Bitcoin Casino Accounts Exposed
Trading at about $420 each right now, Bitcoins are a hot commodity. It would be bad if a bunch of Bitcoin-holding accounts, and corresponding passwords, were to be exposed to the public.
Well, that’s exactly what happened with gambling site Coinroll.com. In March, I discovered a MongoDB, configured for public access, containing details (including password hashes) for 4,610 “accounts” and 9,668 “addresses”.
The passwords are hashed using the sha256 algorithm, so they are fairly strong from a security perspective. However, I see no indication of salting (adding random data to further strengthen the hashes).
Without salts on these hashes, many passwords could potentially be uncloaked through comparing the sha256 hash of a common password to the hash present in the database. Please note that I purposely did not crack any of the hashes found in this breach.
Through a PR representative, Juan-Samuel Codina-Fauteux, my breach notification was acknowledged by Coinroll on Wednesday, March 30th, 2016. Then an explanation email arrived on March 31st. Snippets from this communication are pasted below:
Well the admins are working on issues. There had been reports of some users getting their balance stolen. Another possible vulnerability was suspected, although nothing definitive. A few users had already been refunded.
The password are hashed with sha256, so it seems unlikely some accounts were compromised from those hashes alone, if at all. Other patched vulnerability remains the prime suspect.
The issue seems to have arisen with a ubuntu update that overwrote ufw rules from admin, leaving port open. Combined with no password being set for MongoDB, this had disastrous results. This owner that does the sysadmin/dev work admitted he was at fault for such security oversight. Now that this has been closed, he plans moving from Ubuntu to Fedora, converting to docker and audit for other possible oversights.
Marketing & Affiliate Manager
I have no concrete clues as to what the “Other patched vulnerability” could be. I have some theories though, such as the type of MongoDB injection outlined here: http://www.technopy.com/mongodb-injection---how-to-hack-mongodb.html ... But that’s just speculation on my part.
I believe that the most likely scenario behind any heist of Coinroll Bitcoins is one of two possibilities: Either (1) someone else found that exposed database before I did and compared the sha256 hashes to common passwords; or (2) someone else found the database and used the knowledge of its structure to successfully manipulate login data via MongoDB injection attacks.
Whatever the case, it looks like some Coinroll account holders may be out of luck on their digital currency. Once Bitcoins are transferred to a hacker’s wallet, it is likely impossible to recover them. You may be able to track the receiving address and maybe guess at where the funds are going by watching the Bitcoin blockchain. However, any competent attacker will have ways of quickly anonymizing the coins.
It’s somewhat amusing to realize that users of Bitcoin casinos are gambling in two different ways. First off, as expected, they are gambling on a roll of the dice. However, without realizing it, they are also gambling on whether or not the site’s security protocols are sufficient to thwart any would-be attackers.
To their credit, Coinroll did put up a news post on April 11th announcing potential security concerns and a game plan for dealing with the situation. It can be viewed here: https://coinroll.com/news .
Follow the latest security news and stay up-to-date with information about security breaches with MacKeeper Security Research Center.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher: Chris Vickery.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org