Explore the world of cryptocurrency security in this conference talk from #NahamCon2022. Delve into a three-year journey of hacking crypto web applications, uncovering vulnerabilities in cloud wallets, and learning about the evolving landscape of digital asset protection. Discover real-world examples of security breaches, including blind XSS attacks, SQL injections, and full account takeovers affecting major platforms in the crypto ecosystem. Gain insights into the Ethereum and DeFi ecosystems, and understand the implications of various security flaws in popular services. Learn about remote code execution vulnerabilities that led to the compromise of high-value stablecoins and the takeover of critical infrastructure. Conclude with final thoughts on the state of cryptocurrency security and the importance of robust protection measures in the rapidly growing digital asset industry.
Breaking Into Cloud Wallets - Hacking Crypto Web Apps
Overview
Syllabus
Intro
Speaker background
My introduction to cryptocurrency
Blind XSS and Internal Privilege E
Blind XSS on Wyre leads to full KYC
In 2022, who owns your crypto?
SQL injection on Vulcan Forged lead Key and API Key Disclosure
Introduction of the Ethereum and Defi ecosyste
Full Account Takeover on Vercel via
uxss on nux/image library via improper parsing
Universal Open Redirect on Next.js
UXSS via Reverse Proxy loading Unrestricted
UXSS via Reverse Proxy loading Up
Instapage XSS and Subdomain Take
Improper Host Whitelisting on Gitbook
Remote Code Execution leads t compromise of 150mm market-cap stable
Remote Code Execution leads to AWS compromise of 150mm market-cap stablecoin
Full Takeover of .TO TLD leads to Compromise of USDT provisioning ser
Full Account Takeover on Crypteriun
Full Account Takeover on Roll
Final thoughts
Taught by
NahamSec
