Report #29242

Report Date
March 11, 2024
Status
Closed
Payout

Content Spoofing on https://basin.exchange/ Main page.

Report Info

Report ID

#29242

Report type

Websites and Applications

Has PoC?

Yes

Target

Impacts

Persistent content spoofing / text injection issues

Description

I would like to report modifying static content by injecting customised text. I found out that I'm able to replace the text on https://basin.exchange/#/wells/ with any customised text.

Vulnerability Details

A normal page will show with no coin. However, after waiting for approximately 5 seconds it will redirect you to an OOPS page where you see the text injected after /wells/.

The fact that the page first shows a normal page and then redirects users to the oops page and shows the injected text makes the danger higher, as the victim will most likely fall for it because he will think that this is part of the page and the error is caused by the website itself.

Impact Details

As an attack scenario, malicious hackers can share this on Telegram and Discord channels, pretending to be an admin, as the text is injected on the https://basin.exchange main body page domain.

The ability to modify and inject customised text and the LOCATION of the replaced text in the page, besides finding this vulnerability on a service related to financial matters dealing with sensitive user information and money, made me come to the conclusion that this is a HIGH severity issue and it needs to be solved, as many hackers, especially in the crypto world, will use these different methods to trick the Beanstalk users.

Proof of concept

  • Go to https://basin.exchange/#/wells/
  • Insert any text after /wells/ and wait for 5 seconds
  • You will be redirected to an Oops page where the text is injected.
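The flaw the report describes is an error page that echoes whatever follows `/wells/` in the URL fragment back into its visible copy. The following is an added illustration, not code from Basin or from the reporter: it assumes a hash-based client-side router and a constructed well-identifier format (`0x` plus 40 hex digits), and contrasts an error handler that reflects the unvalidated path segment with one that validates the identifier and otherwise falls back to a fixed message.

```javascript
// Added example (not Basin's own code). Assumption: unknown routes under
// #/wells/ are rendered by a client-side "not found" handler.

// Assumed identifier format for a well (constructed for this example).
const WELL_ID = /^0x[0-9a-fA-F]{40}$/;

// Extract the path segment after "#/wells/" and percent-decode it.
// A malformed escape sequence yields an empty string instead of throwing.
function wellSegment(hash) {
  const raw = hash.replace(/^#\/wells\//, "");
  try {
    return decodeURIComponent(raw);
  } catch {
    return "";
  }
}

// Vulnerable pattern: attacker-controlled URL text becomes page copy.
function buildErrorMessageVulnerable(hash) {
  return `Oops! ${wellSegment(hash)} could not be found.`;
}

// Hardened pattern: only a value matching the expected identifier shape is
// shown; anything else gets a generic message, so free text is never reflected.
function buildErrorMessageHardened(hash) {
  const id = wellSegment(hash);
  if (WELL_ID.test(id)) {
    return `Oops! Well ${id} could not be found.`;
  }
  return "Oops! The requested well could not be found.";
}

// Render with textContent so the message is inserted as text, never as HTML.
function renderError(node, hash) {
  node.textContent = buildErrorMessageHardened(hash);
}

// Stand-alone demonstration with a constructed, obviously non-identifier segment.
if (typeof require !== "undefined" && require.main === module) {
  const sample = "#/wells/Send%20funds%20to%20admin";
  console.log("vulnerable:", buildErrorMessageVulnerable(sample));
  console.log("hardened:  ", buildErrorMessageHardened(sample));
}
```

The design point is that the generic fallback removes the reflection entirely rather than trying to escape it: content spoofing does not need HTML or script, plain text in a trusted page is the whole issue, so the only safe error copy is copy the user cannot author.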

BIC Response

We have closed this report and marked it as spam for the following reason:

Extremely low quality