Security issues on ArtChain


One of the problems with the BlockChain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem.

I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and some of the security issues I found there.

XSS

This is one of those simple bugs which every web developer should be aware of and be able to defend against. A site should properly escape untrusted content.

ArtChain allowed anyone to register on the site and set their name to some JavaScript code. This meant visitors to the website would automatically run an attacker's code.

Here's a simple demo. A user registers with the name <script>alert("xss");</script>. Every visitor to the site now receives this pop-up.
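To make the bug and its fix concrete, here is an added example of my own (not ArtChain's code) in JavaScript: a user-supplied display name is interpolated into markup once without escaping and once through an HTML-escaping helper. The `renderProfile*` function names and the sample name are assumptions for the demo.

```javascript
// Added example, not ArtChain's code: a user-supplied display name rendered
// into an HTML text node, first unsafely and then with contextual escaping.

// Escape the characters that are significant in HTML text and attribute
// contexts. A single-pass replace means "&" in the input is not re-escaped.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The bug: untrusted content concatenated straight into markup, so a name
// containing a <script> element becomes executable code for every visitor.
function renderProfileUnsafe(name) {
  return `<h1>Artist: ${name}</h1>`;
}

// The fix: escape at the point of output, so the browser shows the text
// of the name instead of parsing it as markup.
function renderProfileSafe(name) {
  return `<h1>Artist: ${escapeHtml(name)}</h1>`;
}

// Constructed sample input: the registration name from the demo above.
const demoName = '<script>alert("xss");</script>';

console.log('unsafe:', renderProfileUnsafe(demoName));
console.log('safe:  ', renderProfileSafe(demoName));
```

Escaping is context-specific: this helper is right for text nodes and quoted attribute values, but a name that ends up inside a URL, a JavaScript string, or a CSS value needs the escaping rules for that context instead.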

A website with a popup notification.

It could be a lot worse. This simple demonstration is not malicious. An attacker could craft a script which phished for user credentials, tried to hijack the administrators' cookies, or mined cryptocurrency. In short, a user or administrator could not trust the content on the page.

This was the site owner's response to my investigation.

Now you try to hack our website? Really? Terence the hacker? Sitting in your underwear? Trying to hack our site? Trust me... there is nothing to hack. Our database is backed up every day and stored off-line. Even in the 1 in trillion chance you could hack our off-line backups... it still wouldn't matter!!!! Our platform is based on the bitcoin blockchain. You would have to hack the bitcoin blockchain to make a difference in what we are doing. You fucking idiot.

What Howard fails to realise is that it doesn't matter that his platform is based on the BitCoin BlockChain. If an attacker can add malicious JavaScript to his site, then steal his credentials, it's game over. The indelible nature of the BlockChain means that malicious or incorrect content stays there forever - losing control of your keys is a disaster.

There's also the issue of trust in the website. If an attacker can rewrite the page - even temporarily - they could convince users to transfer money, ownership, or attention elsewhere.

When you view content on ArtChain, you have no way of knowing whether it is official or hacked. When the site displays a BitCoin address, it could be ArtChain's - or it could be an attacker's.

Error Messages

Again, it is basic security to make sure that your error messages don't leak sensitive information. Going to an invalid URL should result in a user-friendly message.

Lots of PHP errors.

In this case, we can see that the site is written in PHP, the username of the account, and the structure of the codebase. Not critical problems, but it points to an underlying problem with the quality of the code.
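As an added example (my own code, not ArtChain's), here is the kind of check a site owner can run over their own error pages to catch this class of leak: it scans a response body for PHP diagnostics, source file locations and home-directory paths. The sample pages, paths and username are constructed for the demo.

```javascript
// Added example, not ArtChain's code: a defender-side check that scans an
// HTTP response body for PHP error output that leaks the language in use,
// the hosting account's username and the layout of the codebase.
const LEAK_PATTERNS = [
  // PHP runtime diagnostics rendered into the page (html_errors wraps the
  // level in <b>...</b>, so allow an optional closing tag before the colon)
  { kind: 'php-error', re: /\b(Warning|Notice|Fatal error|Parse error|Deprecated)(?:<\/b>)?:/ },
  // "... in /path/file.php on line N" reveals file names and directory layout
  { kind: 'source-location', re: /\bin (\/[^\s:]+\.php) on line (\d+)/ },
  // A home-directory path exposes the hosting account's username
  { kind: 'unix-home-path', re: /\/home\/([A-Za-z0-9_.-]+)\// },
];

// Returns one finding per pattern that matches. An empty array is the
// result you want from a production error page.
function findInfoLeaks(body) {
  const findings = [];
  for (const { kind, re } of LEAK_PATTERNS) {
    const m = body.match(re);
    if (m) findings.push({ kind, evidence: m[0] });
  }
  return findings;
}

// Constructed sample bodies: a leaky page of the sort the screenshot shows,
// and a friendly error page that gives nothing away. Paths and the
// username are made up for this demo.
const LEAKY_PAGE = '<b>Warning</b>: include(inc/db.php): failed to open stream in /home/example_user/public_html/index.php on line 12';
const FRIENDLY_PAGE = '<h1>Page not found</h1><p>Check the address and try again.</p>';

console.log(findInfoLeaks(LEAKY_PAGE));
console.log(findInfoLeaks(FRIENDLY_PAGE));
```

The fix on the server side is to turn off displayed errors in production and log them to a file the web server does not serve; the scanner above is for confirming that the fix actually took effect on every error path, including mistyped URLs.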

The owner's response was succinct.

There you go again. Trying to break shit no matter what. Maybe you got the PHP errors because your registration was invalid... you are not an artist... you are a nobody... a poor idiot? Do ya think?

I don't think it is sensible for a site owner to blame users for problems on the site. The ArtChain site was broken - simply mistyping a URL allows anyone to see that.

When dealing with millions of dollars worth of assets, your code has to be rock solid.
If basic errors like this occur on the website, it is only natural to wonder about the code used to write information to the BlockChain.

What is securing ArtChain's private keys? If it is code of this quality, then it is hard to trust the data which they sign.

Other issues

A quick look around the site shows that it loaded JavaScript and CSS from an external CDN, but it didn't use Subresource Integrity (SRI).

While there are some slight speed advantages in using a CDN, it means that the website owner has to trust the CDN provider. Without SRI, it's impossible for a user to know if the external scripts have been modified.

Effectively, this means that if an attacker can compromise the CDN, they can completely control the page. SRI is a simple way to prevent that: the browser refuses to run a script whose hash does not match the one the page declares. The recent Magecart attacks show the danger of relying on external JavaScript.

Outdated libraries. The site had an older version of BootStrap which has a known vulnerability.

Directory listing was enabled. This means anyone can see the list of files present on the webserver, including which resources have been uploaded to it.

Trust but verify

It is hard to know who to trust online. Whenever a new market emerges, it attracts a large number of people.

Users have to critically evaluate the tools they use online. It's easy for us to see a beautiful looking website and assume that it is built on solid engineering foundations - but that's rarely the case. It's hard to educate users to be able to spot sites with dangerous flaws.

As a community, we have to do a better job of making good security the default user experience.

Play nicely

Civility and respect are sometimes the best weapons we have in convincing others of our arguments. I try to stay calm and polite when discussing contentious issues online - and I appreciate it when people tell me I could do better.

No one deserves a verbal assault for pointing out security vulnerabilities.


4 thoughts on “Security issues on ArtChain”

  1. I think they've got this covered. ArtChain's "Terms of Use" page says:

    "ArtChain.info assumes no responsibility for any incorrect information published on the website, including any incorrect or invalid registration of any art piece... ArtChain.info is not responsible for lost private keys associated with a current owner of an art piece... ArtChain.info is not a perfect, fail-safe system for authentication"

    https://artchain.info/termsofuse
