Major crypto exchange Huobi has silently resolved a massive vulnerability that allegedly exposed user assets for two years.
Per white hat hacker and researcher Aaron Phillips, Huobi accidentally published a file containing Amazon Web Services (AWS) credentials in June 2021 that leaked contact and account information for 4,960 “crypto whales” as well as internal documents.
The data breach could have easily been “the largest crypto theft in history,” if it were exploited by an attacker, Phillips wrote in his blog.
“Anyone could have used the credentials to modify content on the huobi.com and hbfile.net domains, among others,” Phillips added. “I had full control over data from almost every aspect of Huobi’s business.”
Phillips first notified Huobi of the leak in June 2022. It took five months to receive a response from the exchange, and Huobi did not revoke the credentials until June 2023.
The most “dangerous” aspect of the breach was write access to Huobi’s content delivery networks (CDNs) and websites.
“Once an attacker can write to a CDN, it’s trivial to find an opportunity to inject malicious scripts. And once a CDN is compromised, all the sites that link to it are potentially compromised too.”
Huobi finally deleted the compromised account, thus securing its cold storage on June 20.
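The root cause described above is a file containing long-lived AWS credentials being published to a public location. The following pre-publish scanner is an added example, not code from the article, from Phillips, or from Huobi: it flags AWS access key IDs (the documented `AKIA`/`ASIA` prefix followed by 16 characters) and a 40-character secret sitting next to an `aws_secret_access_key` key name, so that a build or deployment pipeline can refuse to upload such a file to a bucket or CDN origin. The sample file content is constructed and uses the placeholder credentials that AWS itself publishes in its documentation; the file name `constructed.cfg` is an assumption.

```python
import re
import sys

# AWS access key IDs: AKIA = long-lived IAM user key, ASIA = temporary STS key,
# each followed by 16 uppercase alphanumerics. This format is documented by AWS.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-like text. A bare 40-char
# string is too noisy to flag on its own (hashes, tokens), so only match one
# that is assigned to an aws_secret_access_key-style key name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep the first and last four characters so a finding can be matched
    to an IAM key without copying the whole credential into a log."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, source="<input>"):
    """Return a list of (source, line_no, kind, redacted_value) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths):
    """Scan each path on disk; unreadable or binary files are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="strict") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample of a config file that should never reach a public bucket.
# The key pair below is the example pair AWS uses in its own documentation.
SAMPLE_PUBLISHED_FILE = """\
# constructed example config
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
cdn_origin = https://cdn.example.invalid
"""


def main(argv):
    # With file arguments, act as a pre-publish gate: non-zero exit blocks the upload.
    # With no arguments, run against the constructed sample.
    if len(argv) > 1:
        findings = scan_files(argv[1:])
    else:
        findings = scan_text(SAMPLE_PUBLISHED_FILE, source="constructed.cfg")
    for source, line_no, kind, value in findings:
        print(f"{source}:{line_no}: {kind} {value}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring `main` into the step that syncs static content to the bucket behind a CDN turns the check into a gate: any finding aborts the upload, which is the point at which the credentials in this incident would have stopped before becoming public. The prefix-plus-length pattern deliberately does not try to validate the key against AWS; a match is enough reason to block and rotate.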
Phillips also claimed that Huobi’s leak exposed a database of over-the-counter (OTC) trades going back to 2017. The database, a 2TB downloadable file, contained user account details, transaction details, and traders’ IP addresses.
Additionally, the breach revealed the inner workings of Huobi’s production infrastructure and gave access to alter JSON files of the firm’s NFT project – Utopo.
Huobi said in a response on June 1,
Read more on cryptonews.com