Withdrawal vulnerabilities enabled bitcoin theft from Flexcoin and Poloniex

The flaws allowed hackers to overdraw accounts on the two websites without being detected

By Lucian Constantin, IDG News Service |  IT Management

Hackers found security weaknesses that allowed them to overdraw accounts with Flexcoin and Poloniex, two websites that facilitate bitcoin transactions, and exploited them to steal bitcoins from the two services. The attacks put Flexcoin out of business and cost Poloniex's users 12.3 percent of their bitcoins.

Flexcoin, which described itself as the "world's first bitcoin bank," announced Monday that it was closing down after hackers stole 896 bitcoins worth around US$600,000 from its "hot wallet" -- a bitcoin wallet connected to the Internet. The company released more details about the hack in an update posted on its website late Tuesday.

The attacker first created a new Flexcoin account and deposited some bitcoins into it, Flexcoin said in the update. He then "successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to 'move' coins from one user account to another until the sending account was overdrawn, before balances were updated. This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins."

The company described the vulnerability as a flaw in its front-end, but did not clarify why its system didn't account for overdrawing.

"The description from Flexcoin reminds me of vulnerabilities I used to see in online banking applications 10 years ago," said Amichai Shulman, CTO of security firm Imperva, via email. "An individual vulnerability is excusable, not having monitoring in place to timely detect it is not."

"Without more details, it's hard to say exactly how complex the condition was, but the fact that it required multiple active accounts and requests does make it less likely that they would have found this condition through basic testing," said Tim Erlin, director of security risk strategy at security firm Tripwire, via email.

However, whether the vulnerability was complex or basic is not as important as the impact it had, Erlin said. "The seriousness of the flaw is evidenced by the impact: Flexcoin is out of business."

A bitcoin exchange called Poloniex also announced Tuesday that an attacker stole 12.3 percent of its funds using a technique that resulted in overdrawn accounts. However, it's not clear if the attack is related to the one against Flexcoin.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

IT ManagementWhite Papers & Webcasts

Webcast On Demand

Data Breaches - Don't Be a Headline

Sponsor: Absolute Software Corporation

White Paper

PCI 3.0 Compliance

See more White Papers | Webcasts

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness