blocktrail/blocktrail-webwallet

[PHISHING] Banned IP page allows for PHISHING ATTACK on wallet.btc.com

Closed this issue · 7 comments

Attack description: A malicious actor can insert any text into the bannedIp parameter for the banned notification. This allows for several phishing strategies to be used.

Proposal: Regex check if bannedIp is either IPv4 or IPv6 address

Example malicious link:
https://wallet.btc.com/#/bannedip?bannedIp=%0A%0AYOUR%20WALLET%20IS%20LOCKED%20BY%20THE%20FBI.%0A%0ASEND%20ALL%20YOUR%20MONEY%20TO%0A1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.%0A%0ATHIS%20IS%20A%20PHISHING%20MESSAGE%20TO%20ROB%20YOU!

Looks like this:

[screenshot of the rendered banned-IP page]

Thanks for posting this, I will fix this ASAP.

Still not fixed, @lsgrep any update?

bannedIp param has to be limited to only show valid IPv4 and IPv6 IPs.

Use a regex to check the input, otherwise don't display the text.
This regex seems suitable: https://www.regextester.com/104038
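Added example of the check proposed above, written for this thread and not taken from the blocktrail-webwallet code or from the linked regextester pattern: the `bannedIp` query value is parsed out of the route hash and rendered only if it is a literal IPv4 or IPv6 address; anything else (including the percent-encoded multi-line text in the example link) falls back to a fixed notice. The function names and the fallback wording are assumptions made for this example.

```javascript
// Added example (not code from blocktrail-webwallet): render the bannedIp
// parameter only when it is a bare IPv4 or IPv6 address.

// Strict dotted-quad: each octet 0-255, no leading-zero tricks like 01.
const IPV4_OCTET = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4_RE = new RegExp(`^${IPV4_OCTET}(?:\\.${IPV4_OCTET}){3}$`);
const HEX_GROUP_RE = /^[0-9a-fA-F]{1,4}$/;

function isIPv4(s) {
  return IPV4_RE.test(s);
}

// Structural IPv6 check: up to 8 hex groups, at most one "::" compression,
// optional embedded IPv4 tail (e.g. ::ffff:192.0.2.1). A procedural check is
// used instead of one large regex so each rule is readable and testable.
function isIPv6(s) {
  // Only hex digits, colons and dots may appear; this alone rejects newlines,
  // spaces and letters outside a-f, which is what a phishing payload needs.
  if (!/^[0-9a-fA-F:.]+$/.test(s)) return false;
  const halves = s.split('::');
  if (halves.length > 2) return false;            // more than one "::"
  const groupsOf = (part) => (part === '' ? [] : part.split(':'));
  const groups = halves.length === 2
    ? [...groupsOf(halves[0]), ...groupsOf(halves[1])]
    : groupsOf(halves[0]);
  // An IPv4 tail is only legal as the final group of the whole address.
  const tailAllowed = halves.length === 1 || halves[1] !== '';
  let count = 0;
  for (let i = 0; i < groups.length; i++) {
    const g = groups[i];
    if (i === groups.length - 1 && tailAllowed && g.includes('.')) {
      if (!isIPv4(g)) return false;
      count += 2;                                 // IPv4 tail = two 16-bit groups
    } else if (HEX_GROUP_RE.test(g)) {
      count += 1;
    } else {
      return false;                               // empty or non-hex group
    }
  }
  // "::" stands for one or more zero groups, so at most 7 explicit groups.
  return halves.length === 2 ? count <= 7 : count === 8;
}

// Extract bannedIp from a route hash such as "#/bannedip?bannedIp=...".
// URLSearchParams performs the percent-decoding.
function bannedIpFromHash(hash) {
  const q = hash.indexOf('?');
  if (q === -1) return '';
  return new URLSearchParams(hash.slice(q + 1)).get('bannedIp') || '';
}

// Build the notice text. The fallback wording is an assumption for this
// example; the point is that non-IP input never reaches the page.
function bannedIpNotice(value) {
  const ip = (value || '').trim();
  if (isIPv4(ip) || isIPv6(ip)) {
    return `Your IP address ${ip} has been banned.`;
  }
  return 'Your IP address has been banned.';
}

// Usage with the malicious link from the issue (constructed sample hash):
const EVIL_HASH = '#/bannedip?bannedIp=%0A%0AYOUR%20WALLET%20IS%20LOCKED%20BY%20THE%20FBI.'
  + '%0A%0ASEND%20ALL%20YOUR%20MONEY%20TO%0A1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.'
  + '%0A%0ATHIS%20IS%20A%20PHISHING%20MESSAGE%20TO%20ROB%20YOU!';
console.log(bannedIpNotice(bannedIpFromHash(EVIL_HASH)));
console.log(bannedIpNotice(bannedIpFromHash('#/bannedip?bannedIp=203.0.113.7')));
```

Validating the value is preferable to HTML-escaping it alone: the payload in the example link contains no markup at all, only newlines and plain text, so escaping would not stop it from being displayed as a convincing message.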

hi @lacksfish, I left the team, and @jiangjinyuan is in charge of the wallet service now.

@jiangjinyuan Please give this another look. Thank you

@lacksfish Thanks for your kind reminder, I will have a look at it.

Fixed it and closed the issue.