A month ago I reported a bug within the Cryptsy API. They have acknowledged the bug and originally promised to implement a fix.
Cryptsy have still not implemented any fix and as such I think it is appropriate to make other community users aware of this.
Other exchanges have appropriate API implementations which are protected by using hash and API Key values. Each packet is signed and is made unique by using a 'nonce value' - this is an incremental number. This is used to ensure the received packet is unique. This is to prevent potential replay attacks, i.e. reusing messages/packets sent to the API.
Duplicate / non-unique packets should be ignored/dropped by the API. What Cryptsy allow is the ability for a malicious user to replay the same message to the API. This would require a malicious user to obtain a copy of your API Key and also the ability to packet capture from your local computer.
It is a relatively low risk attack vector but it's important that Cryptsy address a fix. We have seen other data leakage caused by bugs/vulnerabilities within OpenSSL which could contain sensitive data such as an API Key! If a malicious user was capable of exploiting this they would perform repeated actions using a replay attack.
Cryptsy really should have built in some sort of mechanism that would prevent any type of replay attacks. An avoidance as simple as something like expiring tokens, hash values, or anything that invalidates after each process is finished. This would also work with HTTP and not just HTTPS which it's not even using.
I'm glad you made this post IGHOR, like I said earlier, somebody over at Cryptsy needs a swift kick in the ass.
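The server-side check the thread describes (signed request plus an incremental nonce, with duplicates dropped), as an added example that is not part of the original posts and is not Cryptsy's or any exchange's code. The key, secret, field names and the choice of HMAC-SHA512 are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample credentials (hypothetical, not real keys).
API_SECRETS = {"demo-key": b"demo-secret"}


def sign(secret, body):
    """Client side: HMAC-SHA512 over the exact POST body (assumed scheme)."""
    return hmac.new(secret, body.encode(), hashlib.sha512).hexdigest()


def verify_request(last_nonce, api_key, body, signature):
    """Server side. last_nonce maps API key -> highest nonce accepted so far.

    Returns (accepted, reason).
    """
    secret = API_SECRETS.get(api_key)
    if secret is None:
        return False, "unknown key"
    # Verify the signature first, so an unsigned request cannot advance
    # the stored nonce and lock the real client out.
    if not hmac.compare_digest(sign(secret, body), signature):
        return False, "bad signature"
    try:
        nonce = int(parse_qs(body)["nonce"][0])
    except (KeyError, ValueError):
        return False, "missing nonce"
    # The nonce is inside the signed body, so it cannot be edited without
    # the secret; a captured request therefore carries an already-used nonce.
    if nonce <= last_nonce.get(api_key, -1):
        return False, "replayed or stale nonce"
    last_nonce[api_key] = nonce
    return True, "ok"


def demo():
    """Send one constructed request, then resend the identical copy."""
    last_nonce = {}
    body = urlencode({"method": "placeorder", "quantity": "1", "nonce": 1001})
    sig = sign(API_SECRETS["demo-key"], body)
    first = verify_request(last_nonce, "demo-key", body, sig)
    replay = verify_request(last_nonce, "demo-key", body, sig)
    return first, replay
```

In a real service the last-nonce record has to be stored persistently and updated atomically with the check, otherwise two copies of the same request arriving at once can both pass.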
