Wormable Stored Cross-Site Scripting (XSS) in Alpha (New Bitcoin City)
A vulnerability existed in the Alpha SocialFi app that could result in draining user wallets and performing unauthorised transactions, with the possibility of easily spreading across the whole platform.
What is Alpha by New Bitcoin City?
According to the New Bitcoin City website, Alpha is described simply as ‘the friend.tech of Bitcoin’:
Similar to friend.tech, users can buy other users' keys to access private chat rooms and interact with them. In this case it is more like a private Twitter/X feed where users can add comments and like posts created by the channel owner.
Bug description
After setting up the account I decided to create my post with the following content: <b>Hi!</b>
which resulted in the following post displayed in the Alpha app:
To my surprise, the post content was indeed rendered in bold, meaning the HTML tags worked.
After I verified a couple more examples with HTML payloads I was certain I was allowed to inject any HTML content into the app. I had to be sneaky with this and not inject any obvious payloads, because someone who had sniped my keys was already in the private chat room, so the actual test of executing a JavaScript payload was coordinated with the Alpha team.
Based on my previous testing it looked like no filtering was implemented, so the first attempt was to simply try one of the classic harmless payloads that displays the domain context in which the script is executed:
Which resulted in JavaScript code being executed in the context of alpha.newbitcoincity.com:
Screenshots are from the desktop version for my convenience, but of course the issue also exists on mobile:
While the proof of concept may seem harmless (displaying an alert to every user viewing the post feed), the actual impact of such a vulnerability in a crypto app, especially one where a custodial wallet is used, is critical.
Attack scenario
There are multiple possible attack scenarios, from stealing user data and performing actions on the user's behalf (e.g. buying or selling keys) to fully draining the user wallet and spreading the malicious payload across the application in order to ‘infect’ and drain other users.
Sample scenario step by step:
1. An attacker creates a post or comment, containing a malicious JavaScript payload, in a channel he is a member of or owns.
2. An unsuspecting user visits the channel; he does not have to perform any interaction, viewing the page is enough.
3. The malicious payload contained in the post replicates the original malicious content from step 1 using the account of the infected user, as a post in his own channel and as comments in all other channels he is in.
4. It sells all of the infected user's keys.
5. Finally, it withdraws all the funds to an attacker-controlled external wallet.
Steps 3-5 are repeated for all other users that view posts / comments with the malicious JavaScript making it an XSS worm spreading across the application.
All of this is done without any user interaction, because wallets used in SocialFi apps like Alpha or Friend.Tech are custodial and managed by a third party for better user experience. The most famous case of such a wormable bug was on the now defunct MySpace social network: the XSS worm by Samy Kamkar. In general, even if some level of interaction is required, XSS vulnerabilities have critical severity in decentralised applications; e.g. see this description of XSS on the Rarible NFT marketplace for reference.
Fix
I reached out to the Alpha dev team immediately after I found the possibility to inject HTML, because I wanted to test a possible stored XSS scenario in their presence so they could react immediately if it turned out to be vulnerable, given the critical severity of this issue. I reached out via Twitter and Discord DMs and within a few minutes we had a private channel set up where I passed on the information about the bug.
13:10 GMT+2 24 Sep 2023 - reached out to a member of the Alpha / New Bitcoin City team via Twitter
13:19 GMT+2 24 Sep 2023 - private Discord chat with the dev team has been set up
13:23 GMT+2 24 Sep 2023 - verified and reported the stored XSS vulnerability
14:29 GMT+2 24 Sep 2023 - the team confirmed and all the details have been passed on further
16:38 GMT+2 24 Sep 2023 - confirmed that a patch for the XSS part has been implemented and sent some additional recommendations addressing HTML injection
09:15 GMT+2 25 Sep 2023 - the team informed me that the current patch is a temporary fix and they are in the process of implementing a proper, thorough solution to the issue
It is worth mentioning that the dev team was easily reachable, treated the report very seriously and addressed the issue very quickly as can be seen in the timeline.
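As an added example (not code from Alpha or New Bitcoin City, whose implementation I have not seen), this shows the two things a thorough fix for the HTML injection covers: user-supplied post content is output-encoded instead of being inserted as HTML, and posts already stored before the patch can be audited for markup the vulnerable renderer would have interpreted. The rendering template, sample posts and function names are hypothetical.

```javascript
// Added example, not code from Alpha or New Bitcoin City: output-encoding of
// user-supplied post content, plus an audit helper for already-stored posts.
// The rendering template and all function names are hypothetical.

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: content is concatenated straight into markup, so a
// post such as "<b>Hi!</b>" is shown bold and a script tag would execute.
function renderPostUnsafe(author, content) {
  return `<div class="post"><span class="author">${author}</span><p>${content}</p></div>`;
}

// Hardened rendering: every untrusted field is escaped at the point of output,
// so the same post is displayed literally as "<b>Hi!</b>".
function renderPostSafe(author, content) {
  return `<div class="post"><span class="author">${escapeHtml(author)}</span>` +
    `<p>${escapeHtml(content)}</p></div>`;
}

// Flags stored content that the vulnerable renderer would have interpreted
// as markup: any HTML tag or character/entity reference.
function containsMarkup(text) {
  return /<\s*\/?[a-z!?][^>]*>|&#?[a-z0-9]+;/i.test(text);
}

// Returns the authors of posts that need review once the fix is deployed.
function auditPosts(posts) {
  return posts
    .filter((p) => containsMarkup(p.author) || containsMarkup(p.content))
    .map((p) => p.author);
}

// Constructed sample posts, including the "<b>Hi!</b>" test from the write-up.
const samplePosts = [
  { author: "alice", content: "gm everyone" },
  { author: "bob", content: "<b>Hi!</b>" },
  { author: "carol", content: "5 &gt; 3" },
];

console.log(renderPostUnsafe("bob", "<b>Hi!</b>"));
console.log(renderPostSafe("bob", "<b>Hi!</b>"));
console.log(auditPosts(samplePosts)); // [ 'bob', 'carol' ]
```

Escaping at the output boundary removes the HTML injection entirely; if the product later needs rich text, the safe route is an allowlist sanitizer on a parsed DOM rather than a blocklist of dangerous tags.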
Conclusion
SocialFi apps are the current trend in the fast-moving crypto space. The main difference compared to traditional blockchain apps / frontends is that they all use custodial wallets for better user experience, and they are more than just a web interface to a smart contract: they allow users to post content viewed by many other people. The general rule is that all incoming user input may be malicious; there is no difference here, and attacks like this will happen if there is enough money at stake. Web3 applications are getting more complex, as is the infrastructure on which they run. More features and complexity mean a larger attack surface. With the current shift in user experience within SocialFi apps we might see more and more classical security issues in addition to bugs in smart contracts.