Bitcoin Exchanges Hit By Hackers

It has been a rough year so far for the world of cryptocurrency.

First it was the collapse of Mt. Gox; now two more bitcoin exchanges say they have been hit by hackers.

According to officials at Poloniex and Flexcoin, attackers recently hit the exchanges and made off with a substantial amount of Bitcoins. As a result of the theft, Flexcoin announced it was shutting down, while Poloniex vowed to recover from the incident and take steps to improve security.

At Flexcoin, officials said that on March 2, hackers stole 896 bitcoins valued at more than $600,000 from its “hot wallet.” To pull off the heist, the attacker created a Flexcoin account. After depositing some bitcoins into it, the attacker exploited a vulnerability in the code that allows transfers between users.

“By sending thousands of simultaneous requests, the attacker was able to ‘move’ coins from one user account to another until the sending account was overdrawn, before balances were updated,” according to the company. “This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.”

“[The hack of] Flexcoin reminds me of vulnerabilities I used to see in online banking applications 10 years ago,” Amichai Shulman, Imperva’s CTO, said in a statement. “I think that the story here is not the individual incident or the individual vulnerability but the fact that this has been a repetitive pattern over the past few months.”

“I think that what Bitcoin users are learning now, the hard way, is that there are some benefits to the existing ‘centralized’, regulated financial infrastructure (like supervision and insurance for example),” he said.

Over at Poloniex, the company said an attack March 4 cost users 12.3 percent of their bitcoins. In this case, the attacker took advantage of a vulnerability in the code that takes withdrawals.

“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time,” the company explained in a post on a Bitcoin forum. “This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”

“The major problem here is that the auditing and security features were not explicitly looking for negative balances,” according to the company. “They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8. Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawals requests were processed sequentially instead of simultaneously.”

Still, the company noted that it discovered the activity because an existing security feature noticed unusual withdrawal activity and stopped it.

Poloniex said it is committed to repaying the stolen money, and added that the withdrawal daemon now checks for negative balances before processing withdrawals and will freeze any account with a negative balance.

“The next thing that will be done–before markets are unfrozen–is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance,” according to the company. “After that, markets can be unfrozen and withdrawals resumed. Immediately following that, a daemon that will run automated audits on every account will be created, which will alert me of any strange activity and freeze any account with an overage of a balance.”
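The flaw and the fixes described above can be reproduced on a small ledger. The following is an added example, not code from Poloniex, Flexcoin or the original article: the table layout, function names and whole-BTC integer amounts are assumptions, and the concurrent requests are replayed as a fixed interleaving rather than with real threads.

```python
import sqlite3

def make_db(start):
    # Constructed sample ledger: one account (id 1) holding `start` whole BTC.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE withdrawals (account INTEGER, amount INTEGER)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (start,))
    return db

def balance(db, acct=1):
    return db.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]

def racy_withdrawals(db, acct, amounts):
    # Check-then-act. The interleaving is replayed deterministically: every
    # request reads the balance before any request's debit is written.
    stale_reads = [balance(db, acct) for _ in amounts]
    accepted = 0
    for seen, amt in zip(stale_reads, amounts):
        if seen >= amt:  # check passes against a stale value
            db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amt, acct))
            db.execute("INSERT INTO withdrawals VALUES (?, ?)", (acct, amt))
            accepted += 1
    return accepted

def atomic_withdraw(db, acct, amt):
    # Check and debit in one statement: the row changes only if funds suffice.
    # In production the debit and the withdrawal record share one transaction.
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amt, acct, amt))
    if cur.rowcount != 1:
        return False
    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (acct, amt))
    return True

def ledger_audit(db, acct, deposited):
    # The audit as described: deposits minus withdrawals must equal the balance.
    out = db.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals WHERE account = ?",
                     (acct,)).fetchone()[0]
    return deposited - out == balance(db, acct)

def negative_accounts(db):
    # The missing control: flag any account whose balance is below zero.
    return [row[0] for row in db.execute("SELECT id FROM accounts WHERE balance < 0")]
```

With a 2 BTC deposit and five 2 BTC requests, the racy path accepts all five and leaves -8 BTC while `ledger_audit` still passes; the atomic path accepts one request and `negative_accounts` stays empty.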

John Miller, security research manager at Trustwave, told SecurityWeek that attacks against exchanges and other commercial users of cryptocoins such as Bitcoin are expected to rise. 

“Since most of the exchanges and other third party services underlying the crypto currency economy do not function as financial institutions, there is little recourse for users of defunct services,” he said. “Any organization that deals with crypto currency needs to implement security controls on par with other payment methods and take care to address specific concerns brought about by their use of alternative currency. Penetration testing and application assessments are standard testing procedures for companies dealing with payment card information. Companies accepting Bitcoin should be under no less scrutiny.”
