The company is one of India's leading cryptocurrency wallet providers, with over 10,000 daily transactions. They have over 200,000 registered users and process digital currency transactions worth over $30 million.
Performing the test in a live environment during peak cryptocurrency transaction times.
Preventing the misuse and public disclosure of user data.
Keeping the app from being hacked by cryptocurrency criminals.
Over 200,000 registered users
Operates in around 57 countries
Over 10,000 transactions a day
The organization approached Kratikal's security testing department to identify any technical or logical flaws in its clients' e-wallets, and to obtain recommendations on how to mitigate the risk of those vulnerabilities being exploited.
The test was carried out in a dummy environment.
The test was conducted as a Grey Box exercise.
Various attacks were attempted against their web and mobile applications.
The tests were conducted in accordance with the best practices available in the industry, such as Open Web Application Security Project (OWASP), SANS 25, NIST and more.
It was found that the parameters of the "add value" (wallet top-up) request could be tampered with, allowing an attacker to add up to $5000 per transaction while having only $1 deducted.
Brute-force attacks were possible against the two-factor authentication codes sent via email or SMS.
Some configuration files containing sensitive information were publicly accessible.
Because the wallet amount parameters could be modified, attackers could add an arbitrary amount of money to a cryptocurrency wallet.
The server could be hijacked using the leaked sensitive information.
An attacker could take over users' accounts and transfer all their cryptocurrency to their own wallet, resulting in losses of millions of dollars.
They could brute-force the two-factor authentication codes to gain access to users' accounts.
By changing the pricing parameter, it was possible to buy currencies for free, which could result in daily losses of approximately $1.2 million.
The firm could face large financial losses, potential lawsuits, and damage to their brand image if their application's accounts were hacked.
If sensitive information about their clients and users were leaked from the application, they could be subject to large fines under various compliance regimes and local cyber laws in the countries where they operate.
Hijacking of their app's accounts could result in a full loss of the funds in their customers' wallets.
To address parameter tampering, we recommended that all parameters be validated on the server side and that the server's response be derived from and matched against the request received from the application, rather than from values the client supplies.
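The following is an added example of the server-side validation recommended above; it is not Kratikal's or the client's code. It assumes a wallet top-up request carries a `payment_id` and a client-supplied `credit_amount`, and a purchase request carries an `asset`, `units` and a client-supplied `price`; the server derives the amount to credit from what the payment provider actually charged, and the cost of a purchase from its own price list, so neither the "add value" amount nor the pricing parameter can be tampered with from the client. The payment records and price list are constructed sample data.

```python
"""Server-side validation of wallet top-up ("add value") and purchase requests.

Added example, not the client's or Kratikal's code. Assumptions: requests
arrive as dicts of already-parsed parameters; the charged amount and unit
prices come from server-side records and never from the client.
"""
from decimal import Decimal, InvalidOperation

# Constructed server-side data: what the payment processor actually charged
# for each payment id, and the server's own price list. The client-supplied
# "credit_amount" and "price" fields carry no authority.
CHARGED_BY_PAYMENT_ID = {
    "pay_001": Decimal("1.00"),
    "pay_002": Decimal("250.00"),
    "pay_003": Decimal("6000.00"),
}
PRICE_PER_UNIT = {
    "BTC": Decimal("60000.00"),
    "ETH": Decimal("3000.00"),
}
MAX_TOPUP_PER_TXN = Decimal("5000.00")   # assumed business limit


class TamperedRequest(ValueError):
    """Raised when a client-controlled field disagrees with server-side truth."""


def _to_amount(value) -> Decimal:
    """Parse a client value as a strictly positive, finite decimal amount."""
    try:
        amount = Decimal(str(value))
    except (InvalidOperation, ValueError):
        raise TamperedRequest(f"amount is not numeric: {value!r}")
    if not amount.is_finite() or amount <= 0:
        raise TamperedRequest(f"amount out of range: {amount}")
    return amount


def credit_for_topup(request: dict) -> Decimal:
    """Return the amount to credit for an 'add value' request.

    The credit is the amount the payment provider charged, looked up by
    payment id on the server. The client's 'credit_amount' (the field an
    attacker would inflate) must match it exactly or the request is refused.
    """
    payment_id = request.get("payment_id")
    charged = CHARGED_BY_PAYMENT_ID.get(payment_id)
    if charged is None:
        raise TamperedRequest(f"unknown payment id: {payment_id!r}")
    requested = _to_amount(request.get("credit_amount"))
    if requested != charged:
        raise TamperedRequest(
            f"client asked for {requested} but payment {payment_id} was {charged}")
    if charged > MAX_TOPUP_PER_TXN:
        raise TamperedRequest(f"top-up {charged} exceeds per-transaction limit")
    return charged


def cost_for_purchase(request: dict) -> Decimal:
    """Return the amount to debit for buying `units` of `asset`.

    The unit price comes from the server's price list; a client-supplied
    'price' field is ignored, so setting it to 0 cannot make coins free.
    """
    asset = request.get("asset")
    if asset not in PRICE_PER_UNIT:
        raise TamperedRequest(f"unknown asset: {asset!r}")
    units = _to_amount(request.get("units"))
    cost = (units * PRICE_PER_UNIT[asset]).quantize(Decimal("0.01"))
    if cost <= 0:
        raise TamperedRequest("purchase must cost a positive amount")
    return cost


def is_rejected(handler, request: dict) -> bool:
    """True if the handler refuses the request as tampered."""
    try:
        handler(request)
    except TamperedRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: one honest top-up, one inflated credit, one
    # purchase with a client-supplied price of zero.
    print(credit_for_topup({"payment_id": "pay_002", "credit_amount": "250.00"}))
    print(is_rejected(credit_for_topup, {"payment_id": "pay_001", "credit_amount": "5000"}))
    print(cost_for_purchase({"asset": "ETH", "units": "0.5", "price": "0"}))
```

The design point is that the server never reads an amount or a price from the request as authoritative: it recomputes both from its own records and treats any mismatch as a tampered request to be logged and refused, which also gives the operations team a clean detection signal for this class of attack.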
We recommended significant changes to the architecture and authentication mechanism of the application.
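As an added illustration of the authentication changes recommended above, the following code shows one way to make email/SMS one-time codes resistant to the brute-force attack found during the test. It is not Kratikal's or the client's code. It assumes six-digit codes with a five-minute lifetime, a fixed budget of failed attempts after which the code is burned, single use of a code once accepted, and in-memory state (a deployment would keep this in a shared store so the limit holds across servers); the simulated guessing run is a constructed scenario.

```python
"""Rate-limited verification of email/SMS one-time codes.

Added example, not the client's or Kratikal's code. Assumptions: 6-digit
codes with a short lifetime, a code invalidated after a fixed number of
failed attempts, and state kept in an in-memory dict.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is useless after 5 minutes
MAX_ATTEMPTS = 5         # after this many failures the code is burned

# user_id -> {"code": str, "expires": float, "attempts": int}
_pending: dict = {}


def issue_code(user_id: str, now: float = None) -> str:
    """Generate and store a fresh code; the caller sends it out of band.

    Issuing a new code replaces any older one, so requesting resends cannot
    be used to keep guessing against a code whose budget is spent.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[user_id] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(user_id: str, submitted: str, now: float = None) -> str:
    """Check a submitted code; returns "ok", "invalid", "locked" or "expired".

    The lock is checked before the comparison and the attempt counter is
    incremented before it, so a correct code submitted after the budget is
    spent is still refused. compare_digest keeps the comparison constant-time.
    """
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None or now > entry["expires"]:
        _pending.pop(user_id, None)
        return "expired"
    if entry["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], str(submitted)):
        del _pending[user_id]          # single use
        return "ok"
    return "locked" if entry["attempts"] >= MAX_ATTEMPTS else "invalid"


def simulate_guessing(user_id: str, wrong_guesses: int, now: float = 1000.0) -> list:
    """Constructed scenario: issue a code, submit `wrong_guesses` wrong codes,
    then the right one; returns the list of outcomes in order."""
    code = issue_code(user_id, now)
    outcomes = []
    for i in range(wrong_guesses):
        # a guess guaranteed to differ from the real code
        guess = f"{(int(code) + i + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
        outcomes.append(verify_code(user_id, guess, now + i))
    outcomes.append(verify_code(user_id, code, now + wrong_guesses))
    return outcomes


def simulate_expiry(user_id: str, now: float = 1000.0) -> str:
    """Constructed scenario: the right code, submitted after the TTL."""
    code = issue_code(user_id, now)
    return verify_code(user_id, code, now + CODE_TTL_SECONDS + 1)


if __name__ == "__main__":
    print(simulate_guessing("alice", wrong_guesses=2))   # a couple of typos, then accepted
    print(simulate_guessing("bob", wrong_guesses=7))     # budget spent, correct code refused
    print(simulate_expiry("carol"))                      # expired
```

With a six-digit code and five attempts, an attacker's chance per issued code is 5 in 1,000,000, and each "locked" outcome is an event worth alerting on; the per-code budget should be combined with per-account and per-IP rate limits on the code-request endpoint so that resends cannot be used to restart the budget at will.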
For database security and server design, we advised the company on advanced controls and cryptographic techniques (such as obfuscation techniques).
We recommended that they change their application processes to avoid wallet leaks and account takeovers.
Detailed documentation of the application’s vulnerabilities was provided, outlining the problem, its cause, and how to fix it.