8 matches found
CVE-2023-41693
Cross-Site Request Forgery (CSRF) vulnerability in edwardplainview MyCryptoCheckout plugin <= 2.125 versions...
49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets
Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. The 49 browser add-ons, potentially the work of Russian threat actors, were identified fi...
MyCrypto: The Twitter accounts are linked on page but unclaimed.
Hey team! There are two unclaimed social media accounts on "https://about.mycrypto.com". Accounts: https://twitter.com/rikasukenik https://twitter.com/sharonmanriquej Proof of Concept (POC) For account one: F562323 For account two: F562307 F562308 F562310 Note: Yes, you noticed that like "Social...
MyCrypto: HTML Injection on https://www.mycrypto.com/
A vulnerability was reported by t-pwn that allowed arbitrary HTML injection via the notifier functionality. After a keystore file was uploaded, the filename would be shown without first sanitizing it. MyCrypto has since fixed our notification to no longer display the unsanitized filename...
MyCrypto: Content Spoofing or Text Injection support.mycrypto.com
w2w reported a text injection attack where the user could be shown arbitrary text injected via query parameters. The MyCrypto team worked with w2w to resolve these issues, and appreciate the responsible disclosure. We look forward to continuing to work with the security community to triage and...
MyCrypto: Missing SPF record for the in scope domain
nli@nlistation:$ dig mycrypto.com txt ; DiG 9.10.3-P4-Ubuntu mycrypto.com txt ;; global options: +cmd ;; Got answer: ;; -HEADER DiG 9.10.3-P4-Ubuntu gmail.com txt ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 19223 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1,...
MyCrypto: DOM Based XSS in mycrypto.com
Description & PoC The "connected successfully" message is printed out without any output sanitization: F271357 This is how it's being printed (this code snippet is taken from mycrypto-master.js, line 4072): F271359 An attacker can simply put his payload at the link and it'll be embedded within the pag...
MyCrypto: Reflected XSS { support.mycrypto.com }
A reflected XSS was reported by sup3r-b0y that was activated by displaying unsanitized values of query parameters. The MyCrypto team worked with sup3r-b0y to identify and verify the fix, and are happy to confirm that the vulnerability described in the report has now been fixed. We are happy to...