Nick Percoco (@c7five), Jun 19, thread of 20 tweets
Kraken Security Update:

On June 9, 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to have found an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
Every day we receive fake bug bounty reports from people claiming to be “security researchers”. This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross-functional team to dig into this issue. Here is what we found.
Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.
To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.
We triaged this vulnerability as Critical and within an hour, 47 minutes to be exact, our team of experts had mitigated the issue. Within a few hours, the issue was completely fixed and could not recur.
Our team found a flaw deriving from a recent UX change that would promptly credit client accounts before their assets cleared - allowing clients to effectively trade crypto markets in real time. This UX change was not thoroughly tested against this specific attack vector.
After patching the risk, we thoroughly investigated the situation and quickly discovered that 3 accounts had leveraged this flaw within a few days of each other. As we dug deeper, we noticed that one account was KYC’d to an individual who claimed to be a security researcher.
This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto. This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program.
Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.
The initial Bug Bounty report did not fully disclose this transaction information, so we contacted the security researchers to confirm some details to progress with rewarding them for successfully identifying a security flaw on our platform.
In turn, we requested a full account of their activities, a proof of concept used to create the on-chain activity, and to arrange the return of the funds that they had withdrawn. This is common practice for any Bug Bounty program. These security researchers refused.
Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!
We have had a Bug Bounty program in place at Kraken for nearly ten years. This program is run internally and is fully staffed by some of the brightest minds in the community. Our program, like many others, has clear rules of the road…

1. Do not exploit more than you need to in order to prove the vulnerability.
2. Show your work (i.e. provide a proof of concept).
3. What you extract, you return immediately.
We have never had issues with legitimate researchers in this way and are always responsive.
In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.
As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals.
We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.
Our Bug Bounty program continues to be a vital shield in Kraken’s mission and a key part of our efforts to enhance the overall security of the crypto ecosystem. We look forward to working with good faith actors in the future and consider this as an isolated experience.
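Editor's note: the flaw described above (a deposit credited as spendable before the on-chain funds cleared) is a recognisable class of exchange bug. The following is an added illustration, not Kraken's code and not derived from any detail the thread does not state. It models a hypothetical ledger in two modes: the vulnerable "instant credit" behaviour, and a hardened version that holds unsettled value in a separate pending bucket until an assumed confirmation threshold is reached. Transaction ids, amounts and the confirmation count are constructed for the example.

```python
"""Pending-vs-available balance accounting for on-chain deposits.

Hypothetical illustration of the bug class, not any exchange's real code.
Crediting a spendable balance when a deposit is merely *seen* lets a deposit
that never settles be withdrawn; keeping unsettled value in a separate
pending bucket closes that gap.
"""
from dataclasses import dataclass, field

CONFIRMATIONS_REQUIRED = 6  # assumed policy; real thresholds vary per chain/asset


@dataclass
class Deposit:
    txid: str
    amount: int           # integer minor units; never floats for money
    confirmations: int = 0
    failed: bool = False  # reorged out, reverted, or never broadcast


@dataclass
class Account:
    available: int = 0    # settled and spendable
    pending: int = 0      # observed on-chain but not yet final
    deposits: dict = field(default_factory=dict)


class Ledger:
    def __init__(self, credit_before_settlement: bool):
        # True reproduces the vulnerable "credit on initiation" behaviour.
        self.credit_before_settlement = credit_before_settlement
        self.accounts: dict[str, Account] = {}

    def _acct(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def deposit_seen(self, user: str, dep: Deposit) -> None:
        a = self._acct(user)
        if dep.txid in a.deposits:
            return  # idempotent: the same tx must never credit twice
        a.deposits[dep.txid] = dep
        if self.credit_before_settlement:
            a.available += dep.amount   # vulnerable: spendable immediately
        else:
            a.pending += dep.amount     # hardened: visible but not spendable

    def deposit_update(self, user: str, txid: str,
                       confirmations: int = 0, failed: bool = False) -> None:
        a = self._acct(user)
        dep = a.deposits[txid]
        if dep.failed:
            return
        settled = dep.confirmations >= CONFIRMATIONS_REQUIRED
        if failed:
            dep.failed = True
            if self.credit_before_settlement or settled:
                a.available -= dep.amount  # clawback; can drive balance negative
            else:
                a.pending -= dep.amount    # nothing was ever spendable
            return
        dep.confirmations = max(dep.confirmations, confirmations)
        if (not settled and not self.credit_before_settlement
                and dep.confirmations >= CONFIRMATIONS_REQUIRED):
            a.pending -= dep.amount        # promote to spendable only when final
            a.available += dep.amount

    def withdraw(self, user: str, amount: int) -> bool:
        a = self._acct(user)
        if amount <= 0 or amount > a.available:
            return False  # pending value is never spendable
        a.available -= amount
        return True


def run_attack(credit_before_settlement: bool) -> dict:
    """Constructed scenario: a 1,000,000-unit deposit is seen, the user
    withdraws at once, and the deposit then fails to settle."""
    ledger = Ledger(credit_before_settlement)
    ledger.deposit_seen("attacker", Deposit("tx-constructed-1", 1_000_000))
    withdrew = ledger.withdraw("attacker", 1_000_000)
    ledger.deposit_update("attacker", "tx-constructed-1", failed=True)
    a = ledger.accounts["attacker"]
    return {"withdrew": withdrew, "available": a.available, "pending": a.pending}


def run_honest_path() -> dict:
    """Constructed scenario: hardened ledger, deposit settles normally."""
    ledger = Ledger(credit_before_settlement=False)
    ledger.deposit_seen("alice", Deposit("tx-constructed-2", 500))
    early = ledger.withdraw("alice", 500)   # rejected while pending
    ledger.deposit_update("alice", "tx-constructed-2",
                          confirmations=CONFIRMATIONS_REQUIRED)
    late = ledger.withdraw("alice", 500)    # allowed once settled
    a = ledger.accounts["alice"]
    return {"early": early, "late": late,
            "available": a.available, "pending": a.pending}


if __name__ == "__main__":
    print("vulnerable:", run_attack(True))   # withdrew, balance goes negative
    print("hardened:  ", run_attack(False))  # withdrawal refused, nothing lost
    print("honest:    ", run_honest_path())
```

The point of the split is that the "credit early for a better trading experience" decision can be kept for display purposes (the pending figure is visible to the user) without ever letting unsettled value back a withdrawal or a trade. Any path that spends balance must check `available`, and a failed deposit must only ever be clawed back from the bucket it was credited to.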