Among blockchain security incidents of all kinds, cryptocurrency and digital asset trading platforms have always been the hardest-hit area: security incidents such as API interfaces being hacked and user accounts being stolen occur frequently. This time, hackers have set their sights on the third-party component that exchanges use to display market prices.
Yesterday, several blockchain security platforms issued early warnings that a third-party component contains an XSS 0day vulnerability. According to the warning from Jiangwei Security Lab, the component is TradingView, which trading platforms use to display market prices.
Public information shows that many digital asset trading platforms use this component, including large, well-known platforms such as Binance, Bitfinex, Huobi Pro and Bithumb.
SlowMist Technology's warning says that if this vulnerability is exploited maliciously, it could allow user account privileges on platforms such as digital currency exchanges to be stolen, and malicious operations could then cause loss of funds.
It is reported that the blockchain security platforms have already passed the warning about this vulnerability to the TradingView company and to a number of affected exchanges. But security personnel disclosed that some fairly large trading platforms have still neglected this vulnerability.
Text | Su Yong
Editor | Wen Dao
The price display plugin used by exchanges hides a vulnerability
If you open the market price pages of a few trading platforms, you will find that the lower-left corner of many price displays states that the price data and charts come from TradingView.
According to public information, TradingView itself is the world's largest chart technical analysis community. After the TradingView company developed it into a third-party component for displaying prices, not only did most digital asset trading platforms adopt it, but traditional financial trading platforms for securities and futures became its users as well.
Honeycomb Finance found, after inquiry, that among the exchanges ranked in the top 10 by daily trading volume, well-known digital asset trading platforms such as Binance, Bitfinex, Huobi Pro and Bithumb use TradingView to display prices.
This time, the XSS 0day that blockchain security companies have judged a "high-risk vulnerability" was hidden in this tool that users encounter every day. And it took nearly half a month before the vulnerability was classified as "high-risk".
According to SlowMist Technology, two white-hat hackers successively reported the XSS 0day vulnerability. On September 4, the first white-hat hacker reported the vulnerability to SlowMist and defined its harm level as "low risk". After the relevant exchange platforms fixed it, SlowMist did not pay it special attention either, until September 18, when a second white-hat hacker mentioned the vulnerability to them again; after that, they began distributing the XSS vulnerability early warning to all their users.
"Jiangwei Security Lab also noticed this vulnerability two weeks ago and followed its internal notification process, informing partners one after another so they could fix it," said Sun Yue, operations director of Jiangwei Security Lab, in an interview with Honeycomb Finance. A white-hat hacker has already reported this vulnerability to TradingView officially on GitHub. All exchanges currently using this component that have not yet patched the vulnerable JS file (a file written in the JavaScript language) still have this vulnerability.
Frozen, a blockchain technology developer, said that XSS is a cross-site vulnerability, and it is very dangerous once a user's traffic is hijacked: the hacker can replace the user's JS file with a modified one of their own, and then do whatever they want.
SlowMist Technology and Jiangwei Security Lab both noted that once the XSS vulnerability is exploited maliciously, the hacker can obtain a user's login privileges, and malicious operations would then cause loss of funds.
Cases of user accounts being hijacked have already appeared
If the XSS vulnerability is so serious, why has it existed for so long in the TradingView component used by exchanges?
Sun Yue explained that the main reason is that TradingView has always been a third-party front-end framework, and under normal circumstances its security does not attract much attention. But once it is used in systems that require a high level of security, a vulnerability in it can cause great harm.
"At present we have not received any case of direct property loss caused by an XSS attack, but there have already been many cases of user accounts being hijacked through this vulnerability and operations being carried out," Sun Yue said. Similar vulnerabilities have occurred before, but this is the first time one has existed in such a large-scale digital currency exchange setting.
Sun Yue stressed that responsibility for this security incident lies mainly with the TradingView company, but exchanges should also pay attention to security when choosing third-party libraries, and need to follow official security announcements and third-party security warnings in a timely fashion.
At present, some exchanges have already fixed the vulnerability, and Jiangwei Security Lab has also urgently pushed a remediation plan to its clients. "But many exchanges still underestimate this problem, and among them there is no lack of fairly large exchanges." As for which large exchanges are included, Sun Yue said it was not convenient to disclose.
Huobi Pro, which discovered this TradingView problem earlier, told Honeycomb Finance through relevant personnel that they found the vulnerability in August and have already fixed it.
Users should develop the habit of changing passwords regularly
Every computer program has bugs, and blockchain security problems never have a final solution. As for how to guard against similar security incidents, Sun Yue believes that third-party companies, trading platforms and users should each stay vigilant about the security of their own products, clients and assets.
Sun Yue said that the TradingView company should carry out as thorough a code audit as possible before releasing code, to avoid this kind of elementary mistake recurring.
Trading platforms should choose third-party libraries cautiously, stay alert to security incidents involving third-party libraries, and maintain good communication with security companies so that they learn of such news in time. In addition, strengthening the platform's own security mechanisms can also protect users to a certain extent and reduce the harm a vulnerability can do.
For the broad base of trading platform users, Sun Yue reminded that users should choose platforms that actively fix vulnerabilities to trade on, and develop good security habits: "Change your password regularly; after leaving a trading platform's website, manually log out of the exchange site and, when necessary, manually clear your cookies. This can also reduce the risk of being attacked by hackers to a certain extent."
Blockchain technology developer Frozen also advised that users should not casually connect to unknown Wi-Fi, should not readily trust so-called official links returned by search engines, and should be even more careful not to casually click links sent by others.