One of the problems with the BlockChain goldrush is that it attracts a lot of people who don’t necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem.
I’d like to discuss ArtChain.info – “Certifying Art Using the Bitcoin Blockchain” – and the some of the security issues I found there.
This is one of those simple bugs which every web developer should be aware of and be able to defend against. A site should properly escape untrusted content.
Here’s a simple demo. A user registers with the name
<script>alert("xss");</script>. Every visitor to the site now receives this pop-up.
It could be a lot worse. This simple demonstration is not malicious. An attacker could craft a script which phished for user credentials, tried to hijack the administrators’ cookies, or mined cryptocurrency. In short, a user or administrator could not trust the content on the page.
This was the site owner’s response to my investigation.
There’s also the issue of trust in the website. If an attacker can rewrite the page – even temporarily – they could convince users to transfer money, ownership, or attention elsewhere.
When you view content on ArtChain, you have no way of knowing whether it is official or hacked. When the site displays a BitCoin address, it could be ArtChain’s – or it could be an attacker’s.
Again, it is basic security to make sure that your error messages don’t leak sensitive information. Going to an invalid URL should result in a user-friendly message.
In this case, we can see that the site is written in PHP, the username of the account, and the structure of the codebase. Not critical problems, but it points to an underlying problem with the quality of the code.
The owner’s response was succinct.
I don’t think it is sensible for a site owner to blame users for problems on the site. The ArtChain site was broken – simply mistyping a URl allows anyone to see that.
When dealing with millions of dollars worth of assets, your code has to be rock solid.
If basic errors like this occur on the website, it is only natural to wonder about the code used to write information to the BlockChain.
What is securing ArtChain’s private keys? If it is code of this quality, then it is hard to trust the data which they sign.
While there are some slight speed advantages in using a CDN, it means that the website owner has to trust the CDN provider. Without SRI, it’s impossible for a user to know if the external scripts have been modified.
Outdated libraries. The site had an older version of BootStrap which has a known vulnerability.
Directory listing was enabled. This means users can see the list of files present on the webserver. Using this, we can see that which resources have been uploaded to the server.
Trust but verify
It is hard to know who to trust online. Whenever a new market emerges, it attracts a large number of people.
Users have to critically evaluate the tools they use online. It’s easy for us to see a beautiful looking website and assume that it is built on solid engineering foundations – but that’s rarely the case. It’s hard to educate users to be able to spot sites with dangerous flaws.
As a community, we have to do a better job of making good security the default user experience.
Civility and respect are sometimes the best weapons we have in convincing others of our arguments. I try to stay calm and polite when discussing contentious issues online – and I appreciate it when people tell me I could do better.
No one deserves a verbal assault for pointing out security vulnerabilities.