Author: Knownsec 404 Blockchain Security Research Team
Date: 2018/9/13
Chinese version: https://paper.seebug.org/700/

1.Background

At about 1:00 am on September 7, 2018, many Ethereum wallet accounts received transfer in/out notifications for a token called blockwell.ai KYC Casper Token.

Strangely, the owners of these accounts said they knew nothing about this token. The recipients did not actually receive the 100 tokens shown in the notification, and the accounts shown as sending the 100 tokens had never held the token before. All of this seemed inexplicable. What puzzled and worried people even more was that these transfer in/out operations required no password or private key input from the wallet owner, so many users who did not know what had happened feared that their wallets had been maliciously attacked.

2.Event Tracking

First, on the transaction page of blockwell.ai KYC Casper Token, we can see that the history consists entirely of transfer-out records of 100 tokens, with no transfer-in records at all.

https://etherscan.io/token/0x212d95fccdf0366343350f486bda1ceafc0c2d63

In the information for a transaction that actually reached an account, we can see that the token transfer is initiated by calling this contract, and the actual transfer can be seen in the event logs.

https://etherscan.io/token/0x212d95fccdf0366343350f486bda1ceafc0c2d63?a=0xa3fe2b9c37e5865371e7d64482a3e1a347d03acd

https://etherscan.io/tx/0x3230f7326ab739d9055e86778a2fbb9af2591ca44467e40f7cd2c7ba2d7e5d35

6.Summary

Taken together with past incidents, this event shows that attackers are remarkably "creative" at malicious attack and abuse, compared with the rather limited application scenarios of the blockchain. The event takes advantage of the fact that exchanges and platforms blindly trust contracts that meet the ERC20 standard, uses a "bug" in how the Ethereum platform itself is implemented, and pays the lowest possible "advertising fee" to push an advertisement precisely to users.

Another point worth our attention is that the fields used for the message push are customizable, so the risks this may cause deserve careful consideration. For example, pushing phishing website information, or other illegal advertisements and statements, exposes the users of platforms such as wallets to further unpredictable risks. We also remind all major wallets, exchanges and other platforms to be alert to such risks and, if necessary, to identify and filter these customizable fields.

Aside: An interesting click hijacking vulnerability

While reproducing the issue above, we found another interesting vulnerability. In the places where the contract token above is used to display small advertisements, there are a few smart contract attributes that we can control.

So if a contract display platform such as Etherscan does not handle these attributes properly, could there be a vulnerability such as XSS? After testing, we found that Etherscan had such a click hijacking vulnerability.

Let's deploy the following code first.

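    pragma solidity ^0.4.24;

    contract MyTest {
        uint256 public totalSupply;
        string public name;
        string public symbol;
        uint8 public decimals = 18;

        // ERC20 Transfer event (declaration assumed; it is not in the original listing)
        event Transfer(address indexed _from, address indexed _to, uint256 _value);

        // Constructor: name and symbol carry HTML to test how the explorer renders them
        function MyTest() public {
            name = "<a href=http://baidu.com>12321</a>";
            symbol = 'ok<img src=/ onerror=alert(1)> ';
            totalSupply = 100000000000000000000000000000000000;
        }

        // The header of this function is missing from the source; the name and
        // parameter types are assumed. It only emits the event and moves no balance.
        function emitTransfer(address arg0, address arg1, uint256 arg2) public {
            Transfer(arg0, arg1, arg2);
        }
    }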

After deployment, we use the contract to initiate a transaction.

Then look at the Etherscan page: the a tag, successfully pointed at another address, appears in the very important place where the contract information is viewed.

When a developer or user wants to view the contract information, clicking the button jumps to another location, where it can be abused further.

This is a potential click hijacking vulnerability that attackers can use to lure developers or users to the wrong contract, or even to a forged Etherscan, causing greater harm.

The vulnerability has been reported to Etherscan and fixed.
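
The summary's advice to identify and filter customizable fields, and the Etherscan rendering issue above, both come down to treating a token's name and symbol as untrusted input. The following is an added example, not code from Knownsec or Etherscan: the function names, the flag labels and the 64-character limit are assumptions, and the "KYC" symbol in the second sample is a placeholder.

```javascript
// Added example: handle on-chain token metadata as untrusted text before display.
// All names here are hypothetical; this is not Etherscan's or any wallet's code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristics: report why a name/symbol looks like an injected link or an advertisement.
function flagTokenText(text) {
  const flags = [];
  if (/[<>]/.test(text)) flags.push('markup');
  if (/\b[a-z][a-z0-9+.-]*:\/\//i.test(text)) flags.push('url');
  // Bare domain such as "blockwell.ai": a label followed by an alphabetic TLD.
  if (/\b[a-z0-9-]+\.[a-z]{2,}\b/i.test(text)) flags.push('domain');
  // Control, zero-width and bidi-override characters used to disguise text.
  if (/[\u0000-\u001f\u007f\u200b-\u200f\u202a-\u202e]/.test(text)) flags.push('control-chars');
  return flags;
}

// Build the label a wallet or explorer would show, plus the reasons to warn or hide it.
function renderTokenLabel(name, symbol, maxLen = 64) {
  const clean = (s) => String(s).trim().slice(0, maxLen);
  const n = clean(name);
  const s = clean(symbol);
  return {
    html: `<span class="token">${escapeHtml(n)} (${escapeHtml(s)})</span>`,
    flags: [...new Set([...flagTokenText(n), ...flagTokenText(s)])],
  };
}

// Constructed inputs built from the values shown on this page.
const samples = [
  ['<a href=http://baidu.com>12321</a>', 'ok<img src=/ onerror=alert(1)> '],
  ['blockwell.ai KYC Casper Token', 'KYC'], // symbol is a placeholder
  ['Example Token', 'EXT'],                 // benign control case
];
for (const [name, symbol] of samples) {
  console.log(JSON.stringify(renderTokenLabel(name, symbol)));
}
```

Escaping is the actual fix for the rendering issue; the flags are only heuristics a platform could use to decide whether to show a warning or suppress the notification.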

