Recently, a user received an email from a white hat hacker, which stated:

Hi, my name is Aaron. I'm writing to let you know that some of your personal information has been made public on the Internet. I reported the issue and made sure it was fixed. Your information is no longer online.

Cryptocurrency exchange Huobi accidentally leaked a "whale report" in a recent data breach. These reports contain the name, phone number, address and email address you provided to Huobi when you registered. They also have wallet balances and information about your assets.

phillips.technology is the personal website of white hat hacker, citizen journalist, and consumer advocate Aaron Phillips. Aaron Phillips is an American professional with 4 years of experience in the cybersecurity field and 20 years of IT experience. His work focuses on protecting consumers from data breaches and other security incidents, and it has been featured on some of the most popular technology news sites in the world. His areas of focus include mobile and web application security, cloud security, and network penetration testing.

Huobi responded:

The incident occurred on June 22, 2021 due to irregular operations by relevant personnel on the S3 bucket in the Japanese site's test environment. The relevant user information was completely isolated on October 8, 2022. After this incident was discovered by the white hat team, the Huobi security team dealt with it as soon as possible on June 21, 2023 (10 days ago) and immediately closed access to the relevant files. The current vulnerability has been repaired and all relevant user information has been deleted. Thanks to the white hat team for their contribution to Huobi security.

The full text is as follows:

Huobi has quietly fixed a data breach that could have allowed the company’s cloud storage to be accessed. Huobi inadvertently shared a set of credentials granting write access to all of its Amazon Web Services S3 buckets.

The company uses S3 buckets to host its CDN and website. Anyone can use these credentials to modify content on the huobi.com and hbfile.net domains, among others. The leak of Huobi credentials also led to the exposure of user data and internal documents.

Attackers who exploited Huobi's bug would have had the opportunity to conduct the largest cryptocurrency theft in history.

If Huobi had not taken action, this vulnerability could have been exploited to steal user accounts and assets. The company removed the compromised account and its users are no longer at risk.

When I checked an open Amazon Web Services (AWS) S3 bucket, I discovered a sensitive file containing AWS credentials. After some research, I found out that the credentials were genuine and the account belonged to Huobi.

Although Huobi deleted the accounts exposed in the breach, the company has not yet deleted the file. The credentials are still available online for anyone to download:

Huobi accidentally released the document in June 2021, according to metadata distributed by Amazon.

This means the company has been sharing production AWS credentials for about two years.

Anyone who downloaded the credentials had full access to Huobi’s cloud storage buckets. I was able to upload and delete files in all of Huobi's S3 buckets. This is particularly dangerous because Huobi makes heavy use of buckets.

These credentials may be used to modify and control Huobi’s many domains. Attackers may exploit Huobi's infrastructure to steal user accounts and assets, spread malware, and infect mobile devices.

There is no indication that anyone exploited this vulnerability to attack Huobi.

Write access to critical S3 buckets

To assess the impact of this breach, I first listed everything I could. I found there were 315 in total, many of them private.

Some of these buckets share names with websites and CDNs operated by Huobi. For example, is a CDN that hosts content used by many Huobi websites and apps.

Next, I tried to write to the buckets. I was able to write and delete files in all 315 buckets. In the screenshot below, I uploaded a file to the CDN used by Huobi to store and distribute Android apps.

A malicious user may have uploaded a modified version of the Huobi Android app.

Amazon uses IAM roles to control access to its cloud services. It’s not uncommon for large companies like Huobi to create a single role to manage their cloud storage. But this is a bad approach.

Sharing a role across multiple teams can provide attackers with significant access. In this case, I could read confidential reports, download database backups, and modify content on the CDN and website. I had complete control over data on almost every aspect of Huobi’s business.

Arguably, the most dangerous aspect of this breach is the write access it granted to Huobi’s CDN and website. The company spends a lot of money on testing to ensure that black hat hackers cannot gain write access to the infrastructure. It’s frustrating that Huobi would leak the same access.

Once an attacker can write to a CDN, it is easy to find opportunities to inject malicious scripts. Once a CDN is compromised, all websites linked to it may also be compromised. Take Huobi’s login portal as an example.

Huobi’s US login page loads resources from at least five different CDNs. Let’s focus on the red part above. One of the five is obviously a bucket, huobicfg.s3.amazonaws, because the URL contains the string "s3.amazonaws".

But the other four also correspond to compromised buckets. I was able to get CloudFront to generate verbose response headers for invalid requests. The header shows that part of the hbfile.net domain is served by CloudFront through AmazonS3.

In this case, CloudFront acts as a middleman, redirecting hbfile.com requests to the S3 bucket. I found four of the five CDNs in the list of compromised buckets.

I could write and delete files on all of the CDNs.

Generally, compromised CDNs and websites are difficult for consumers to detect. From the user's perspective, they are visiting a trustworthy website. Users cannot tell whether files stored on a CDN have been changed.

With anti-malware software, certain malicious scripts may be allowed to run because they are served from the correct source. For black hat hackers, compromising a CDN is one of the most effective ways to inject code or malware into a website.

Huobi made it easy for malicious users to take over their CDN and website. As far as I know, every login page operated by the company is affected by this vulnerability.

For two years, every user who logged into Huobi’s website or app risked losing their account.

The breach also raises privacy concerns. Using Huobi’s leaked credentials, I was able to access customer relationship management (CRM) reports containing user information.

The reports I found had contact information and account balances for “crypto whales.” Whales are wealthy users with large amounts of cryptocurrency, and Huobi is clearly interested in building relationships with them.

The company appears to rank these users based on their ability level. Users with greater market influence will be ranked higher.

In total, Huobi leaked the contact information and account information of 4,960 users.

Another set of data exposed by the Huobi leak is a database of over-the-counter (OTC) transactions.

When unzipped, the database backup exceeds 2TB and appears to contain every OTC transaction Huobi has processed since 2017. This may be a concern for many traders, as one of the benefits of OTC trading is increased privacy.

Some OTC trades are highlighted below. Anyone doing OTC trading on Huobi has experienced such information leaks since 2017.

In the screenshot above, you can see the user account, transaction details, and the trader’s IP address. The complete database contains tens of millions of such transactions.

There are also notes in the database that give us some insight into how Huobi manages its OTC platform behind the scenes.

Document details Huobi’s infrastructure

Huobi leaked information about itself. The attachment shows the inner workings of its production infrastructure. Software stacks, cloud services, on-premises servers and other sensitive details are listed.

These files, like other data leaked from Huobi, are now safe.

One of the most unusual CDNs affected by the Huobi breach is the Utopo Blockchain NFT. A malicious user could alter the JSON file on the CDN to edit the NFT.

NFTs are links to JSON files on the blockchain. When JSON files are modified, they change the characteristics of the NFT. In this case, all NFTs were editable, even though I didn't make any changes.

The security risks surrounding NFTs are still being explored. In some cases, modified NFTs may be used to inject malicious code into browsers, applications, or games. There's nothing to suggest that happened here.

Timeline

Here's the full timeline of events:

Ultimately, Huobi revoked the credentials and secured their cloud storage.

Huobi users narrowly escaped.

Unfortunately, in this case, I can't conclude that Huobi has done their job well. It was bad enough to leak its own Amazon credentials, but it took months to get a response, and even then, Huobi chose to leave the credentials online.
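The post above identifies the core mistake as a single shared role whose credentials could write to every one of Huobi's 315 buckets. As an added example (not code from Aaron Phillips or from Huobi), the following Python script statically checks an IAM policy document for Allow statements that grant S3 write actions without naming a specific bucket, and contrasts a constructed all-buckets policy with one scoped to a single CDN bucket; the bucket name example-android-cdn and both policies are constructed for illustration.

```python
import fnmatch
import json

# Concrete S3 actions that let the holder change what a bucket serves (the
# capability the leaked credentials carried). IAM action globs are
# case-insensitive, so everything is compared in lower case.
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putbucketpolicy")
S3_ARN_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_write(action_pattern: str) -> bool:
    """True if an action glob such as 's3:*', '*' or 's3:Put*' matches a write action."""
    return any(fnmatch.fnmatchcase(a, action_pattern.lower()) for a in WRITE_ACTIONS)

def _bucket_unscoped(resource: str) -> bool:
    """True if the resource ARN does not pin the grant to one named bucket."""
    if resource == "*":
        return True
    if not resource.startswith(S3_ARN_PREFIX):
        return False
    bucket = resource[len(S3_ARN_PREFIX):].split("/", 1)[0]
    return "*" in bucket

def overbroad_s3_writes(policy: dict) -> list:
    """Return Allow statements granting S3 writes on unscoped bucket resources.
    Simplification: NotAction, NotResource and Deny statements are not modelled."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action", [])) if _grants_write(a)]
        resources = [r for r in _as_list(stmt.get("Resource", [])) if _bucket_unscoped(r)]
        if actions and resources:
            findings.append({"Sid": stmt.get("Sid", "<unnamed>"),
                             "Action": actions, "Resource": resources})
    return findings

# Constructed sample: one shared role, writable across every bucket in the account.
SHARED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllBuckets", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed sample: a per-workload role scoped to the one bucket it deploys to
# (example-android-cdn is a placeholder name, not a bucket from the post).
SCOPED_CDN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadCdn", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [S3_ARN_PREFIX + "example-android-cdn", S3_ARN_PREFIX + "example-android-cdn/*"]},
    {"Sid": "DeployCdn", "Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": S3_ARN_PREFIX + "example-android-cdn/releases/*"}]}

if __name__ == "__main__":
    for name, policy in (("shared", SHARED_ROLE_POLICY), ("scoped", SCOPED_CDN_POLICY)):
        print(name, json.dumps(overbroad_s3_writes(policy)))
```

Run it against your own policy documents (for example the output of `aws iam get-role-policy`) to surface roles that can rewrite every bucket's content the way the leaked credentials could.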