How i tricked Crypto Trading Site into sending Dangerous email to it’s Users

Exploiting Crypto trading website to sending Malicious emails to its users

Cryptocurrency is a digital or virtual currency that can be converted into real-world money, making cryptocurrency trading platforms lucrative targets for scammers and malicious hackers. These platforms allow users to buy, sell, and trade popular cryptocurrencies like Bitcoin, Ethereum, Ripple, and others. Due to the high value of cryptocurrencies and the sensitive nature of user data involved, these platforms are particularly vulnerable to attacks aimed at gaining unauthorized access to funds or personal information.

The vulnerability I discovered allowed me to perform several malicious activities, such as:

Tricking users into giving up their passwords, security codes, or other sensitive information.Redirecting users to malicious websites designed to steal data or deliver malware.Injecting false information into legitimate emails, leading users to make bad decisions based on incorrect data.Tracking email activity, allowing me to determine if and when a user opened an email, potentially for further exploitation.Damaging the reputation of the targeted website by exploiting their email communication system

The flaw I discovered was an HTML and CSS injection vulnerability within the "Forgot Password" email functionality. Specifically, when a user initiated the password recovery process, the platform sent an email to the user with details such as:

The User-Agent string of the browser/device that initiated the password reset request.The IP address of the device from which the request originated.

I found that the User-Agent string was not properly sanitized or validated before being reflected back in the email body. This allowed me to manipulate the User-Agent string by injecting malicious code directly into the email.

By modifying the User-Agent string during the password reset process, I was able to inject malicious HTML and CSS code into the email sent to the user. This opened the door to several attack vectors:

Phishing Attacks: I crafted emails that appeared legitimate but contained links to phishing sites where users could unknowingly enter their credentials or personal data.Injected formContent Injection: I could modify the content of the email to display false or misleading information, such as fake security warnings or instructions that trick users into performing dangerous actions.Content injected

Email Tracking: By embedding tracking elements within the injected code, I could track whether a user had opened the email, allowing for further targeted exploitation.

Redirection to Malicious Sites: By injecting hidden redirects or malicious links, I could guide users to compromised websites designed to steal their data or deliver malware.

Tricking user into clicking link

The platform had implemented anti-phishing mechanisms, such as displaying an anti-phishing code in emails to help users verify the authenticity of communications. However, by exploiting the lack of proper sanitization on the User-Agent string, I was able to bypass these protections. This allowed me to inject malicious code that overrode the security measures and delivered the attack payload to the user’s inbox.

The impact of this vulnerability was significant:

Account Takeover: Users could be tricked into revealing their login credentials, leading to unauthorized access to their accounts and funds.Reputation Damage: The platform's trustworthiness could be undermined, as users would associate the malicious emails with the legitimate site.Malware Delivery: Redirecting users to malicious websites or inserting harmful scripts into the emails could compromise user devices.Phishing and Fraud: The vulnerability could be used to conduct sophisticated phishing attacks, harvesting sensitive information like passwords, two-factor authentication codes, and private keys.

Follow on Instagram

https://www.instagram.com/rahulkrishnan_r_panicker/