Security specialists announced that they discovered numerous vulnerabilities in the open-source libraries used by various crypto exchanges and financial institutions – which could be exploited by hackers looking for a way into users’ wallets.
At a recent Black Hat cybersecurity conference, experts said that some of the issues that affected exchanges have now been fixed – but insisted that others still pose a threat to their owners.
Jean-Philippe Aumasson, the co-founder of crypto exchange technology firm Taurus Group and Vice President at Kudelski Security, made a note of the vulnerabilities discovered by Omer Shlomovits, co-founder of mobile wallet maker ZenGo, into three categories of attacks, reported Wired.
The first type of attack needs hackers to use an insider at one of the markets to exploit a vulnerability in an open-source library made by an advance transfer that the researchers chose not to name.
Using a defect in the library’s mechanism for refreshing keys, hackers could manipulate the process to change critical components – while omitting all other elements intact. As an outcome, the attackers could intercept the exchange from accessing crypto on its platform.
The researchers notified the library developer of the bug’s presence one week after the code went live. But, since it was found in an open-source library, other exchanges may still be using it in their operations.
The second scenario involves hackers exploiting a flaw in the essential rotation process. Here, a failure to validate all of the statements that users and exchanges make to each other could allow a rogue exchange to extract its users’ private keys over multiple key refreshes, seizing control of their crypto assets.
The bug was discovered in an open-source library developed by a major management firm whose name was not disclosed by the researchers.
The third category of attacks could transpire when trusted parties basically derive their segments of a key, generating random numbers that are then publicly verified and tested for later use.
As part of this method, the researchers found a protocol is an open-source library developed by crypto exchange Binance failed to check these random numbers.
This issue could allow a rogue party in the necessary generation procedure to capitalize on the failure to extract other parties’ segments of the key.