Hive App subject to multiple security vulnerabilities

BY: @keys-defender | CREATED: June 16, 2024, 6:31 p.m. | VOTES: 298 | PAYOUT: $9.80

This article is optimized for Desktop browsers and Peakd

[IMAGE: https://files.peakd.com/file/peakd-hive/keys-defender/23wWpaeUGCucxr39rwxbbt4WREDfKtGT7ZFp9roiHeRJPzgZM9o16RowjZoFVtq93emMN.png]

Image AI-generated by @karina.gpt in the Crypto Shots server

I recently volunteered to test a Hive Dapp (that won't be named at the very least until all the flagged issues are resolved).

Please find below my findings.

Use these to ensure that your own Hive frontend has protections in place for things like these.

Don't know how?

Stay tuned for my guide on how to build Secure Hive Applications!
It should be out around mid-July with links to a test repo.

1- Stored XSS (Cross-Site Scripting)

Missing sanitization for SVG files.
The following snippet was able to trigger code execution every time the page was visited:

    alert(1)

To learn more about XSS vulnerabilities see:
https://owasp.org/www-community/attacks/xss
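
As an added example (my own code, not the audited dApp's), the Node script below shows the two halves of a fix for this finding: an upload gate that rejects SVGs carrying script elements, event-handler attributes, javascript: or data: links, embedded documents or external <use> references, and the response headers that keep a missed variant from executing when the file is served back. The sample SVGs are constructed, and `acceptUpload` and `uploadResponseHeaders` are hypothetical names, not the dApp's API.

```javascript
// Added example (not the audited dApp's code): triage an uploaded SVG for active
// content before accepting it, and serve accepted files with headers that stop a
// script from running even if the filter missed a variant.

// Constructed sample inputs: a benign icon and three payload variants.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SCRIPT_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
const HANDLER_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>';
const HREF_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert(1)"><text y="8">hi</text></a></svg>';

// Ways an SVG document can execute or pull in code. Case-insensitive, and "\s*"
// after "<" tolerates whitespace tricks. This is a deny-list for triage, not an
// XML parser: treat a hit as "reject", never treat a miss as "proven safe".
const ACTIVE_CONTENT = [
  [/<\s*script\b/i, 'script element'],
  [/<\s*foreignObject\b/i, 'foreignObject (embeds arbitrary HTML)'],
  [/<\s*(iframe|embed|object)\b/i, 'embedded document'],
  [/\son[a-z]+\s*=/i, 'event handler attribute'],
  [/(href|xlink:href)\s*=\s*["']?\s*(javascript|data)\s*:/i, 'javascript: or data: URL'],
  [/<\s*use\b[^>]*(href|xlink:href)\s*=\s*["']?\s*(https?:)?\/\//i, 'external <use> reference'],
];

function findActiveContent(svgText) {
  return ACTIVE_CONTENT.filter(([re]) => re.test(svgText)).map(([, label]) => label);
}

// Upload gate: accept only when no active content is detected.
function acceptUpload(svgText) {
  const reasons = findActiveContent(svgText);
  return { accepted: reasons.length === 0, reasons };
}

// Defence in depth for serving the file back. The CSP forbids script execution when
// the SVG is opened as a document, nosniff stops MIME guessing, and the attachment
// disposition turns a direct visit into a download. <img src="..."> still displays
// the file, because browsers ignore Content-Disposition for subresources, and an
// SVG loaded through <img> never runs scripts anyway.
function uploadResponseHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
}

console.log(acceptUpload(SCRIPT_SVG), acceptUpload(BENIGN_SVG));
```

The gate is the weaker half: deny-lists miss encodings and new features, so the headers are what you rely on. Also never inline user SVGs into the page DOM (for example via innerHTML), because an inlined SVG runs its event handlers and javascript: links with the page's own origin; display them through <img> instead.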

2- Open Redirect

Triggered a redirect:

Did not execute:

To learn more about malicious redirect see:
https://learn.snyk.io/lesson/open-redirect

Exploit:
> This can be used to redirect to a page that looks very similar to yours, which could then prompt the user to sign any operation (e.g. a transfer) in Hive Keychain, disguised as a simple login.
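
As an added example (my own code, not the audited dApp's), here is the check a frontend should run on any "next"/"redirect" parameter before issuing a redirect. `APP_ORIGIN` is an assumed placeholder for the real origin, and the probe strings are constructed; the point is that resolving the input with the WHATWG URL parser and comparing origins handles the usual bypasses in one place instead of a string prefix check that `//evil`, `\\evil` or `https://yourapp.example.evil` would slip past.

```javascript
// Added example (not the audited dApp's code): normalise a "next"/"redirect"
// parameter so the Location header can only ever point at our own origin.
// APP_ORIGIN is an assumed placeholder for the frontend's real origin.
const APP_ORIGIN = 'https://dapp.example';

// Returns a same-origin path (path + query + fragment) or the fallback.
// Resolving with the WHATWG URL parser, then comparing origins, handles the
// usual bypasses: "//evil", "https://evil", "/\evil" (a backslash is a slash for
// http(s) URLs), "https://dapp.example.evil", "https://dapp.example@evil" and
// "javascript:alert(1)" (origin "null") all land on a foreign or null origin.
function safeRedirectTarget(next, fallback = '/') {
  if (typeof next !== 'string' || next.length === 0) return fallback;
  let url;
  try {
    url = new URL(next, APP_ORIGIN); // relative input resolves against our origin
  } catch {
    return fallback; // unparseable input is never a redirect target
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  // Re-emit only the path part, so the header is built from our origin, not the input.
  return url.pathname + url.search + url.hash;
}

// Constructed probe set: what an attacker would try in the redirect parameter.
const PROBES = [
  '/wallet',
  '/dashboard?tab=keys#top',
  '//phish.example/login',
  'https://phish.example/login',
  '/\\phish.example/login',
  'https://dapp.example.phish.example/',
  'https://dapp.example@phish.example/',
  'javascript:alert(1)',
  'https://dapp.example/settings',
];

function runProbes() {
  return Object.fromEntries(PROBES.map((p) => [p, safeRedirectTarget(p)]));
}

console.log(runProbes());
```

If the app legitimately needs to send users off-site (a Keychain download link, say), keep a short allow-list of full URLs and look the target up by key; do not widen this function to accept arbitrary hosts.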

3- Pinata Gateway token leak

This is what gets generated for all image uploads...

![](https://ipfs.VULNERABLE_DAPP.app/ipfs/QmaGDjdgPQcgpKUTEE9kD4YW9QLmLsodfQADhy51E65d46?pinataGatewayToken=nxHS...eXWH-gXCY....OOPS....XyFE)

Note the ?pinataGatewayToken URL parameter.
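
A gateway token is a bearer credential for the dApp's paid IPFS gateway, and once it has been written into published post bodies it has to be treated as public. As an added example (my own code, not the audited dApp's), the script below is a pre-publish scrub that strips credential-bearing query parameters from every link or image target in a post body and reports what it removed, so the operator knows which token to rotate. The gateway host, CIDs and token values are constructed placeholders; `scrubPostBody` and `stripSecretParams` are hypothetical names.

```javascript
// Added example (not the audited dApp's code): a pre-publish scrub for post bodies
// that strips credential-bearing query parameters from link/image URLs and reports
// what it removed so the leaked token can be rotated. Host, CID and token values
// below are constructed placeholders.

// Query parameter names that are credentials. pinataGatewayToken is the one from
// the finding; the rest are common equivalents worth catching in the same pass.
const SECRET_PARAMS = /^(pinataGatewayToken|token|access_token|api_key|apikey|key|secret)$/i;

// Remove secret parameters from one URL. Returns the cleaned URL and the removed pairs.
function stripSecretParams(urlText) {
  const url = new URL(urlText);
  const removed = [];
  for (const [name, value] of [...url.searchParams]) {
    if (SECRET_PARAMS.test(name)) {
      removed.push({ name, value });
      url.searchParams.delete(name);
    }
  }
  return { url: url.toString(), removed };
}

// Walk every markdown link/image target of the form "(https://...)" in the body.
function scrubPostBody(markdown) {
  const leaks = [];
  const cleaned = markdown.replace(/\(\s*(https?:\/\/[^\s)]+)\s*\)/g, (whole, link) => {
    let result;
    try {
      result = stripSecretParams(link);
    } catch {
      return whole; // not a parseable URL; leave it untouched
    }
    for (const r of result.removed) leaks.push({ ...r, link });
    return `(${result.url})`;
  });
  return { cleaned, leaks };
}

// Constructed sample: the kind of markdown the upload helper in the finding inserts.
const SAMPLE_BODY = [
  'Some text.',
  '![](https://ipfs.example.app/ipfs/QmExampleCid?pinataGatewayToken=SECRET-TOKEN-VALUE)',
  '![](https://ipfs.example.app/ipfs/QmOtherCid?w=400&pinataGatewayToken=SECRET-TOKEN-VALUE)',
  '[docs](https://docs.example/page?ref=1)',
].join('\n');

console.log(scrubPostBody(SAMPLE_BODY));
```

The scrub is a safety net, not the fix. The upload helper should emit the bare `https://<gateway>/ipfs/<cid>` URL and the token should live only on the server side, added by a backend proxy (or by the gateway's own access controls) when the image is fetched, so the client never sees it.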

Impact:

Less critical ones...

4- Clickjacking

An attacker can simply embed your website full-screen in an iframe, as is, and display an overlay with invisible fields on top of the real login fields, in order to steal users' credentials.

Or they could show an overlay with an amazing offer to subscribe to your services with a huge discount by paying with a credit card or sending funds to the attacker's account.

To learn more about clickjacking:
https://owasp.org/www-community/attacks/Clickjacking

5- Reverse Tabnabbing:


None of the external links have rel="noopener noreferrer" to protect from it.

To learn more about reverse tabnabbing:
https://owasp.org/www-community/attacks/Reverse_Tabnabbing
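
As an added example covering findings 4 and 5 together (my own code, not the audited dApp's), the script below shows the two response headers that stop the site from being framed, and a rewrite pass that gives every off-site anchor the rel attributes that block reverse tabnabbing. `SITE_ORIGIN` is an assumed placeholder, the HTML fragment is constructed, and `antiFramingHeaders` and `hardenExternalLinks` are hypothetical names. Current browsers already imply noopener on target="_blank" links, but the explicit attribute costs nothing, covers older browsers, and noreferrer is never implied.

```javascript
// Added example (not the audited dApp's code): anti-framing headers for every HTML
// response, plus a rewrite that adds rel="noopener noreferrer" to off-site links.
// SITE_ORIGIN is an assumed placeholder for the frontend's real origin.
const SITE_ORIGIN = 'https://dapp.example';

// Clickjacking: frame-ancestors is the current mechanism; X-Frame-Options is kept
// for browsers that predate CSP level 2. Send both on every HTML response,
// especially the login page and anything that triggers a Keychain prompt.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Reverse tabnabbing: any <a> whose href leaves our origin gets rel="noopener
// noreferrer". noopener severs window.opener in the new tab; noreferrer also
// withholds the Referer header. Existing rel tokens are preserved.
function hardenExternalLinks(html, siteOrigin = SITE_ORIGIN) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const href = /\shref\s*=\s*"([^"]*)"/i.exec(attrs);
    if (!href) return tag;
    let external;
    try {
      external = new URL(href[1], siteOrigin).origin !== siteOrigin;
    } catch {
      external = true; // unparseable target: treat as foreign
    }
    if (!external) return tag;
    const rel = /\srel\s*=\s*"([^"]*)"/i.exec(attrs);
    const tokens = new Set(rel ? rel[1].split(/\s+/).filter(Boolean) : []);
    tokens.add('noopener');
    tokens.add('noreferrer');
    const relAttr = ` rel="${[...tokens].join(' ')}"`;
    const newAttrs = rel ? attrs.replace(rel[0], relAttr) : attrs + relAttr;
    return `<a${newAttrs}>`;
  });
}

// Constructed sample fragment: one internal link, two off-site links.
const SAMPLE_HTML =
  '<p><a href="/wallet">Wallet</a> ' +
  '<a href="https://discord.example/invite" target="_blank">Discord</a> ' +
  '<a href="https://x.example/acct" target="_blank" rel="nofollow">X</a></p>';

console.log(antiFramingHeaders());
console.log(hardenExternalLinks(SAMPLE_HTML));
```

Run the rewrite on rendered post bodies as well as the app's own templates: on a Hive frontend most external links come from user-submitted markdown, which is exactly where an attacker controls the destination.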

That's all folks.
Stay tuned for my guide on Securing your Hive Apps!

My security disclosures for Hive:
- XSS vulnerabilities in #########.com
- XSS vulnerabilities in hive-db.com
- XSS vulnerabilities in scribe.hivekings.com
- XSS vulnerabilities in hiveblockexplorer.com
- Malicious ads redirecting all Steemit iOS users to a phishing site
- Reverse tabnabbing and clickjacking in steem.chat and steemit registration page

Other contributions:
- Universal script to prevent phishing in all Hive frontends
- Commands for community reports and ban/mute lists
Future development: plan
Last report: https://peakd.com/@keys-defender/monthly-report-june-july-august-2021-hive-13323

Keys-Defender features:

To support this project...

https://images.hive.blog/DQmWmRN7k741DbkG5jL19Y5h1H5tqhpHLJUtGiTgPUy3C4y/image.png

This project is sponsored by @cryptoshots.nft
Browser-based play-to-earn 3D Shooter on HIVE

https://youtu.be/H1LT1gLQZW0

TAGS: [ #security ] [ #community ] [ #cybersecurity ] [ #tech ] [ #leo ]

Replies

@enginewitty | June 17, 2024, 9:35 p.m. | Votes: 1

Working on a new front end for PIMP as we speak, might have to ask you to test it out :P
