Minor DogeAPI Security Flaw [Disclosed and Fixed]


As part of my "National Hack The Government" win, I was awarded 100 DogeCoin!

Although not my first foray into the exciting world of CryptoCurrencies, I'd never received DogeCoin before. I decided to set up an online wallet to temporarily store my loot while investigating more secure options.

More or less at random, I went with DogeAPI.com. After registering, I received this email.

[Screenshot: the DogeAPI registration email]

Let's take a look at the code behind it...

<h1>Thanks for registering with DogeAPI.com, edent!</h1>
<p>You are almost done registering!</p>
<p>
 <a href='http://www.dogeapi.com/log_in?validate=zR1ag4ALNLkOz&user_name=edent'>Click here to verify your email and log in!</a>
</p>

Ah... Yeah, the link is plain http://, so anyone sat listening to your connection can see you making contact with DogeAPI, grab your username, cookies and - potentially - impersonate you.

12 hours after reporting the issue, the emails were fixed - and all connections were made over https.

Lessons

In this case, I was able to successfully connect to DogeAPI via an unencrypted connection. That should never be the case for a "secure" site.

If you are running a site which relies on trust - you must always make sure every connection is secure and that every link you send out starts with https://
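
One way to enforce the "every link starts with https://" rule before an email goes out, as an added example (not code from this post or from DogeAPI). The function name insecure_links and the https version of the email are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a mail client or browser fetch or follow a URL.
URL_ATTRS = {"href", "src", "action"}
# Schemes that are not web requests, so the https rule does not apply.
NON_WEB_SCHEMES = {"mailto", "tel", "cid", "data"}


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value.strip()))


def insecure_links(html):
    """Return (tag, attr, url, reason) for every web URL that is not https."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attr, url in collector.links:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme == "https" or scheme in NON_WEB_SCHEMES:
            continue
        if scheme == "http":
            reason = "cleartext http"
            if parts.query:
                reason += ", query string visible on the wire"
        elif not scheme:
            reason = "no scheme, so https is not guaranteed"
        else:
            reason = "unexpected scheme " + scheme
        findings.append((tag, attr, url, reason))
    return findings


# The link from the registration email in this post.
BEFORE = ("<p><a href='http://www.dogeapi.com/log_in?validate=zR1ag4ALNLkOz"
          "&user_name=edent'>Click here to verify your email and log in!</a></p>")
# Constructed https version for comparison, not DogeAPI's actual fixed email.
AFTER = BEFORE.replace("http://", "https://")

if __name__ == "__main__":
    print(insecure_links(BEFORE), insecure_links(AFTER))
```

Run it over every outbound template in CI and fail the build when the returned list is not empty.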

