've gathered concrete evidence of these vulnerabilities:

Weak Order ID system: I've observed that order IDs like 633366, 361622, and 962585 are used to fetch user orders. This 6-digit system is highly insecure and susceptible to brute-force attacks.
Censys scan results: I've attached a screenshot from Censys showing sensitive information about the RoyalMix server, including TLS certificate details and the real IP address behind the DDoS protection.

[https://ibb.co/SN3RHsq]
This screenshot reveals:

The domain name (royalmix.io) associated with the IP
ECDSA public key details
Certificate fingerprints
The real IP address: 193.203.190.80


Direct IP access: I was able to access the site directly using the IP address 193.203.190.80, bypassing the DDoS protection.
Apache version: The Censys scan confirms the use of Apache HTTPD 2.4.52, which is known to be vulnerable.

Call to Action:

In light of these new findings, I strongly urge the RoyalMix team to:

• Address the API token exposure issue from the previous report
• Completely revise their order identification system to use longer, more secure IDs
• Properly configure their DDoS proxy to mask the real IP
• Disable direct access via IP
• Immediately update Apache HTTPD to the latest stable version
• Conduct a comprehensive security audit of their entire infrastructure

Note: This information is shared in a spirit of responsibility and transparency. The goal is to improve security for all users. I strongly recommend immediate action on both this and the previous report's findings.

[Yamane_Keto]

 Klq!@Gjqoqp./ good job, If you find any Critical Vulnerabilities, it is best to share them privately and I advise RoyalMix to create a bugs campaign to encourage developers to search for vulnerabilities.

Weak Order ID system is a problem but less likely to be exploited.
The server's real IP is a serious problem and must be changed, or at least the domain redirected through it to a Tor link.
BlockCypher API is a serious problem. As long as the service cares about customer privacy, it must manage a full node and verify all transactions. Using BlockCypher not only reduces customer privacy, but may lead to address balance manipulation.

[snowpega]

<snip>

Dear, I just opened the site to check this problem, on my side I can see English words on the main page of the site but there I can see a recommendation drop-down tab by the Google Services I guess, and this shows me that translate the site from the Russian language to your desired language but the thing is that site is already in the English languages. so this is why I am thinking is it also a kind of bug or is it fine?

Also when I reload the page it again says to me translate the page from Russian to any desired language so which in my view is a kind of bug that is why I am asking if is it a bug or not or if you have the same experience as of me? Must share your opinion if you have any idea about this. Many Thanks!

[icopress]

Thanks for the answer. RoyalMix just informed me that they have fixed the problem. Validation takes place on the server, and then all information is deleted, so everything is safe. Information on the site has been updated (FAQ).

Security Alert: Potential Privacy Issue on RoyalMix

Dear RoyalMix users and crypto enthusiasts,
I've recently uncovered a potential privacy issue in RoyalMix's mixing process that I'd like to share with the community.

The Issue:
When creating an order, RoyalMix verifies the validity of destination addresses using the BlockCypher API. However, their implementation unintentionally exposes the API token being used.

Consequence:
It would be possible for a third party to use this token to query the API call history, potentially compromising the anonymity of mixed transactions.

Technical Details:

• The issue is located in the 'submit-addresses.js' file
• The 'checkBitcoinAddressInBlockchain' function sends each address to BlockCypher with the API token in plain text
• API call: [https://api.blockcypher[.]com/v1/btc/main/addrs/${address}?token=${token}]

This information leak could theoretically allow for partial reconstruction of the mixing history.

Proof:
I've attached a screenshot to this post showing the hits (number of requests) passed through the BlockCypher API with this token. This concretely demonstrates the potential exposure of data.
[Screenshot of API hits][https://ibb.co/cCG15hp]

Call to Action:
I strongly encourage the RoyalMix team to:

• Review their implementation to protect the API token
• Consider safer alternatives for address verification

Note: This information is shared in a spirit of responsibility and transparency. The goal is to improve security for all users.[/list]

[dkbit98]

Klq!@Gjqoqp./ well done!
We need more members like you in Altcoinstalsk forum, and you deserved some karma and tip donations for your contribution in finding this issues.

Did you check all other mixer services for security issues or only Royalmix?

[SamReomo]

Also when I reload the page it again says to me translate the page from Russian to any desired language so which in my view is a kind of bug that is why I am asking if is it a bug or not or if you have the same experience as of me? Must share your opinion if you have any idea about this. Many Thanks!

That's how the site works and there's no problem at your end. The site may get updated in future and then users may not see that auto-translate pop-up of Google translate, however that thing isn't a big issue as the site works flawlessly.

[PX-Z]

The Issue:
When creating an order, RoyalMix verifies the validity of destination addresses using the BlockCypher API. However, their implementation unintentionally exposes the API token being used

Good find! +1

If the reason of using blockcypher api is only to check if the bitcoin address is valid, then regex (with starting characters and characters length) should be enough to check it. Aside from that it's users responsibility to check their address is correct.

Also, mempool.space has its own api to check wallet address too but i don't think its okay to use it.

[Paragon2]

Also when I reload the page it again says to me translate the page from Russian to any desired language so which in my view is a kind of bug that is why I am asking if is it a bug or not or if you have the same experience as of me? Must share your opinion if you have any idea about this. Many Thanks!

That's how the site works and there's no problem at your end. The site may get updated in future and then users may not see that auto-translate pop-up of Google translate, however that thing isn't a big issue as the site works flawlessly.

Of all the mixer sites I've used, I find SI to be the best.  And very quickly I succeeded in mixing it, but of course google may update. Users have no problem with this as they can be assured of using this mixer with peace of mind.

[Rengga Jati]

RoyalMix pays 50% of all income generated from affiliate clients, and the minimum you can withdraw is $100. It is also great that the withdrawal is automatic once the minimum amount is reached, you should try it out if you can.

You're right. Sure, I can. $100 isn't something difficult to reach. Have you tried this, too?

I am having a hard time understanding you here, can you clarify.

I think it is not a very complicated statement. I believe you can understand it if you have the intention to read it carefully. 

Sometimes the foundation of a good Mix always speaks volume from the beginning of the platform because it will give you an insight on what there future will look like, though RoyalMix is a new Mix but without doubt it will surely become one of the best MiX in the future because already there are more interest on it, however like they said, in every successful platform there is always a good and dedicated team behind it, so of course for RoyalMix to arrive at there current state they are now on the world of Mix is obvious there team is very experienced.

I believe RoyalMix teams are experienced people in this field. They may do the same way as other mixer teams but I feel something different with RoyalMix. From the beginning, they stated that they are a premium mixer, it means they will offer something better than other mixer services. I think you will trust them as well.

[NotATether]

I believe RoyalMix teams are experienced people in this field. They may do the same way as other mixer teams but I feel something different with RoyalMix. From the beginning, they stated that they are a premium mixer, it means they will offer something better than other mixer services. I think you will trust them as well.

With that kind of thinking, anyone can slap the word "Premium" on their website and it gets a trustworthy name. For example, if I wrote "Premium Bitcoin Mixer List" instead of just "Bitcoin Mixer List".

Do you see the problem here?

All this is just marketing, it is not actually stuff that should be invoking trust. The trust comes from providing the service to the users without any issues.

[ZAINmalik75]

<snip>

Dear, I just opened the site to check this problem, on my side I can see English words on the main page of the site but there I can see a recommendation drop-down tab by the Google Services I guess, and this shows me that translate the site from the Russian language to your desired language but the thing is that site is already in the English languages. so this is why I am thinking is it also a kind of bug or is it fine?

Also when I reload the page it again says to me translate the page from Russian to any desired language so which in my view is a kind of bug that is why I am asking if is it a bug or not or if you have the same experience as of me? Must share your opinion if you have any idea about this. Many Thanks!

I also face the same issue. I don't think its a big issue because it automatically change the language after few second. And you can see we can manually change the language from the top right corner as well. Therefore I don't think its big problem and I don't that google translator is changing the language. It is being changed automatically.

You don't have to press English on the google translator on your screen it automatically changes to English after sometime. I think we should check the site by opening with Russian location set on VPN but I don't have it in my VPN don't know why. Maybe you can check by opening the site as Russian to confirm if they also see the English for few seconds.