How I Hacked The Block and What They Did About It — Part 1 Yousef Follow Sep 6, 2019 · 4 min read

LEGAL DISCLAIMER: The sole purpose of this two-part blog post is to highlight the technical shortcomings of The Block which had been posing a giant risk to sensitive customer information as well as its site visitors. I am not looking for any compensation of any kind, and have not been paid by any entity to write this post. I did not misuse or exploit the described information in any way, shape or form. The title of this post is merely for clickbait purposes.

The Misconfigured Script

This story begins in the wee hours of Saturday 31/08 on Sunday 01/09. On occasion I test various sites for any potential vulnerabilities and notify site owners if I do find any bugs, sort of like a hobby. In the past I have helped various well-known companies with a number of minor bugs, but what I stumbled upon this night was appalling, to say the least.

I namely found the Jenkins dashboard (a tool to automate stuff for servers) of The Block; an up-and-coming news outlet for cryptocurrency news. Any half-competent person in IT would think it wise to secure access to this dashboard, but apparently the good people of The Block didn’t think so up until this morning, after finding out I was indeed going to release this blog post, and something they had stubbornly refused to do before that. This was mistake number 1.

The second, and far more severe, issue was that this dashboard displayed outputs of private Jenkins jobs. One of these jobs was displaying numerous sensitive details, as shown in the below image. (Note: any sensitive information has been hidden to protect The Block in the unlikely scenario that they haven’t changed these keys yet)

Mistake #2: Displaying mission-critical API keys in a publicly accessible environment

As you can see, this job was displaying API keys for a number of mission-critical aspects of The Block. This meant that, for a number of weeks, literally anyone could have seen and used these API keys to do irrevocable damage to The Block due to sheer negligence.

Highlighted in yellow are the most relevant API keys, namely for GitHub as well as a service called Terminus. I will get back on the Terminus key later, but let us first re-examine the image. From line 15 onward, we can namely see that the Jenkins job is pulling sensitive information from a repository hosted on GitHub in order to carry out its tasks. Yes, you’ve read that correctly: The Block is hosting extremely sensitive information in a GitHub repository, something which should NEVER be done, and the details of which could have been retrieved with only the GitHub API key found in line 30 of the output. This is mistake #3.

Back to the Terminus key. The Block currently utilizes a service known as Pantheon, which is a high performance hosting platform. Terminus is Pantheon’s CLI, used for “advanced interaction with Pantheon”. How advanced? Let’s take a look at the Terminus manual.

Based on the manual, we can see that is indeed possible to access Terminus with only an API key, and that we hypothetically speaking could have performed various, extremely dangerous, tasks. Here is a small list of things of things that, hypothetically speaking, could have been possible, should the API key have fallen in the wrong hands:

Could we have authenticated solely with the API key? Yes

Could we have retrieved connection information for the live environment? Yes

Could we have gotten and downloaded the latest backup of the site, which (I presume) includes sensitive customer information of Genesis subscribers? Yes

Could we have pushed a malicious version of the site to unsuspecting visitors? Wipe the entire site, files and databases? YES

The worst part of this all, is that there is no notification system of any kind I could find in the documentation/manual, so The Block staff wouldn’t know what happened in these scenarios until it was way too late. Cumulatively, this is mistake #4.

Summary

To sum up, we can conclude that The Block staff have been technically negligent in the running of their business, which — for a number of weeks — resulted in their site visitors, as well as member’s information, potentially being jeopardized.

Mistake 1: Allowing anyone to view their Jenkins Dashboard

Mistake 2: Displaying outputs of private Jenkins jobs, resulting in mission-critical API keys being visible

Mistake 3: Storing extremely sensitive information in a GitHub repository, accessible with just an API key

Mistake 4: Not having any logging or notification system of any kind, allowing the Terminus API key to perform dangerous actions such as dumping a database (with sensitive customer information) and pushing a malicious version of the site to the live environment (therefore affecting tens of thousands of unsuspecting visitors)

The Block’s CEO, Mike Dudas, described these details as “a moderate security issue” and subsequently as “the minor issue”. I will let you, the reader, be the judge of the severity of what has been described.

Given untruthful accusations by Mike Dudas, the repeated downplaying of the severity of the disclosure, the apparent intent to have swept this issue under the rug and the intentional contortion of the truth by both Mike Dudas as well as Jake McGaw, I will be posting the entire email transcripts in part 2, as well as a number of other relevant screenshots (including tweets Mike Dudas has since deleted).

Follow me on Twitter to be notified when part 2 is released!