Security issues on ArtChain
One of the problems with the BlockChain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem.
I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and the some of the security issues I found there.
XSS
This is one of those simple bugs which every web developer should be aware of and be able to defend against. A site should properly escape untrusted content.
ArtChain allowed anyone to register on the site and set their name to some JavaScript code. This meant visitors to the website would automatically run an attacker's code.
Here's a simple demo. A user registers with the name <script>alert("xss");</script>. Every visitor to the site now receives this pop-up.
It could be a lot worse. This simple demonstration is not malicious. An attacker could craft a script which phished for user credentials, tried to hijack the administrators' cookies, or mined cryptocurrency. In short, a user or administrator could not trust the content on the page.
This was the site owner's response to my investigation.
What Howard fails to realise is that it doesn't matter that his platform is based on the BitCoin BlockChain. If an attacker can add malicious JavaScript to his site and then steal his credentials, it's game over. The indelible nature of the BlockChain means that malicious or incorrect content stays there forever - losing control of your keys is a disaster.
There's also the issue of trust in the website. If an attacker can rewrite the page - even temporarily - they could convince users to transfer money, ownership, or attention elsewhere.
When you view content on ArtChain, you have no way of knowing whether it is official or hacked. When the site displays a BitCoin address, it could be ArtChain's - or it could be an attacker's.
Error Messages
Again, it is basic security to make sure that your error messages don't leak sensitive information. Going to an invalid URL should result in a user-friendly message. In this case, we can see that the site is written in PHP, the username of the account, and the structure of the codebase. Not critical problems, but it points to an underlying problem with the quality of the code.
The owner's response was succinct.
I don't think it is sensible for a site owner to blame users for problems on the site. The ArtChain site was broken - simply mistyping a URL allows anyone to see that.
When dealing with millions of dollars worth of assets, your code has to be rock solid. If basic errors like this occur on the website, it is only natural to wonder about the code used to write information to the BlockChain.
What is securing ArtChain's private keys? If it is code of this quality, then it is hard to trust the data which they sign.
Other issues
A quick look around the site shows that it loaded JavaScript and CSS from an external CDN. But it didn't use Subresource Integrity (SRI).
While there are some slight speed advantages in using a CDN, it means that the website owner has to trust the CDN provider. Without SRI, it's impossible for a user to know if the external scripts have been modified.
Effectively, this means that if an attacker can compromise the CDN, they can completely control the page. SRI is a simple way to prevent that. The recent Magecart attacks show the danger of relying on external JavaScript.
Outdated libraries. The site had an older version of Bootstrap which has a known vulnerability.
Directory listing was enabled. This means users can see the list of files present on the webserver. Using this, we can see which resources have been uploaded to the server.
Trust but verify
It is hard to know who to trust online. Whenever a new market emerges, it attracts a large number of people.
Users have to critically evaluate the tools they use online. It's easy for us to see a beautiful looking website and assume that it is built on solid engineering foundations - but that's rarely the case. It's hard to educate users to be able to spot sites with dangerous flaws.
As a community, we have to do a better job of making good security the default user experience.
Play nicely
Civility and respect are sometimes the best weapons we have in convincing others of our arguments. I try to stay calm and polite when discussing contentious issues online - and I appreciate it when people tell me I could do better.
No one deserves a verbal assault for pointing out security vulnerabilities.
Mike says:
Anyone wanting to read more of Harold Sherrin's thoughts about how great Artchain.info is and what an idiot Terence is, check out the comments on https://shkspr.mobi/blog/2018/06/how-i-became-leonardo-da-vinci-on-the-blockchain/. I wonder if Harold Sherrin knows people can see stuff he posts on the Internet.
Mike says:
🤦 s/Harold/Howard/
Andy Mabbett says:
I think they've got this covered. ArtChain's "Terms of Use" page says:
"ArtChain.info assumes no responsibility for any incorrect information published on the website, including any incorrect or invalid registration of any art piece... ArtChain.info is not responsible for lost private keys associated with a current owner of an art piece... ArtChain.info is not a perfect, fail-safe system for authentication"
https://artchain.info/termsofuse
Mike says:
artchain.info - "the ArtChain website that matters". Not to be confused with artchain.world https://www.artmarket.guru/le-journal/interviews/artchain-kay-sprague/ (see comments)