White hat disclosure: Huobi leaked OTC trading information, large-account information, customer information, internal technical architecture and more on a large scale in 2021.

Huobi leaked confidential information such as OTC trading records, large-account details, customer information, and technical architecture on a large scale in 2021.

Author | Aaron Phillips

Compiled By | Wu Shuo Blockchain (Huobi's response indicates that no actual leak occurred; the data was only downloaded by the white hat)

Recently, some users received a white hat email, which said:

Hi, my name is Aaron. I’m writing to tell you that some of your personal information has been publicly exposed on the Internet. I reported the problem and made sure it was fixed. Your information is no longer online. (Editor’s note: Unable to confirm whether this information has been downloaded or even bought by others)

Cryptocurrency exchange Huobi accidentally leaked “Whale Report” in a recent data leak. These reports contain the name, phone number, address and email address you provided to Huobi when you registered. They also have information about your wallet balance and assets.

The original text is as follows, and the content of the article has been confirmed by SlowMist to be “responsible disclosure by white hats”:

https://phillips.technology/blog/huobi-crypto-aws/

phillips.technology is the personal website of white hat hacker, citizen journalist and consumer advocate Aaron Phillips. Aaron Phillips is a US professional with 4 years of experience in the field of network security and 20 years of IT experience. His work mainly focuses on protecting consumers from the impact of data leaks and security vulnerabilities, and it has been reported on some of the most popular technology news websites in the world. His areas of focus include mobile and web application security, cloud security, and network penetration testing.

Huobi’s response:

The incident occurred on June 22, 2021, when some personnel did not operate the Japanese station's test-environment S3 bucket in accordance with regulations; the relevant user information was completely isolated on October 8, 2022. After the white hat team discovered the incident, Huobi's security team first handled it on June 21, 2023 (10 days ago) and immediately closed access to the relevant files. The vulnerability has now been fixed, and all relevant user information has been deleted. Thanks to the white hat team for their contribution to Huobi's security.

The full text is as follows:

Huobi quietly fixed a data leak that could have given access to the company’s cloud storage. Huobi inadvertently shared a set of credentials that granted write permission to all of its Amazon Web Services S3 storage buckets.

The company uses S3 buckets to host its CDN and website. Anyone who has access to these credentials can modify content on domains such as huobi.com and hbfile.net. The Huobi credential leak also resulted in the exposure of user data and internal files.

Attackers taking advantage of Huobi’s mistake would have had the opportunity to carry out the largest cryptocurrency theft in history.

If Huobi had not taken action, this vulnerability could have been used to steal user accounts and assets. The company has removed the affected accounts, and its users are no longer at risk.

While examining open Amazon Web Services (AWS) S3 buckets, I discovered a sensitive file containing AWS credentials. After some investigation, I found that the credentials were genuine, and the account belonged to Huobi.

Although Huobi has removed the exposed accounts from the leak, the company has not yet removed the file. These credentials are still available online for anyone to download.

According to metadata assigned by Amazon, Huobi accidentally released the file in June 2021.

This means that the company has been sharing production AWS credentials for about two years.
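The root cause described above is a file containing live AWS credentials sitting in a bucket that was later made public. The following is an added example (not from the original post or from Huobi) of a pre-publish check that scans object contents for AWS access key IDs and secret access keys so such a file is blocked before it is exposed; the sample objects are constructed, and the key values are the placeholders from AWS's own documentation, not real credentials.

```python
import re

# Long-term (AKIA) and temporary (ASIA) access key IDs have a fixed shape;
# a secret access key is 40 base64-like characters next to its usual variable name.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)

def scan_text(text, source="<object>"):
    """Return (source, line_no, kind, redacted_value) for every credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(0)
            findings.append((source, line_no, "access_key_id", key[:4] + "..." + key[-4:]))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, line_no, "secret_access_key", "****" + m.group(1)[-4:]))
    return findings

def scan_objects(objects):
    """Scan a dict of object_name -> body; an empty report means publishing is safe."""
    report = {}
    for name, body in objects.items():
        hits = scan_text(body, source=name)
        if hits:
            report[name] = hits
    return report

# Constructed sample objects (hypothetical bucket contents), including AWS's
# documented example key pair rather than any real credential.
SAMPLE_OBJECTS = {
    "config/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "static/app.js": "console.log('no secrets here');\n",
}

if __name__ == "__main__":
    for name, hits in scan_objects(SAMPLE_OBJECTS).items():
        for _, line_no, kind, redacted in hits:
            print(f"BLOCK publish: {name}:{line_no} contains {kind} {redacted}")
```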

Anyone who downloads the credentials will have full access to Huobi’s cloud storage bucket. I was able to upload and delete files in all of Huobi’s S3 buckets. This is particularly dangerous because Huobi uses buckets extensively.

These credentials could be used to modify and control many of Huobi’s domains. Attackers could use Huobi’s infrastructure to steal user accounts and assets, spread malware, and infect mobile devices.

There is no evidence that anyone has used this vulnerability to attack Huobi.

Write access to critical S3 buckets

To assess the impact of this breach, I first listed everything that could be listed. I found a total of 315 buckets, many of which were private.

Some of these buckets share names with websites and CDNs operated by Huobi. For example, is a CDN that hosts content used by many Huobi websites and applications.

Next, I tried to write to the storage bucket. I was able to write and delete files in all 315 storage buckets. In the screenshot below, I uploaded a file to Huobi’s CDN used for storing and distributing Android applications.

Malicious users may have uploaded modified versions of Huobi’s Android application.

Amazon uses IAM roles to control access to its cloud services. For large companies like Huobi, it is not uncommon to create a single role to manage their cloud storage. However, this approach is a poor one.

Sharing a single role across multiple teams can provide attackers with a lot of access. In this case, I could read confidential reports, download database backups, and modify content on the CDN and website. I had complete control over almost every aspect of Huobi’s business data.
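The single-role-for-all-storage pattern criticised above can be caught before it ships by auditing IAM policy documents. The following is an added example (not Huobi's code or AWS tooling) that flags any Allow statement granting S3 write actions on every bucket; both policy documents and the bucket name are constructed for illustration.

```python
import fnmatch

# S3 actions that let a principal alter what a CDN or website serves.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:PutObjectAcl"}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    """IAM action patterns ("s3:*", "*") are case-insensitive wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def broad_write_grants(policy):
    """Return Allow statements that grant S3 write on all buckets (one role for everything)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        writes = [a for a in WRITE_ACTIONS if any(_action_matches(p, a) for p in actions)]
        all_buckets = any(
            r in ("*", "arn:aws:s3:::*") or r.startswith("arn:aws:s3:::*/") for r in resources
        )
        if writes and all_buckets:
            findings.append({"Sid": stmt.get("Sid"), "actions": sorted(writes), "resources": resources})
    return findings

# Constructed policies: BROAD mirrors a single role managing all storage;
# SCOPED confines a deploy role's writes to one hypothetical CDN bucket.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllStorage", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CdnDeploy", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
    {"Sid": "ReadAnything", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD_POLICY), ("SCOPED", SCOPED_POLICY)):
        print(name, "->", broad_write_grants(policy) or "no broad write grants")
```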

It can be said that the most dangerous aspect of this breach is that it granted write access to Huobi's CDN and website. The company spent a lot of money on testing to ensure that black hat hackers could not gain write access to this infrastructure. It is frustrating that Huobi leaked the same access.

Once an attacker can write to the CDN, it is easy to find opportunities to inject malicious scripts. Once the CDN is compromised, all websites linked to it may also be compromised. Take Huobi’s login portal as an example.

Huobi’s US login page loads resources from at least five different CDNs. Let’s focus on the red part above. One of these five is obviously a storage bucket, huobicfg.s3.amazonaws.com, because the URL contains the string “s3.amazonaws.com”.

But the other four also correspond to compromised storage buckets. I was able to get CloudFront to generate detailed response headers for invalid requests. The headers show that part of the content of the hbfile.net domain is served from Amazon S3 through CloudFront.

In this case, CloudFront acts as a middleman, redirecting hbfile.com requests to S3 storage buckets. I found four of the five CDNs in the list of compromised storage buckets.

I can write and delete files on all CDNs.

Generally, it is difficult for consumers to detect compromised CDNs and websites. From the user's perspective, they are accessing a trusted website. Users cannot determine whether the files stored on the CDN have been altered.

For anti-malware software, certain malicious scripts may be allowed to run because they are served from the correct source. For black hat hackers, compromising a CDN is one of the most effective ways to inject code or malware into a website.
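Subresource Integrity (SRI) is the standard countermeasure to the problem just described: the page pins each CDN-hosted script to a hash, so a browser refuses to run a file that has been altered in the bucket. The following is an added example (not part of the original post) that generates the integrity value at build time and mirrors the browser-side check, including the rule that the strongest listed algorithm decides; the script content and the CDN URL are constructed.

```python
import base64
import hashlib

# SRI algorithms in ascending strength; a browser uses the strongest one present.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value for content, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def sri_matches(content: bytes, integrity: str) -> bool:
    """Browser-side rule: accept content only if it matches one of the hashes
    given for the strongest algorithm in the integrity attribute."""
    by_alg = {}
    for token in integrity.split():
        alg, _, value = token.partition("-")
        if alg in SRI_ALGORITHMS and value:
            by_alg.setdefault(alg, set()).add(value)
    if not by_alg:
        return False  # no usable hash: treat as a failed check, not as "no policy"
    strongest = max(by_alg, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).partition("-")[2]
    return actual in by_alg[strongest]

def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag pinning a CDN-hosted file to the build that was reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')

# Constructed CDN file and a tampered copy of it (hypothetical, not real site content).
ORIGINAL = b"window.login = function () { /* reviewed build */ };\n"
TAMPERED = ORIGINAL.replace(b"reviewed", b"altered")

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/login.js", ORIGINAL)
    print(tag)
    print("original passes:", sri_matches(ORIGINAL, sri_hash(ORIGINAL)))
    print("tampered passes:", sri_matches(TAMPERED, sri_hash(ORIGINAL)))
```

A file that is altered in the bucket fails the check in the user's browser even though it is still served from the expected origin, which is exactly the gap the paragraph above describes.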

Huobi makes it easy for malicious users to take over their CDNs and websites. As far as I know, every login page operated by the company is affected by this vulnerability.

For two years, every user who logs into the Huobi website or application may face the risk of losing their account.

This breach also involves privacy issues. Using the credentials leaked by Huobi, I was able to access CRM reports containing user information.

I found contact information and account balances for “whales” in the report. Whales are wealthy users with large amounts of cryptocurrency, and Huobi is clearly interested in building relationships with them.

The company appears to rank these users by their market influence: users with a greater ability to influence the market receive a higher ranking.

Huobi leaked the contact and account information of a total of 4,960 users.

Huobi also leaked another set of data. It is the database of over-the-counter (OTC) transactions.

After decompression, the database backup is more than 2TB and appears to contain every OTC transaction that Huobi has processed since 2017. This may be a concern for many traders, as one of the advantages of OTC transactions is increased privacy.

The following shows some of the OTC transactions. Anyone who has conducted OTC transactions on Huobi since 2017 has had their information exposed in this leak.
