Reddit Email Vulnerability results in Bitcoin Cash Embezzlement
The investigation of stolen Bitcoin Cash (BCH) from the hot wallets of community members of r/btc, a Reddit group that advocates bitcoin rival bitcoin cash, has concluded. The progress made in the inspection revealed that the hack was accomplished using the Tippr bot.
The hacker used the defenseless third-party email functionality that Reddit uses for point of access. The malicious attack turned up as a reset from Reddit in the form of an email. Straightaway the password change was authorized using another email. Even users with 2FA (two-factor authentication) suffered from Reddit’s email vulnerability. Additionally, users reported no suspicious activity in their official emails. Hackers were available reset passwords without opening the actual email of the individual.
How does Tippr work?
The tipper first sends the bot the deposit along with a comment. The Tippr bot will recognize the donation and confirm the tip. In return, the receiver has to send a message to the bot with their BCH wallet address and the amount. Once the bot verifies the information, it will allow the recipient to access the money.
Reddit blames Mailgun for BCH hacks
Reddit confirmed Mailgun, a third-party service to send automated emails, as the Achilles heel. According to Reddit, only a few emails were compromised. The social news aggregation site, owned by Advance Publications, assured that “less than twenty” emails were hacked.
Reddit has blamed Mailgun for the email vulnerability that cost many BCH supporters their coins. The automated email subcontractor had accepted the occurrence of the event but asserted “customer payment information was not compromised.” The company claims around one percent were affected by the attack vector.
Josh Odom, Mailgun CTO, guaranteed that the point of access the hackers exploited has been closed. Additionally, he confirmed that more security measures have been put into place to safeguard users data.
Odom said, “Mailgun has now completed its diagnostic of accounts that were affected and has notified each of the affected users. At this time, we believe less than one percent of our customer base was potentially affected.”
Tippr is the reason for the attack
The reasons why the hacker targeted Reddit users was due to the incentive that users can gain via Tippr bot, allowing the hackers to make some quick money. Tippr is generally used to award funny comments on the website. Once a donor tags and sets the desired amount for donation, Tippr will withdraw from the BCH hot wallet of the giver and transfer the amount to the recipient.
Creator of Tippr, Rob Danielson, is convinced that the wrongdoer is “someone [who] realized they had an opportunity to make a quick buck.” According to him, the culprit may have made around $2,000 to $4,000 worth of BCH utilizing the compromised accounts to request donations from Tippr via Reddit private message. The bot was temporarily disabled on Reddit after the incident went public. Although, Tippr has not reactivated on the news aggregation site. In December, Tippr had witnessed a flow of around $50,000 in BCH.
Reddit confirms BCH hacks
The hacker has not gained access to Reddit accounts as well as user’s personal accounts. Reddit engineer gooeyblob confirmed:
“A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails. The nature of the exploit meant that an unauthorized person was able to access the contents of the reset email. This individual did not have access to either Reddit’s system or to a Redditor’s email account. As an immediate precautionary measure, we moved reset emails to an in-house mail server.”
Reddit is one of the most ten most visited websites on the web. Initially many predicted it to be an inside job by a Reddit administrator. The discussion board r/btc’s users were hacked and even for a period of 30 minutes the subreddit was pointed to r/bitcoin. Also, several BCH forum users were hacked during the same time, specifically the ones that use similar tipping bots.
Initial allegations of hacks
Earlier, allegations were made against Bitcoin supporters that could not see the growing BCH market. Over the past week, the social media has witnessed arguments between the followers of Bitcoin and Bitcoin cash.
Hackers exploited using the third-party functionality on Reddit to steal thousands of dollars of BCH from the r/btc users. A Reddit moderator’s account was first compromised on December 20, 2017. According to Jessquit, the user, administrative privileges were misused, and the r/btc subreddit was redirected to the rival r/bitcoin. More reports followed up in the next couple of weeks.
On December 31, Jessquit said: “My account was just hacked a few hours ago and the password changed […] The attacker was able to change my password by sending a password recovery email then clicking the link in the email to reset the password, even though I have activated [two-factor authentication] on my Reddit account, and my email was not compromised. This is a very dangerous turn of events.”
Reddi, Tippr, and Mailgun are back in action
Reddit and Mailgun have claimed that the breach issue is resolved. Reddit engineer gooeyblob assured:
“We are continuing to work with Mailgun to make sure we have identified all impacted accounts. At this time, the overall number of confirmed impacted users is less than twenty. For those affected, we have resolved the issue and assisted in account recovery.”
What is your take on the Bitcoin Cash hack that occurred on Reddit? Let us know your opinion in the comments section.