[PHISHING] Banned IP page allows for PHISHING ATTACK on wallet.btc.com
Closed this issue · 7 comments
Attack description: A malicious actor can insert any text into the `bannedIp` parameter for the banned notification. This allows for several phishing strategies to be used.
Proposal: Regex check that `bannedIp` is either an IPv4 or an IPv6 address.
Example malicious link:
https://wallet.btc.com/#/bannedip?bannedIp=%0A%0AYOUR%20WALLET%20IS%20LOCKED%20BY%20THE%20FBI.%0A%0ASEND%20ALL%20YOUR%20MONEY%20TO%0A1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.%0A%0ATHIS%20IS%20A%20PHISHING%20MESSAGE%20TO%20ROB%20YOU!
Looks like this:
Thanks for posting this, I will fix this ASAP.
`bannedIp` param has to be limited to only show valid IPv4 and IPv6 IPs.
Use a regex to check the input, otherwise don't display the text.
This regex seems suitable: https://www.regextester.com/104038
hi @lacksfish, I left the team, and @jiangjinyuan is in charge of the wallet service now.
@jiangjinyuan Please give this another look. Thank you
@lacksfish Thanks for your kind reminder, I will have a look at it.
Fixed it and closed the issue.