Be warned! Hackers are abusing API keys and stealing your funds
One of the biggest threats facing cryptocurrency and blockchain assets is the abuse of APIs. If an API key is used improperly, it is possible that an attacker could obtain access to a legitimate digital wallet address and the funds stored there. In this guide, we will show you how to secure your keys and prevent hackers from stealing your hard-earned funds.
Coinbase is one of the world’s most popular bitcoin exchanges, and it is used by millions of bitcoin traders around the world. However, the company has recently been hit by a series of hacks, which have led to the suspension of its API keys.
Cybercriminals will always find a way to exploit the loopholes in the crypto currency market. As the blockchain space continues to gain interest and popularity, the technology is evolving at an incredible rate, resulting in increasing complexity and error rates. We have seen founders build backdoors to steal all the money available in the liquidity pools by disconnecting them. We’ve seen hackers exploit DeFi projects by exploiting their vulnerabilities, such as. B. The manipulation of Oracle and the reintroduction of smart contracts. But one thing seems to have been forgotten: dealing with API keys. The demand for reliable trading is now so great that dozens of companies are developing their own applications to provide traders with a seamless experience. But when they use these third-party application services, they give up control of their personal data through API keys. This means that the exchange or trading application executes all transactions on behalf of the user without connecting to the exchange. Hacking crypto-currencies with API keys is frightening because the attacker does not need to have withdrawal privileges or manipulate the markets to have a significant impact. They use multiple exploitative techniques to steal funds, and it seems that they artificially manipulate the market. In this article, we’ll take a closer look at the exploitation of API keys and how hackers try to steal millions without being noticed. What is an API exchange? API keys are typically used to verify a user’s identity in an automated or programmed manner. In the Exchange API, users programmatically access their accounts and perform the required actions or policies. APIs can handle arbitrary requests because they use a secret or private key to sign on behalf of the merchant. API integration and the use of third-party software solutions are advantageous for traders trying to access their accounts connected to multiple exchanges. Common functions for using the Exchange API include placing orders, collecting account information, and accessing market data. What API permissions have been granted to traders Exchanges require traders to enable certain parameters to access public and private keys. In most cases, exchanges divide approvals into three groups: Data – the API can be used to read users’ account information, giving you access to their open orders, balances and transaction history. (Note: He cannot make changes) Trade – This authorization is primarily for traders to automatically place open and close orders. In programming language, these are called write operations. These processes result in changes to the account data. Revocation is probably the most important permission related to API keys. It allows the API to make withdrawals and send money to another wallet without the need for permission from the actual account holder. Never enable withdrawal authorization – if a trading app asks you to do so, stop immediately and consider more reliable services. Why do people lose their API keys When users generate API keys through their exchange account, they must go through a process that requires them to provide the required data and permissions. During this process, the exchange displays its public and private API keys. The public key is now displayed in the exchange, but in the case of the private key it is only displayed once. So if a user does not keep their private key in a safe and private place, they officially lose control of their API key. Keys can also be lost in the event of a system failure, leaving the user with no means of recovering them. It is also important to note that digital disclosure of private keys is equivalent to loss of control over private keys. The public key infrastructure is used to enhance security, implement authentication methods and apply digital signatures. However, if users accidentally publish their private key on a digital platform, they have effectively placed themselves in a vulnerable position because they have no control over the API key. How do cybercriminals gain access to these stolen API keys? One would think that hackers would install malware or dangerous spyware to gain access to stolen API keys, but that’s not the case with exploits like this one. Cybercriminals use this online platform to their advantage, which is not surprising since most API keys are processed digitally. Public repositories like Github are a goldmine for hackers, as they are more or less likely to contain leaked information on thousands of accounts. Another similar platform that includes authentication tokens is a web application that uses ENV files to store frame parameters and, in most cases, includes API keys. For this reason, API keys should never appear on sites like Gitlab or Github. Instead, consider pulling them directly from the application and creating a new file to add to Gitignore, says Aaron Jones, an expert lecturer in cybernetics at the University of Advanced Technology. Another way for some hackers to gain access to stolen keys is to guess the value of the addresses stored in them. The blockchain bandit was able to find weak and easily guessed private keys, and it was recorded that he was able to find 732 guessable keys. It may never happen again, but it’s worth knowing. How to use these API keys – two methods According to an investigation by cybernews, the bills handed over to public vaults contained coins worth between $5,000 and $155,000. The investigation also found that 90% of the accounts contained trading rights. This brings us to the main question: how do hackers use trading rights to wreak havoc on their victims’ trading accounts? Cybercriminals mainly use two abusive techniques: buying up walls for sale and increasing the price. These methods artificially manipulate currency prices, orders and the entire trading process. Purchase Sale Walls Building a wall of sales in the cryptocurrency market results in huge losses to the accounts of compromised traders, but at the same time allows market manipulators to accumulate funds at a much lower cost. The complexity of buying and selling walls is that everything happens in a split second. Mass sales orders are placed from the victim’s account and, at the same time, the hackers place buy orders to grab all the coins at low prices. The situation only gets worse, as each sell order results in an even greater loss for the victim than the previous sale. Price increase The second method used to exploit stolen API keys is to increase the price of the key. There are also no withdrawals and only trading privileges are used. The principle is simple: Pirates make worthless shitcoins and inflate their price by placing large buy orders. They choose unworthy projects because they are easy to handle, given the small size of the trade in these parts. Once the purchase order is placed, the attacker uses his intermediary account to sell the same coin to the victim at an inflated price. The victim is left with a pile of worthless coins that he will never be able to resell at a reasonable price. How to protect your funds without compromising API keys As mentioned earlier, once your API keys are available in digital form, you no longer have full control over your trading account. Therefore, you should be careful and follow some simple steps to protect your API keys from misuse. Here are some good practices to follow: Never keep unencrypted secrets in .git repositories Many people assume that private vaults are secure enough to store secrets like API keys, but they are in fact some of the most valuable targets for cybercriminals. It is easier for an experienced developer to have access to the entire history of the project, so all the existing secrets are available to everyone. Never use messaging systems to send API keys. Digital mining and extracting data can happen in any form, so stay away from messaging platforms like Slack and use secrets as a service solutions instead. Don’t let the API take complete control of your account. It is always recommended that access control to the API be kept to a minimum and only allowed when necessary. If possible, try to whitelist IP addresses so that hackers cannot gain control of your trading bot’s control panel. While these methods can help you prevent the use of API keys, they can’t do anything to get them back. To recover the private keys and regain ownership, we need to experiment with different recovery mechanisms and see which one is the most accurate. Research has shown that it is possible to retrieve the ownership of assets on the blockchain using a symmetric key generated from the owner’s fingerprint and a distributed private key retrieval system using a biometric-assisted secret information sharing system. These methods may not have worked as well as expected, but perhaps in the future we will see better solutions for tracking API keys and securing our trading accounts. Final considerations In the world of cryptocurrencies, we must always be prepared for the unexpected and be aware of all the scenarios that may occur. Tampering with API keys is a real threat these days, and we need to verify that we are working with a trusted third-party service. We also need to make sure that we follow some of the best practices mentioned in the previous sections, because we never know how hackers can misuse API keys. Ultimately, you are responsible for your actions, so be careful and attentive when exchanging API keys. Kartikeya Gutta, born and raised in India, is a cryptocurrency journalist and freelance writer for the website itsBlockchain. It covers various aspects of the industry through in-depth analysis and research. His passion for blockchain and the crypto-ecosystem is largely because he believes it can truly change the world and help millions of people.