Episode Transcript
[00:00:00] Out of cycle update, a secure cryptocurrency exchange or just a bunch of script kiddies? Cryptotalk FM. My name is Lyster. I'm your host. Kraken, the cryptocurrency exchange that bowed down to the SEC a little while ago, has been making changes to their interface. They changed away from the legacy, actually user friendly interface that has been increasingly moving people to a more, quote, pro user interface, which I called out when I did my initial review and then follow on review of Kraken overall. And I said, at the end of the day, I don't think these are good changes. In my opinion, there's nothing wrong with the exchange. I thought it was a decent exchange, at least till now, but I was not a fan of the changes per se. Turns out they just recently lost $3 million. I'll repeat, they just recently lost $3 million. Turns out that they lost $3 million by way of some security investigators. Here's the story. Apparently they had some researchers they hired to do an assessment on the site and everything else with some of the recent interface, the front end, what you see, changes to the site. These people were able to identify that because of what I can only describe as childish code, and I'll tell you a story about that here in a second, they were able to essentially print money out of thin air that didn't exist. They were able to affect their own balances, make changes to the balance that were actually committed live back to the back end. Quote: Our team, so this is now this organization, our team identified a flaw in the change that credited accounts prematurely, allowing users to trade in real time before asset clearance. This change was not adequately tested against this specific vulnerability. So a malicious attacker could effectively print assets in their Kraken account. End quote. Turns out now they fixed it. Three accounts were stealing money. These security researchers took $3 million from this situation.
[00:02:02] As a security researcher, this is now a different company, a security researcher: Your license to hack a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your license to hack and makes you and your company criminals. So the security researcher comes in as part of what's referred to as a bug bounty. The bug bounty is put out by companies all the time. The intent is for them to actually find issues. What you're not supposed to do is actually exploit those issues to your advantage. So these guys came in with Kraken saying there's a bounty, probably $10,000 or some small amount. They found this breach, which I'll tell you about in a second, and they exploited it to the tune of $3 million. Let's talk about the breach, the so called hack, the so called vulnerability. And I'm going to go back to an old story. That's why I laughed a little bit. There used to be a real big surge in web based games, and Kabam was one that was putting on a lot of these web based games, you know, so you go to a website and it's got a game. There's like a Godfather: Five Families, or whatever that was. And there was one for the Lord of the Rings, there's one for all these different movies, but they're just web based games.
[00:03:13] Depending on how you write the code for the website, for the game, what would happen is there's a communication that has to happen from what you see back to the back end, so databases, servers, etcetera, and then back to you. So, for example, you get more gold after you did something or whatnot. And people were able to find, and when I tell this story, I'm talking as far back as like 2013, I'm pretty sure it's the first time I was seeing some of this, people were able to find that by manipulating some of the code on the front end that you see, you were able to override what was sent back to the server and commit it as if it was legit. So if you think of a game, you're essentially cheating to give yourself, you know, hundreds of thousands of dollars of gold in game assets, or free to play games, right? You hack yourself to get more gems, think Candy Crush or something. You hack yourself to give yourself more currency, but you're doing it in the web code that's designed to communicate to the back end. You're not supposed to be able to do that, though. What should happen is there should be some sort of a synchronization on the back end that always tracks how much was issued by the server at any given time and then only allows edits on the back end, never on the front end. In this case with Kraken, what's being described is that the front end was allowing edits when it was not supposed to. And that's childish in how simple it is to do so. I chuckled a little bit because this is, again, the same company that bowed down to the SEC, the same company that's been making these changes I wasn't really a fan of. I said that it was fine to trade, but I saw fundamental flaws in what was going on. This seems to be one of them. So if you're in Kraken, your assets are not harmed. They are going after the people who stole money, got their token took from these folks.
They're going after them as a criminal situation because it's essentially a form of theft in what they did, especially because they didn't report the issue, they didn't report the bug. They just took the money, got enriched off of it. And I know it's kind of difficult to envision how this could happen.
[00:05:21] All I can tell you is this was, as stated in the quote here, not tested adequately, what's called security based testing. You gotta test to make sure it's hard.
[00:05:34] The bug bounty was designed to find it, but you as a company, you still have to do your own internal testing against basic interaction things and basic exposure things. You should do something. If Kraken just handed it off to the security researchers, having done no internal security testing, that's an indictment on them. And I would say, not that anybody trading deserves this, because you don't, but Kraken deserves to get slapped in the face, leadership. Somebody should lose their job inside Kraken, frankly, for putting code out that allows such a breach of utilis. Tokens get took in this manner.