Nicehash is a very popular crypto-currency marketplace where people can use their computing device power for crypto currency mining and get paid in Bitcoins. The vulnerability was originally discovered by security researcher Ashutosh Barot from Deloitte and he wrote about it in this blog post on cyber world mirror.
Ashutosh explained how he used the vulnerability and found random cryptominers’ recent payment information, unpaid wallet balance, Bitcoin wallet address, workers information, Mining stats and more. Crypto miners are concerned about their privacy because some regions have banned cryptomining and they may be illegal.
Here’s the video proof of concept as published by the researcher.
Three vulnerabilities were found in NiceHash miner software v18.104.22.168, as explained here.
1. Username Enumeration through Error Message. [CVE-2019-6122]
The error message reveals if it is a valid email address associated with a NiceHash user.
2. Missing Rate Limit while adding a wallet. [CVE-2019-6120]
Attackers can try unlimited accounts until they hit a right one.
By chaining these vulnerabilities, attackers can identify large number of valid email addresses of nicehash users from a large dump.
3. Missing Authorization check after submitting email address. [CVE-2019-6121]
Once an attacker has identified NiceHash miner’s email address, he can just enter it in the software while adding the wallet. Before v22.214.171.124 NiceHash used to ask for BTC address here but after 126.96.36.199 NiceHash provided this option to start mining by adding their BTC wallet by email address.
So anyone who knows your email address can mine crypto currency on behalf of you! No issue till this point, But all the information regarding recent payments from NiceHash, Bitcoin wallet address, unpaid balance, old balance (Balance before the December 2017 breach) ,etc. is visible after clicking ‘View Online Stats button’! Miners information is all yours in a web browser with a URL like this.
This is because of a feature called ‘find miner’ in NiceHash, which helps identify buyers finding high performing crypto miners, but Ashutosh found a way to identify a Bitcoin wallet address associated with an email address.
To demonstrate the impact, researchers explained how easily he found some valid email addresses of NiceHash users from their twitter and linkedin profiles and successfully accessing information of their crypto mining activity. MITRE has assigned CVE-2019-6120, CVE-2019-6121, CVE-2019-6122 to these findings.
As of now, NiceHash users can’t change their emails and this vulnerability works in older versions. Crypto miners’ privacy is important to them as some countries, cities has banned crypto mining. Also crypto-mining activity clearly shows financial gain of crypto miners which makes them vulnerable to kidnappings.