Gate.io is listed among the top 10 crypto exchanges according to CoinMarketCap. Since its founding in 2013, the company has remained committed to making the safety and security of its users its top priority, which requires strong safety measures to protect its traders from hackers and fraudsters.
To do this, Gate.io published a bug bounty on HackenProof with 6 in-scope assets:
Gate.io has set the bounty range from $50 to $5 000, depending on the severity:
HackenProof whitehats have identified 14 vulnerabilities so far.
This success story describes the top 3 vulnerabilities which the company has fixed:
A hacker could create a new Google Firebase user for the Android app.
They could create it without administration rights using API.
Google Firebase is an analytics tool for measuring user performance inside mobile apps. Creating an unauthorized account inside this tool would lead to system manipulation and data leakage.
The attacker could harm the infrastructure in 3 ways:
The attacker could use the data in 3 ways:
A hacker could inject a malicious script into the ranking page.
They could do this using a reflected XSS attack.
XSS injection is when an attacker can inject a malicious script into a website or app.
The script is triggered when a victim visits the infected page.
A reflected XSS is when the malicious part is added to the URL string.
A victim would still access the legitimate website, but their data would be compromised.
For example, this link can be safe – hackenproof.com.
While this link could be dangerous:
The attacker could harm Gate.io users in 3 ways:
Cookie data can be used for session hijacking or donation. Session hijacking is when an attacker can impersonate a victim inside an app. Session donation is when an attacker tricks the victim into performing actions inside the attacker’s account. For more cookie exploits, check out this source.
Stealing data from account information could include things like names, addresses, and finances.
Impersonating the account owner could have led to stealing the funds.
A hacker could inject a malicious script into the company server.
The attacker could do it remotely by using the /script command on Java.
Remote code execution is one of the most critical issues because it can compromise server data.
The attacker could harm Gate.io in 4 ways:
Once these vulnerabilities were identified, the Gate.io team expedited addressing them as quickly as possible to ensure the platform remains secure and users are protected from potentially malicious actors.
The company remains steadfast in its commitment to a safe and secure trading environment on its different platforms:
HackenProof is a bug bounty platform for crypto exchanges.
The platform connects crypto exchanges with ethical hackers.
Once whitehat hackers identify the exchange’s vulnerabilities, they deliver a report to the exchange.
Most of the reports are raw and need to be verified. For this reason, the HackenProof triage team takes on this responsibility and saves time for the exchanges. Then, the exchange developers fix these vulnerabilities.
Subscribe to our newsletter
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.