Minor DogeAPI Security Flaw [Disclosed and Fixed]

by @edent

As part of my "National Hack The Government" win, I was awarded 100 DogeCoin!

Although not my first foray into the exciting world of CryptoCurrencies, I'd never received DogeCoin before. I decided to set up an online wallet to temporarily store my loot while investigating more secure options.

More or less at random, I went with DogeAPI.com. After registering, I received this email.

[Screenshot: the DogeAPI registration email]

Let's take a look at the code behind it...

<h1>Thanks for registering with DogeAPI.com, edent!</h1>
<p>You are almost done registering!</p>
<p>
 <a href='http://www.dogeapi.com/log_in?validate=zR1ag4ALNLkOz&user_name=edent'>Click here to verify your email and log in!</a>
</p>

Ah... Yeah. The link is plain http://, so anyone listening in on your connection can see you contacting DogeAPI, grab your username and validation token (plus any cookies set on that connection) and - potentially - impersonate you.

12 hours after reporting the issue, the emails were fixed - and all connections were made over https.

Lessons

In this case, I was able to successfully connect to DogeAPI via an unencrypted connection. That should never be the case for a "secure" site.

If you are running a site which relies on trust - you must always make sure every connection is secure and that every link you send out starts with https://.
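One way to catch this class of mistake before an e-mail goes out, as an added example that is not DogeAPI's code: a check that flags non-https links carrying a username or token, and a rewrite that upgrades links to the site's own hosts to https://. The trusted host list and the extra parameter names `token` and `session` are assumptions; the sample input is the e-mail quoted above.

```python
# Added example, not DogeAPI's code: audit the HTML of an outgoing e-mail for
# links that would send a username or validation token over plain http://,
# and rewrite links to the site's own hosts to https://.
import re
from urllib.parse import urlsplit, parse_qs

# Hosts the site controls (assumed) and query parameters that carry identity
# or secrets (the first two come from the verification link in the post; the
# other two are generic names added as assumptions).
TRUSTED_HOSTS = {"dogeapi.com", "www.dogeapi.com"}
SENSITIVE_PARAMS = {"validate", "user_name", "token", "session"}

# Matches href='...' or href="..."; crude, but enough for an e-mail template.
HREF_RE = re.compile(r"""(href=['"])([^'"]+)(['"])""", re.IGNORECASE)

def find_insecure_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Return [(href, reason)] for every non-https link that either carries a
    sensitive query parameter or points at one of our own hosts."""
    findings = []
    for m in HREF_RE.finditer(html):
        href = m.group(2)
        parts = urlsplit(href)
        if parts.scheme.lower() == "https":
            continue
        scheme = parts.scheme or "relative"
        host = (parts.hostname or "").lower()
        leaked = sorted(k for k in parse_qs(parts.query) if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append((href, "plain %s link exposes %s" % (scheme, ", ".join(leaked))))
        elif host in trusted_hosts:
            findings.append((href, "plain %s link to %s" % (scheme, host)))
    return findings

def upgrade_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Rewrite http:// links to our own hosts as https://; other links are untouched."""
    def fix(m):
        url = m.group(2)
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and (parts.hostname or "").lower() in trusted_hosts:
            url = "https" + url[len("http"):]
        return m.group(1) + url + m.group(3)
    return HREF_RE.sub(fix, html)

# The registration e-mail quoted in the post, used here as the sample input.
SAMPLE_EMAIL = """<h1>Thanks for registering with DogeAPI.com, edent!</h1>
<p>You are almost done registering!</p>
<p>
 <a href='http://www.dogeapi.com/log_in?validate=zR1ag4ALNLkOz&user_name=edent'>Click here to verify your email and log in!</a>
</p>"""
```

Run `find_insecure_links(SAMPLE_EMAIL)` to see the single finding for the verification link, and `upgrade_links(SAMPLE_EMAIL)` for the corrected template that the same check then passes clean.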
