Coindrawer Bug Bounty Experience

Coindrawer claims to run a Bug Bounty program, offering recognition and a Bitcoin reward to people who submit valid security issues in their platform. For some of my most recent submissions to their program, Coindrawer have ignored my requests for updates and have not honoured their bounty program. As it stands, a number of reported vulnerabilities have not been addressed by Coindrawer, leaving their customers at risk.

Update 1 May 2014 - Coindrawer fixed all outstanding issues on 26 April 2014. They have not yet committed to honouring my submissions under their program.

Update 27 July 2014 - Coindrawer have shut down their service and have honoured my submissions under their program. See more at Coindrawer Bug Bounty finale.

Update 1 May 2014

Coindrawer fixed four issues on 26 April 2014:

• JSEC1046 - Persistent DOM XSS in Success/Cancel URL on paycoin page
• JSEC1051 - Replay attack, create multiple merchant orders with one payment
• JSEC1053 - Arbitrary buy/sell exchange rate
• JSEC1065 - Non-persistent XSS in cancel_order param, buy/sell function

These issues were resolved by totally removing the underlying features and functions (Merchant pages and buy/sell function) from the platform.

Coindrawer have not yet committed to honouring my submissions under their bug bounty program.

I have made updates throughout this post to include details of JSEC1053 and JSEC1065 as their public disclosure date has been reached.

Coindrawer and their Bug Bounty program

Coindrawer is a “simple cryptocoin wallet and trading platform”. Coindrawer provides a digital wallet service to store Bitcoin and Litecoin, a trading platform to trade Bitcoin to and from Litecoin, and merchant tools to accept Bitcoin for online and offline sales. Coindrawer offers a mechanism to buy and sell Bitcoin for USD, but this feature has been suspended at the time of writing citing “banking and regulatory challenges”. Coindrawer claims to be “architected to deliver the lowest cost, most secure Bitcoin transmissions for purchases as well as Bitcoin transfers”.

Coindrawer’s Whitehat program is a Bug Bounty program that offers recognition and Bitcoin rewards for the submission of valid security issues that “[have] the potential to compromise user data or cause financial loss”.

My experience

Of the eight submissions I have made to Coindrawer’s program since November 2013, some of the more recent submissions have been ignored despite my repeated requests for updates. I have heard from others in the information security community who have experienced similar issues.

Disclosure Timeline

Due to a lack of communication and resolution of security issues, in adherence with Responsible Disclosure, I advised Coindrawer of a staged disclosure timeline such that I would publicly disclose the vulnerabilities that remained unpatched. Coindrawer were advised that they were welcome to ask for a reasonable extension to any disclosure date if they needed extra time to fix the issue.

I feel that Coindrawer was given ample opportunity to fix the issues before I advised them of my intent to disclose, as well as ample opportunity afterwards to patch the issues or to request an extension to the disclosure date if they needed more time. As of today, the first of two advised disclosure dates, they have not taken these opportunities and have expressed to me that they do not object to the public disclosure of the issues. By disclosing responsibly, and in open communication with Coindrawer, I believe this will allow customers an opportunity to take mitigating measures to help ensure the security of their Coindrawer accounts and Bitcoin balances.

Update 1 May 2014 - as of today, the second of two advised disclosure dates, Coindrawer have resolved all outstanding issues.

As follows is the timeline of all my disclosures to Coindrawer. Actions taken by Coindrawer are in bold.

NB. Some submissions descriptions are listed as TBA. This is because the public disclosure date for them has not yet been reached. Update 1 May 2014 - added descriptions of JSEC1053 and JSEC1065 as their disclosure dates have been reached.

• 19 Nov 2013 - Submission of JSEC1046 (Persistent DOM XSS in Success/Cancel URL on paycoin page)
• 21 Nov 2013 - Coindrawer acknowledges receipt of JSEC1046 submission
• 26 Nov 2013 - Submission of JSEC1047 and JSEC1048 (CSRF and resultant account DoS attack)
• 28 Nov 2013 - Coindrawer acknowledges receipt of JSEC1047 and JSEC1048 submissions. Submission of JSEC1050 (Critical, race condition allowing theft of company’s BTC)
• 30 Nov 2013 - Multiple emails to and from Coindrawer regarding JSEC1050. Coindrawer disables Send BTC functionality pending a fix.
• 4 Dec 2013 - Coindrawer sends 1 BTC reward to cover JSEC1046, JSEC1047, JSEC1048, JSEC1050
• 28 Dec 2013 - Submission of JSEC1051 (Replay attack, create multiple merchant orders with one payment)
• 30 Dec 2013 - Coindrawer acknowledges receipt of JSEC1051 submission. Notification to Coindrawer that their fix for JSEC1046 was ineffective, and an attack vector outlined in my original report still worked. No response
• 6 Jan 2014 - Submission of JSEC1053 (Provide arbitrary buy/sell exchange rate)
• 8 Jan 2014 - Submission of additional information for JSEC1053
• 15 Jan 2014 - Request for acknowledgement of JSEC1053
• 20 Jan 2014 - Coindrawer acknowledges receipt of JSEC1053
• 10 Feb 2014 - Submission of JSEC1058 (Critical, multiple cancellations of a Sell Order allowing theft of company’s BTC)
• 11 Feb 2014 - Coindrawer patches JSEC1058
• 14 Feb 2014 - Coindrawer acknowledes JSEC1058 and promises an update on other submitted issues “by the end of the week”. This is the last I hear from Coindrawer for 2 months.
• 20 Feb 2014 - Request for an update on JSEC1051, JSEC1053. No response
• 24 Feb 2014 - Coindrawer sent 0.5 BTC reward for JSEC1058
• 27 Feb 2014 - Request for an update on JSEC1051, JSEC1053. No response.
• 4 Mar 2014 - Request for an update on JSEC1051, JSEC1053. Reminder to Coindrawer that JSEC1046 is still vulnerable. No response.
• 20 Mar 2014 - Request for an update on JSEC1051, JSEC1053. No response.
• 21 Mar 2014 - Request for an update on JSEC1051, JSEC1053. No response.
• 27 Mar 2014 - Request for an update on JSEC1051, JSEC1053. No response.
• 3 April 2014 - Notification to Coindrawer of disclosure dates (17 April 2014 and 1 May 2014). Submission of JSEC1065 (Non-persistent XSS in cancel_order param, buy/sell function) and notification of disclosure date (1 May 2014) due to lack of confidence in Coindrawer’s Bug Bounty program.
• 14 April 2014 - Mike Lucente, CTO of Coindrawer acknowledges disclosure dates.
• 15 April 2014 - Discussion back and forth regarding disclosure and Coindrawer’s Bug Bounty program I remind Coindrawer that they can ask for an extension to the disclosure dates if needed. No response.
• 17 April 2014 - Public disclosure of JSEC1046 and JSEC1051, both of which are still vulnerable.
• 26 April 2014 - Coindrawer resolves all outstanding issues (JSEC1046, JSEC1051, JSEC1053, JSEC1065)
• 1 May 2014 - Public disclosure of JSEC1053 and JSEC1065.

Coindrawer’s response to Responsible Disclosure notification

Mike Lucente, CTO of Coindrawer, said 13 April 2014:

Knock yourself out, dude

Some discussion between us followed, in which it was suggested that I had made threats. I explained:

I said, 15 April 2014:

I haven’t threatened you. If you’re referring to my intent to follow Responsible Disclosure, it’s a recognised and ethical procedure for handing security issues. It benefits users by allowing them to mitigate against vulnerabilities that they don’t know about, but that criminals may have developed in parallel to ethical security professionals.

Mr Lucente then asked me to resubmit my issues (which were clearly referred to in my disclosure notice email) and he would “have a look”. I did so, reminding him that Coindrawer can ask for an extension to the disclosure of any bug that they need reasonable extra time to fix. I have not heard from Coindrawer since.

The series of emails from Mr Lucente heavily suggest that Coindrawer do not intend to commit to their Bug Bounty program. Furthermore, the lack of remediation for known vulnerabilities leaves Coindrawer’s customers vulnerable to security flaws in the platform.

My request to Coindrawer

Coindrawer, with respect, I ask that you:

1. Make good with any Bug Bounty participant who has faithfully participated in your program. You publicly stated that you would reward submitters of valid security issues. It appears to me as though others have had similar experiences to mine - their submissions were ignored, and in some cases you even took action on their submissions without recognising their efforts. Do the right thing for the professionals who participated in the program, contributing their time and skills to securing your company’s services.
2. Fix the security issues that you have been notified of. By not addressing them, you leave your platform vulnerable, placing your customers’ funds at risk. They expect (and deserve) better than this, and Bitcoin has been troubled enough already by security issues and theft of funds. Update 1 May 2014 - Coindrawer have remediated all outstanding vulnerabilities that I have reported.
3. If you are no longer interested in operating a Bug Bounty program, please remove your Bug Bounty page. It isn’t fair to waste the time and ignore the efforts of honest security professionals, and I believe your program harms the credibility of Bug Bounty programs.

I have a series of posts regarding Coindrawer:

• Coindrawer Bug Bounty experience
• JSEC1046 - Coindrawer Persistent DOM XSS Disclosure (Paycoin Feature)
• JSEC1051 - Coindrawer Payment Replay Disclosure, Create Multiple Merchant Orders
• JSEC1053 - Coindrawer Provide Arbitrary Exchange Rate Disclosure
• JSEC1065 - Coindrawer Non-persistent XSS Disclosure (Buy/sell Orders Feature, Cancel_order Param)
• Coindrawer Bug Bounty finale