Content Spoofing on https://basin.exchange/ Main page.
Report ID
#29242
Report type
Websites and Applications
Has PoC?
Yes
Target
Impacts
Persistent content spoofing / text injection issues
Description
I would like to report modifying static content by modifying or injecting customised text. I found out that I'm able to replace the text on https://basin.exchange/#/wells/ with any customised text.
Vulnerability Details
Notice that if you visit: https://basin.exchange/#/wells/please%20visit%20www.evil.com%20and%20connect%20your%20wallet
A normal page will show with no coin. However, after waiting for approximately 5 seconds it will redirect you to an OOPS page where you see the text injected after /wells/.
The fact that the page shows a normal page and then redirects users to the oops page and shows the injected text makes the danger higher, as the victim will most likely fall for it because he will think that this is part of the page and that the error is caused by the website itself.
Impact Details
As an attack scenario, malicious hackers can share this on Telegram and Discord channels, pretending to be an admin, as the text is injected on the https://basin.exchange main body page domain.
The ability to modify and inject customised text, and the LOCATION of the text replaced in the page, besides finding this vulnerability on a service related to financial matters dealing with sensitive user information and money, made me come to the conclusion that this is a HIGH severity issue and it needs to be solved, as many hackers, especially in the crypto world, will use these different methods to trick the Beanstalk users.
Proof of concept
- Go to https://basin.exchange/#/wells/
- Insert any text after /wells/ and wait for 5 seconds
- You will be redirected to an Oops page where the text is injected.
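The pattern the report describes is an error view that interpolates the raw `/wells/<segment>` path into its own text. The following is an added example, not code from basin.exchange or the Beanstalk project: a hash-route handler that validates the segment and renders only fixed error copy. It assumes, purely for illustration, that a well id is an EVM address (`0x` plus 40 hex digits); `parseWellRoute`, `renderOopsReflected` and `renderOopsSafe` are hypothetical names.

```javascript
// Added example (not basin.exchange code): handling "#/wells/<id>" without
// echoing untrusted path text into the error page.
// Assumption (constructed for this example): a well id is 0x + 40 hex digits.
const WELL_ID = /^0x[0-9a-fA-F]{40}$/;

// Parse a location hash such as "#/wells/0x1234...". Returns
//   { kind: "well", id }  when the segment is a well-formed id
//   { kind: "index" }     when nothing follows /wells/
//   { kind: "invalid" }   when the segment is present but malformed
//   null                  when the hash is not a /wells/ route at all
function parseWellRoute(hash) {
  const m = /^#\/wells\/([^/?#]*)\/?$/.exec(hash || "");
  if (!m) return null;
  let segment;
  try {
    segment = decodeURIComponent(m[1]);
  } catch (e) {
    return { kind: "invalid" }; // malformed percent-encoding, e.g. "%A"
  }
  if (segment === "") return { kind: "index" };
  return WELL_ID.test(segment)
    ? { kind: "well", id: segment.toLowerCase() }
    : { kind: "invalid" };
}

// The weak pattern behind the report: the decoded segment is interpolated into
// the error text, so whatever an attacker placed after /wells/ reads as site copy.
function renderOopsReflected(hash) {
  const segment = decodeURIComponent((hash || "").replace(/^#\/wells\//, ""));
  return `Oops! Could not load well ${segment}`;
}

// Hardened: the message is fixed text chosen by route kind; the segment itself is
// never rendered. A valid id returns null, meaning "no error view, load the well".
function renderOopsSafe(hash) {
  const route = parseWellRoute(hash);
  if (route === null) return "Oops! Page not found.";
  if (route.kind === "invalid") return "Oops! That is not a valid well address.";
  return null;
}
```

The same rule applies to any other reflected location: look the identifier up, and on failure show copy that does not contain it.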
BIC Response
We have closed this report and marked it as spam for the following reason:
Extremely low quality