Report ID
#32739
Report type
Websites and Applications
Has PoC?
Yes
Target
https://basin.exchange
Impacts
Persistent content spoofing / text injection issues
Description
This is a spoofing security vulnerability.
Proof Screenshot
See the attached screenshot, which clearly shows this vulnerability.
Bug Description
An attacker is able to inject arbitrary malicious content through the URL and have it rendered on the page.
Impact
Spoofing attack: users will lose funds by treating the injected text as an official announcement.
Note
I have reported this issue to many programs, and most of them have fixed it. This is considered a high-risk issue for web3 web apps.
Type
Spoofing
Severity
High
Fix
Don't render arbitrary text taken from the URL on the page.
Proof of concept
1. Visit https://basin.exchange/?utm_source=immunefi#/wells/Important%20Announcement%20We%20have%20launched%20a%20new%20domain%20if%20you%20want%20an%20access%20to%20new%20version%20please%20send%20the%20$5000%20to%20our%20developer%20wallet%20Address%200xAttackerAddress%20we%20will%20automatically%20verify%20the%20transaction%20and%20after%20that%20you%20can%20contact%20our%20telegram%20with%20username%20basinbeta%20and%20show%20the%20transaction%20hash%20to%20recieve%20the%20new%20domaina%20and%20its%20access
2. Wait a couple of seconds.
3. As you can see, the string "Important Announcement We have launched a new domain if you want an access to new version please send the $5000 to our developer wallet Address 0xAttackerAddress we will automatically verify the transaction and after that you can contact our telegram with username basinbeta and show the transaction hash to receive the new domain and its access" is rendered on the page.
4. Attackers can inject any malicious message and send the link to victims; it will look like an official announcement on this page.
5. The victim gets spoofed and finally loses the account too.
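The fix above ("don't render text from the URL") can be made concrete on the client side: treat the segment after #/wells/ as an identifier to look up, never as a string to display. The following is an added example written for this report; it is not Basin's code and assumes (hypothetically) that wells are identified by an EVM address and that the app holds a local registry mapping addresses to display names. The registry entry and the hashes passed in are constructed sample values.

```javascript
// Added example (not the project's code): resolve a "#/wells/<segment>" route
// without ever echoing the URL text into the page.
// Assumptions (hypothetical): wells are keyed by a 0x-prefixed EVM address and
// the app keeps a local registry of known well names.

// Constructed sample registry: lowercase address -> display name.
const KNOWN_WELLS = new Map([
  ['0x1111111111111111111111111111111111111111', 'BEAN:ETH Well'],
]);

// A well identifier must be exactly 42 characters of 0x + 40 hex digits.
// Anything that matches this cannot carry a human-readable message.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Extract the raw segment after "#/wells/" from a location hash.
// Returns null when the route does not match or the encoding is malformed.
function wellSegmentFromHash(hash) {
  const m = /^#\/wells\/([^/?]+)/.exec(hash || '');
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch {
    return null; // malformed percent-encoding, e.g. a trailing "%A"
  }
}

// Decide what the page may show for a given hash. Only registry data, a
// fixed string, or a syntactically constrained address is ever returned;
// free-form URL text never reaches the DOM.
function resolveWellTitle(hash) {
  const seg = wellSegmentFromHash(hash);
  if (seg === null || !ADDRESS_RE.test(seg)) {
    // Not a well address: discard it instead of displaying it.
    return { ok: false, title: 'Unknown well', address: null };
  }
  const address = seg.toLowerCase();
  const name = KNOWN_WELLS.get(address);
  if (!name) {
    // Looks like an address but is not one we know. Showing the address is
    // safe because the regex above bounds it to 42 hex characters.
    return { ok: false, title: 'Unknown well', address };
  }
  return { ok: true, title: name, address };
}

// Stand-alone demo on a constructed hash (not a live page):
console.log(resolveWellTitle('#/wells/Important%20Announcement'));
console.log(resolveWellTitle('#/wells/0x1111111111111111111111111111111111111111'));
```

The design point is that the route parameter selects data; it is never the data. When the app does need to show something for an unrecognised route, it shows its own fixed string ("Unknown well"), and the only user-controlled value that can appear is one whose format is tight enough that it cannot read as a sentence.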