A researcher at Doyensec, a security research and development company, reported to the team behind BTCPay, the decentralized payment processor for bitcoin, the discovery of a potential vulnerability in its server. It could have allowed a malicious merchant to access the platform and introduce an infected page.
In a post published on its corporate blog this August 15, the BTCPay team explains the characteristics of the vulnerability, which was detected on August 7 by Kevin Joensen. It adds that the issue was corrected the next day with the release of a new version of the server. Consequently, it recommends that users update to version 126.96.36.199.
The BTCPay team highlights the importance of users performing the update as soon as possible, although so far there is no evidence that the vulnerability has been exploited in practice.
However, some users may be affected in some way, mainly hosts or administrators. These are the ones who allow other users to register and who could therefore be “hosting your server to an unknown and potentially malicious actor.” In that sense, there is no risk for regular self-hosted instances whose operators do not allow unknown actors to register.
In this regard, the differences between the three types of BTCPay server users are explained: host (administrator), merchant (users) and customers (users who pay a merchant).
If you host the BTCPay server yourself, then you are both a host and a merchant. If you are an external host provider, the host and merchant are not the same user, since you allow other users to register and use your instance.
The post reiterates that the vulnerability only affects third-party hosts that have enabled the registration of untrusted users. For this reason, registration for other users was disabled by default during BTCPay Server deployment.
Regarding the vulnerability itself, the team states that the problems present on the server included cross-site scripting (XSS) flaws. These would have allowed attackers to inject client-side scripts into web pages viewed by other users.
In this way, an attacker could have created a page that would leak the SSH (Secure Shell) key. SSH is an administration protocol that allows users to control and modify their remote servers over the Internet. Thus, the vulnerability could be exploited by a malicious merchant, affecting the third-party host and its users.
If a malicious third party goes to a third-party host and the host clicks on the malicious link, the host could reveal the SSH key of its server, allowing the malicious third party to control it. This could then be used to progressively gain control of the server and steal Lightning Network funds.
The update sought to correct this problem by preventing the SSH key from being retrieved with an ajax request (asynchronous communication with the main server).
The post adds that the update also brings new functions to the server in order to improve the user experience. Among them, it mentions the launch of wallet labels and comments. This function lets you label each transaction made with the wallet and add personalized comments to it.
BTCPay emerged in 2017 as a decentralized alternative to BitPay, the most popular platform for processing bitcoin payments. According to its directors, at the end of 2018 it had more than 1600 commits on GitHub and support for ten altcoins, in addition to several solutions for electronic commerce. In March last year, it integrated with Lightning Network.
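The mitigation described above, sketched as an added example that is not BTCPay Server's own code: a script injected through XSS runs in the administrator's session and can read any response the browser can fetch, so the key must never appear in one. The field names, `storedSettings` and the three functions are hypothetical, and the key body is a constructed placeholder.

```javascript
// Constructed sample of server-side settings; field names are hypothetical,
// not BTCPay Server's schema. The key body is a placeholder, not a real key.
const storedSettings = {
  sshHost: "203.0.113.10",
  sshUser: "admin",
  sshPrivateKey:
    "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----",
};

// Weak form: the whole settings object is serialised into the response, so any
// script running in the admin's session can read the key with one request.
function settingsResponseWeak(settings) {
  return JSON.stringify(settings);
}

// Hardened form: the browser only learns whether a secret is configured.
const SECRET_FIELDS = new Set(["sshPrivateKey", "sshPassword"]);
function settingsResponseHardened(settings) {
  const view = {};
  for (const [name, value] of Object.entries(settings)) {
    if (SECRET_FIELDS.has(name)) {
      view[name + "Configured"] = Boolean(value);
    } else {
      view[name] = value;
    }
  }
  return JSON.stringify(view);
}

// Regression check to run over response bodies in tests: flags PEM private-key
// blocks and secret field names that reached a browser-facing response.
function findLeakedSecrets(body) {
  const findings = [];
  if (/-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/.test(body)) {
    findings.push("private key material");
  }
  let parsed;
  try { parsed = JSON.parse(body); } catch { return findings; }
  for (const name of Object.keys(parsed ?? {})) {
    if (SECRET_FIELDS.has(name)) findings.push("secret field: " + name);
  }
  return findings;
}
```

Running `findLeakedSecrets` over every admin endpoint's response in an integration test catches a later change that reintroduces the key into a browser-readable response.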