By CCN.com: Turkish crypto exchange Sistemkoin had done $68 million in volume over the 24-hour period at time of writing. However, according to a report from a user and security researcher, there are significant security problems with the exchange.
There are two aspects to our anonymous tipster’s report. First, anyone with a Sistemkoin account and an intercepting proxy such as Burp Suite can read, and reply to, the support tickets of other users. Our tipster has spent well over a week trying to notify the exchange of the problem, with no response.
Some might wonder what the problem actually is if others can see your support ticket. Big deal, right? Well, imagine someone posing as support staff asking you to disable two-factor authentication, or to reveal private information to “verify your account.” Many attack vectors become possible once an attacker can pose as staff inside a support thread the user already trusts.
The other aspect of the vulnerability is that most of the tickets our source saw were related to problems with withdrawals. This should be cause for concern for obvious reasons.
1) Basic security practices are not followed.
2) Users are evidently having problems making withdrawals.
Withdrawals are perhaps the single most important aspect of crypto exchanges. Any well-made scam can process a deposit. Only legitimate exchanges can reliably and consistently process withdrawals. An annual event called “Proof of Keys” tests the validity of exchanges by creating what amounts to a bank run.
Legitimate exchanges like Binance have no trouble on days like this. When the business model is sound and the software is properly written, the only potential effect is a temporary drop in trading volume.
Today Sistemkoin tweets:
In any case, the majority of the tickets also seem to go ignored, as have the numerous inquiries by our source. As our source said:
While browsing sistemkoin.com, I found a few critical vulnerabilities where I was able to view and comment on support tickets of any user of the exchange. […] As they didn't respond I went through a few support tickets and found that most of the support tickets are about users complaining as they weren't able to withdraw tokens.
The process involves a Sistemkoin user simply replacing the ticket number in their own request with the number of another user’s support ticket. The author is not enough of a network hacker to understand the full process involved, but the source later walked us through it in the form of screenshots:
While viewing the support ticket, the attacker intercepts the request to the server and changes the support ticket ID parameter to the victim's support ticket using any tool like Burp Suite.
The attacker is able to see other users' support tickets.
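The pattern the source describes is an insecure direct object reference (IDOR): the server looks up whatever ticket ID the client sends and never checks that the ticket belongs to the logged-in user. The following is an added example written for this article, not Sistemkoin’s code or the researcher’s tooling (neither is public). It models the proxy step of rewriting the ID parameter, a vulnerable handler that leaks and accepts replies on any ticket, and the hardened form that enforces ownership. The ticket data, user IDs, URL paths and function names are all constructed for illustration.

```python
"""
Added example, not code from Sistemkoin or the researcher: a minimal model of
the support-ticket endpoint described above. Ticket data, user ids, URL paths
and function names are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


class Forbidden(Exception):
    """Raised when a user reads or replies to a ticket that is not theirs."""


@dataclass
class Ticket:
    ticket_id: int
    owner_id: int
    subject: str
    messages: list = field(default_factory=list)


def make_tickets():
    """Constructed sample data: user 7 and user 9 each own one ticket."""
    return {
        1001: Ticket(1001, owner_id=7, subject="Withdrawal pending for three days"),
        1002: Ticket(1002, owner_id=9, subject="Cannot disable 2FA"),
    }


def tamper_ticket_id(url, new_id):
    """The intercepting-proxy step: rewrite the id query parameter of an
    otherwise legitimate request before it reaches the server."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    params["id"] = [str(new_id)]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


def ticket_id_from_url(url):
    return int(parse_qs(urlsplit(url).query)["id"][0])


def vulnerable_view_ticket(tickets, session_user_id, url):
    """Authenticated but not authorised: the handler trusts the client-supplied
    id and never compares the ticket's owner with the session user (IDOR)."""
    return tickets.get(ticket_id_from_url(url))


def vulnerable_reply(tickets, session_user_id, url, text):
    """Same defect on the write path: the reply lands in someone else's ticket,
    which is what lets an attacker pose as support staff."""
    ticket = tickets[ticket_id_from_url(url)]
    ticket.messages.append((session_user_id, text))
    return len(ticket.messages)


def _owned_ticket(tickets, session_user_id, url):
    ticket = tickets.get(ticket_id_from_url(url))
    # One failure path for "does not exist" and "not yours", so the response
    # does not reveal which ticket ids are valid.
    if ticket is None or ticket.owner_id != session_user_id:
        raise Forbidden("ticket not found")
    return ticket


def secure_view_ticket(tickets, session_user_id, url):
    """Hardened form: look the ticket up, then enforce ownership server-side."""
    return _owned_ticket(tickets, session_user_id, url)


def secure_reply(tickets, session_user_id, url, text):
    ticket = _owned_ticket(tickets, session_user_id, url)
    ticket.messages.append((session_user_id, text))
    return len(ticket.messages)


def demo():
    """Run the attack against both handlers on fresh data; returns a summary."""
    tickets = make_tickets()
    legit = "https://exchange.example/support/ticket?id=1001"   # user 7's own ticket
    forged = tamper_ticket_id(legit, 1002)                       # now points at user 9's
    leaked = vulnerable_view_ticket(tickets, 7, forged)
    vulnerable_reply(tickets, 7, forged, "Support here, please disable 2FA to verify.")
    try:
        secure_view_ticket(tickets, 7, forged)
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "forged_url": forged,
        "leaked_subject": leaked.subject,
        "injected_messages": len(tickets[1002].messages),
        "secure_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not to hide or randomise ticket IDs but to make the ownership check part of every lookup, on reads and writes alike; the single `_owned_ticket` helper is there so a future endpoint cannot forget it.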
Sistemkoin has been contacted for comment. We will update this article with anything we receive in kind.