Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15
The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, aka an "invalid curve attack."...
Monero: Locked_Transfer functional burning
Summary: Using the lockedtransfer command in the monero-wallet-cli, users can send outputs with high lock times like 1,000,000 blocks. A vendor will accept these transactions with no warnings and credit a user balance. The user can now withdraw or sell this balance and the vendor is left with...
TradingView Cross-Site Scripting Vulnerability
TradingView Charting Library is an open source and free K-line chart analysis tool with a comprehensive API. It supports ordinary JSON data via UDF and also supports WebSocket via JSAPI; most digital currency exchanges use this component library as a K-line analysis tool. TradingView has a...
Lazarus Group’s AppleJeus MacOS malware targeting cryptocurrency exchanges
By Waqas Lazarus Group is believed to be backed by the North Korean government, and now it is using AppleJeus MacOS malware. Security researchers from the Global Research and Analysis Team at Kaspersky Lab have discovered the first-ever Lazarus-deployed malware for MacOS. It is reported that Lazar...
Google Chrome < 63.0.3239.84 Multiple Vulnerabilities
Watch: An Account Takeover Attack Using Credential Stuffing, and How to Protect Against It [Video]
As cryptocurrencies continue to grow in diversity, so too do the threats they face, specifically those targeting the cryptocurrency exchange. Now, more than ever, cryptocurrency exchanges are facing security threats in the form of volumetric and application-layer DDoS and account takeover (ATO)...
Safe as houses: 5 security measures adopted by cryptocurrency exchanges
By Waqas Cryptocurrencies rely on the blockchain, a decentralized ledger that records all transactions ever made within it. The blockchain network consists of multiple nodes that maintain it. To gain control over the network and tamper with transaction data, a hacker would have to compromise most of the...
How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners
Introduction Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, extending far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and...
Full Disclosure of Highly-Manipulatable, tradeTrap-Affected ERC20 Tokens in Multiple Top Exchanges(CVE-2018-11446)
Update: 2018-06-12 The BMB BMB contract 0x0e935e976a47342a4aee5e32ecf2e7b59195e82f is NOT affected by tradeTrap. We sincerely apologize for mistakenly listing it as a vulnerable ERC20 token. Quoted from our last blog 1, “publicly tradable ERC-20 tokens have considerably high market value. Various...
New evilReflex Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-12702, CVE-2018-12703)
Update: 2018-06-24 With swift, coordinated response from Huobi.pro, we appreciate the announcement 11 on suspending the deposits and withdrawals of affected tokens! Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow...
Monero: A bug in the Monero wallet balance can enable theft from exchanges
Summary: A Monero bug already fixed in master allows theft from exchanges. This has been exploited against a Monero-derived coin, so the exploit may be underway currently. Description: fluffypony: Also please mention you spoke to me and I recommended you put it on HackerOne PR 3985 fixed a wallet...
traffic-exchanges-monsoon.de XSS vulnerability
Open Bug Bounty ID: OBB-640758

| Description | Value |
|---|---|
| Affected Website: | traffic-exchanges-monsoon.de |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score: | 6.1... |
In the New “Wild West” Even “Small” Cryptocurrency Theft is Costing Billions
Over the weekend, another cryptocurrency exchange was breached. This time it was “only” $40 million in cryptocurrency. However, as a result, cryptocurrencies overall lost more than $40 billion in value following the attack. That’s not a typo - a $40 million heist cost the market more than $40...
Regulating Bitcoin
Ross Anderson has a new paper on cryptocurrency exchanges. From his blog: Bitcoin Redux explains what's going wrong in the world of cryptocurrencies. The bitcoin exchanges are developing into a shadow banking system, which does not give its customers actual bitcoin but rather displays a "balance"...
New allowAnyone Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11397, CVE-2018-11398)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow1, proxyOverflow2, transferFlaw3, ownerAnyone4, multiOverflow5, burnOverflow6, ceoAnyone7. Some of them could be used by attackers to generate tokens out of nowhere ...
Bitcoin Gold loses over $18 million after hack attack
By Waqas Hackers are conducting a double-spend attack on cryptocurrency exchanges and the...
Panda Banking Trojan Diversifies into Cryptocurrency, Porn, Other Targets
The Panda banking trojan, a spin-off from the infamous Zeus malware, is widening its net to attack more than just financial services targets, as seen in three ongoing campaigns discovered in May. The Windows-focused Panda is far from the cuddly thing its name would suggest. It has a full arsenal ...
New proxyOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10376)
On 4/24/2018, 01:17:50 p.m. UTC, PeckShield again detected an unusual MESH token transaction shown in Figure 1. In this particular transaction, someone transferred a large amount of MESH token — 0x8fff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff (63 f’s) — to herself...
Cybercriminals vs financial institutions in 2018: what to expect
Introduction – key events in 2017. 2017 was a year of great changes in the world of cyberthreats facing financial organizations. Firstly, in 2017 we witnessed a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world's financial ecosystem. Attackers were able...
Security vulnerabilities fixed in Firefox ESR 52.4 — Mozilla
A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed while still in use, resulting in a potentially exploitable crash. A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements...