investigative opinion

Reddit internal security threat: Evidence suggests Reddit employees may use their Reddit database access privileges to engage in tribal attacks and hack users

Without Fear · Jan 3, 2018

Several Reddit users active in the r/btc subreddit were hacked in December 2017. Among the victims are a moderator of r/btc (victim 1) and a user who works in anti-malware for a living (victim 2). As a result of the victim 1 hack, the entire subreddit r/btc was compromised for 15–30 minutes, showing visitors a message redirecting them to the rival subreddit r/bitcoin. Other victims include recipients of bitcoin cash tips on Reddit through tippr (victims 3, 4, 5, 6 and 7).

What is Tippr?

Tippr is a Reddit bot that allows anyone to tip any other user in bitcoin cash. To use tippr, you send the bot a private message to make a deposit into a wallet controlled by tippr. Then, to tip a user, you simply reply to one of the recipient’s comments on Reddit by mentioning u/tippr and including the amount you want to tip. So if you want to tip user Alice $5, you reply to one of Alice’s comments with “u/tippr $5”. The tippr bot will then answer the comment, telling Alice that she has received $5 in bitcoin cash (example). Alice must then create a bitcoin cash wallet, after which she can withdraw the $5 in bitcoin cash by sending the tippr bot a private message including the amount she wants to withdraw and her bitcoin cash wallet address. The bot has proven extremely successful in increasing the adoption of bitcoin cash; as victim 4 states, over $50k has been spent through the tippr bot in the last month alone. Since the bot announces tips in public when recipients receive them, an attacker can easily pick victims simply by checking the recent posts by tippr on Reddit. The developer has temporarily disabled tippr while he awaits a Reddit investigation into these hacks.

BTC vs BCH Civil War

Another piece of information that may be crucial to explaining the forces behind these attacks is the competition between bitcoin legacy (btc) and bitcoin cash (bch). Bitcoin cash is a bitcoin fork created in August 2017 which constitutes an existential threat to btc. Bitcoin cash is technically superior to the other bitcoin because it allows for much faster transactions (<10 min) and sub-cent transaction fees, while bitcoin legacy (also known as btc, bitcoin core or segwitcoin) transactions take days to go through and cost $15. The subreddit /r/btc (140k subscribers) is the only major bitcoin community on Reddit where discussions of both bitcoin legacy and bitcoin cash are allowed. The other subreddit, /r/bitcoin (over 600k subscribers), is much more conservative and bans users for discussing bitcoin cash, pointing out advantages of using bitcoin cash, or complaining about the flaws of bitcoin core. /r/btc (open) has been subject to multiple attacks from r/bitcoin (conservative), which culminated in an upvote manipulation attack. It has been proven that r/bitcoin mods and Greg Maxwell (head developer of bitcoin core) were involved. It is also worth pointing out that victim 1 was attacked on the same day and hour that bitcoin cash was making an all-time high of $4500+ per coin and an all-time high against bitcoin core at 0.27.

Attack Properties

Each of the victims first received a password reset email from Reddit, then a few minutes later an email confirming that the password had been changed, even though the first email was never opened.

My email provider is a very large provider with a name we all know. Logging is provided and there was no suspicious activity on my email account. My email account also has 2FA. The emails sent by Reddit (the first one “click here to change your password”, the second one “your password has been changed”) were unopened in my inbox. — victim 3

This report alone rules out the possibility that the attack used a compromised email account as its vector. Moreover, I personally searched all public posts made by victim 3 on Reddit, and he never mentions his email anywhere. Reddit also gives no hints about the associated email when you request a password reset for a given username. Victim 3 has posted links to his store, but the platform he uses likewise gives no hints about the associated email when you request a password reset.

Conclusion 1: none of the user emails were compromised.

Another possibility is that the hackers resorted to malware. The victims, however, included an anti-malware expert (victim 2). Still, what really proves in my opinion that malware was not involved is this report from victim 7, where he states that the attack occurred only 2 hours after he had received a tip in bitcoin cash through the bitcoin cash Reddit bot tippr.

I found a comment from yesterday where someone had tipped me in r/creepy and the hack happened within 2 hours of the tip!! — victim 7

Considering that malware attacks take time and require the victim to take the bait, this proves that no malware was involved. This statement also strongly suggests that recipients of bitcoin cash become targets.

Conclusion 2: no malware was used, because the hacks were too rapid for malware to be involved. One randomly tipped user (victim 7) was hacked within 2 hours of the moment he received the bitcoin cash tip.

The last scenario to consider with the evidence at hand is that there might be a Reddit exploit which allows third parties to intercept emails sent from Reddit’s servers to users. Considering the gravity of such a security flaw, if it were to exist, it is unlikely that whoever has knowledge of it would use the exploit to go after bitcoin cash balances of less than $10. Moreover, this also doesn’t explain why all victims are either directly involved with bitcoin cash or are early adopters recruited through the tippr bot.

Conclusion 3: All victims are either directly involved with bitcoin cash or are early adopters recruited through the Tippr bot.

Last but not least, there is the possibility that the software/algorithm Reddit uses to generate password reset links is outdated and its output values can be predicted. In other words, the hacker might be able to know in advance the password reset link Reddit is going to create for a username. After looking into the algorithm on GitHub, however, several coders on Reddit ruled out this possibility.

Diagnosis

After ruling out all these scenarios, we can conclude that the hacker sends a password reset request to Reddit on behalf of the victim and then uses the link Reddit generates to reset the password. Considering that the hacker could not have learned the reset link either by lurking in the victims’ emails (no malware involved, no emails compromised) or by intercepting the Reddit emails, there is only one other place where such information is contained and can be accessed: Reddit’s outbound emails. In other words, this is Reddit’s outbox, where all emails sent from Reddit’s servers are saved. Only a few people have access to these emails. Now again, two options are left. Either someone with access to Reddit’s database has been hacked and is not aware that his credentials are being used to hack users’ accounts, or a Reddit employee is directly involved in this and is breaking the law by using his access privileges to engage in turf wars. If the rogue player were an anonymous, external third party, they would definitely find much better use for such access than to go after tippr deposits of less than $1. Therefore the only explanation left for what is going on is that a Reddit employee who sympathises with bitcoin core (btc) is using his access privileges to attack bitcoin cash users/supporters.
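The two reset-link questions raised above (can the link be predicted, and what happens when a stored copy of the outbound email leaks) come down to how the reset token is generated, stored and redeemed. The following is an added example written for this article, not Reddit’s code: it assumes a 15-minute validity window and an in-memory store, draws tokens from the OS CSPRNG so they cannot be predicted, keeps only a hash server-side, makes each token single-use, and strips the secret from any outbox copy of the message.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


class ResetTokenStore:
    """Outstanding reset tokens keyed by username (in-memory; assumption for the example).

    Only the SHA-256 hash of each token is kept, so a copy of this table
    (a database dump, a log line) cannot be turned into a working link.
    """

    def __init__(self, now=time.time):
        self._now = now                # injectable clock, for testing expiry
        self._pending = {}             # username -> (token_hash, expires_at)

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, username: str) -> str:
        # 32 random bytes from the OS CSPRNG: not derivable from time, username or a counter.
        token = secrets.token_urlsafe(32)
        # A new request supersedes any earlier unused token for the same user.
        self._pending[username] = (self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token  # this value belongs only in the e-mail link, never in clear-text logs

    def redeem(self, username: str, token: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[username]  # expired: drop it and refuse
            return False
        if not hmac.compare_digest(token_hash, self._digest(token)):
            return False                 # constant-time compare against the stored hash
        # Single use: discard the hash before the password change proceeds,
        # so a replayed link (for example one read from an outbox archive) fails.
        del self._pending[username]
        return True


def redact_for_outbox(body: str, token: str) -> str:
    """The form an outbound-mail archive should retain: the message with the secret removed."""
    return body.replace(token, "[REDACTED]")
```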

After several posts and complaints on Reddit about these hacks, and the accumulated evidence which proves unequivocally that a Reddit employee is breaking the law, there has been no action or comment whatsoever from Reddit on this issue.

Update 1: Following this article, Reddit admins finally chimed in on the user password security exploit, saying that they have “been investigating” it.

Update 2: http://blog.mailgun.com/mailgun-security-incident-and-important-customer-information/

BCH: 1AsXFv29DNMLGctzhhwjpHNt1dqaqe7pe