CertiK
329,721 visningar
91 Inlägg
Rekommenderas
Senaste
CertiK Uncovers High-Risk Vulnerability in Telegram Desktop App
CertiK, a blockchain security company, recently revealed a significant security flaw within the #Telegram messaging app that puts users at risk of cyber-attacks. The announcement was made on April 9 via the social media site X, where CertiK Alert highlighted a dangerous vulnerability that could enable attackers to carry out remote code execution (RCE) attacks by exploiting Telegram’s media processing capabilities.
The vulnerability, identified in the media processing functions of the Telegram Desktop application, can be triggered by attackers using maliciously crafted media files, including images and videos. CertiK's investigation pinpointed a specific RCE attack vector within these processes, signaling a direct threat to users.
A #CertiK spokesperson, in conversation with Cointelegraph, clarified that this vulnerability is unique to the desktop version of Telegram. The mobile version is safer in this regard since it doesn't execute executable files directly, a process that typically requires digital signatures for additional security. This information was shared in response to concerns raised within the security community.
For those using Telegram on desktop devices, CertiK advises reviewing and adjusting the application’s settings to mitigate the risk. Specifically, users should disable the auto-download feature to prevent the automatic processing of potentially dangerous files. This precaution can be taken by accessing the “Settings” menu, followed by the “Advanced” options, where the auto-download functionality can be turned off.
CertiK, a blockchain security company, recently revealed a significant security flaw within the #Telegram messaging app that puts users at risk of cyber-attacks. The announcement was made on April 9 via the social media site X, where CertiK Alert highlighted a dangerous vulnerability that could enable attackers to carry out remote code execution (RCE) attacks by exploiting Telegram’s media processing capabilities.
The vulnerability, identified in the media processing functions of the Telegram Desktop application, can be triggered by attackers using maliciously crafted media files, including images and videos. CertiK's investigation pinpointed a specific RCE attack vector within these processes, signaling a direct threat to users.
A #CertiK spokesperson, in conversation with Cointelegraph, clarified that this vulnerability is unique to the desktop version of Telegram. The mobile version is safer in this regard since it doesn't execute executable files directly, a process that typically requires digital signatures for additional security. This information was shared in response to concerns raised within the security community.
For those using Telegram on desktop devices, CertiK advises reviewing and adjusting the application’s settings to mitigate the risk. Specifically, users should disable the auto-download feature to prevent the automatic processing of potentially dangerous files. This precaution can be taken by accessing the “Settings” menu, followed by the “Advanced” options, where the auto-download functionality can be turned off.
Breaking: CertiK’s $3m Kraken spat: Hacker used the same bug to exploit other exchanges week before
There's a new twist in the CertiK white-hat hacking saga.Onchain records show that at an earlier date someone tried to exploit the same bug the auditor discovered in Kraken.
The bug that #Kraken said it patched had been used to exploit other centralised exchanges as early as last month, according to multiple crypto security experts.
That’s the latest development in the saga of two major crypto players, US-based exchange Kraken and auditor #CertiK .
On Wednesday, Kraken said it patched a “critical” bug that allowed millions of dollars in crypto to be erroneously withdrawn from the US-based exchange.
CertiK came under fire after it admitted to being behind the exploit of that bug. The firm withdrew $3 million from Kraken over several days in early June.
After a public back-and-forth, CertiK returned all the funds it took and called its actions a white-hat operation, meaning they ostensibly acted as ethical hackers with the intention of identifying and fixing security vulnerabilities rather than exploiting them for malicious purposes.
Onchain records first identified by security platform Hexagate, and confirmed to DL News by multiple other security researchers, show a hacker attempted to exploit other crypto exchanges — using the same bug as early as May 17.
Those attempts came three weeks before CertiK said it found the bug on Kraken on June 5.
“We have no evidence these exchanges have been impacted,” Hexagate posted on X. “We only traced onchain evidence for similar activity.”
Centralised crypto exchanges hold a gargantuan amount of crypto on their customers’ behalf. The top five crypto exchanges that have publicly disclosed their wallet addresses hold a combined $172 billion worth of crypto, per DefiLlama data.
CertiK didn’t immediately respond to DL News’ request for comment.
Attempted exploits
The records highlighted by Hexagate show a hacker attempted to use a so-called “revert” attack to trick centralised exchanges into letting them withdraw funds.
To do that, the hacker created a smart contract that contains a transaction to deposit funds to a centralised exchange. The contract is engineered so that the main transaction succeeds but the deposit reverts.
This tricks the exchange into thinking a user has deposited funds when they haven’t. The hacker then requests a withdrawal from the exchange, debiting the fake deposit amount.
nchain records show multiple attempts to use such a contract when depositing funds to Binance took place on BNB Chain on May 17.
Between May 29 and June 5, the same address, as well as another that was funded by it, made similar attempts on OKX, BingX and Gate.io on BNB Chain, Arbitrum, and Optimism.
Is CertiK involved?
Although CertiK first disclosed the revert attack publicly, there’s no proof it was involved in those earlier attacks.
Smart contracts functions each have a so-called signature hash they can be identified by.
In the case of the revert attack contract, the signature hash isn’t available, meaning the name of the function isn’t publicly known, a security researcher who wished to remain anonymous told DL News.
This means the function name for the revert attack is known onto CertiK or someone else has used exactly the same name as well, the researcher said.
The bug that #Kraken said it patched had been used to exploit other centralised exchanges as early as last month, according to multiple crypto security experts.
That’s the latest development in the saga of two major crypto players, US-based exchange Kraken and auditor #CertiK .
On Wednesday, Kraken said it patched a “critical” bug that allowed millions of dollars in crypto to be erroneously withdrawn from the US-based exchange.
CertiK came under fire after it admitted to being behind the exploit of that bug. The firm withdrew $3 million from Kraken over several days in early June.
After a public back-and-forth, CertiK returned all the funds it took and called its actions a white-hat operation, meaning they ostensibly acted as ethical hackers with the intention of identifying and fixing security vulnerabilities rather than exploiting them for malicious purposes.
Onchain records first identified by security platform Hexagate, and confirmed to DL News by multiple other security researchers, show a hacker attempted to exploit other crypto exchanges — using the same bug as early as May 17.
Those attempts came three weeks before CertiK said it found the bug on Kraken on June 5.
“We have no evidence these exchanges have been impacted,” Hexagate posted on X. “We only traced onchain evidence for similar activity.”
Centralised crypto exchanges hold a gargantuan amount of crypto on their customers’ behalf. The top five crypto exchanges that have publicly disclosed their wallet addresses hold a combined $172 billion worth of crypto, per DefiLlama data.
CertiK didn’t immediately respond to DL News’ request for comment.
Attempted exploits
The records highlighted by Hexagate show a hacker attempted to use a so-called “revert” attack to trick centralised exchanges into letting them withdraw funds.
To do that, the hacker created a smart contract that contains a transaction to deposit funds to a centralised exchange. The contract is engineered so that the main transaction succeeds but the deposit reverts.
This tricks the exchange into thinking a user has deposited funds when they haven’t. The hacker then requests a withdrawal from the exchange, debiting the fake deposit amount.
nchain records show multiple attempts to use such a contract when depositing funds to Binance took place on BNB Chain on May 17.
Between May 29 and June 5, the same address, as well as another that was funded by it, made similar attempts on OKX, BingX and Gate.io on BNB Chain, Arbitrum, and Optimism.
Is CertiK involved?
Although CertiK first disclosed the revert attack publicly, there’s no proof it was involved in those earlier attacks.
Smart contracts functions each have a so-called signature hash they can be identified by.
In the case of the revert attack contract, the signature hash isn’t available, meaning the name of the function isn’t publicly known, a security researcher who wished to remain anonymous told DL News.
This means the function name for the revert attack is known onto CertiK or someone else has used exactly the same name as well, the researcher said.
📢 @cronos_chain has partnered with @CertiK
#Cronos - The first blockchain that interoperates with both Ethereum and Cosmos ecosystems.
#CertiK provides a formal verification platform for smart contracts and blockchain ecosystems.
#Crypto #CryptoNews
#Cronos - The first blockchain that interoperates with both Ethereum and Cosmos ecosystems.
#CertiK provides a formal verification platform for smart contracts and blockchain ecosystems.
#Crypto #CryptoNews
Hey #CertiK did you know you can throw that $3m into Kim and take home a fat stack of rewards with some of the highest APRs in crypto rn?
Oh, and don’t forget to stake your $xKIM to boost it up.
Oh, and don’t forget to stake your $xKIM to boost it up.
$BNB #rwas
We did it!🎉
$pmt Public Meme Token has successfully passed the CertiK KYC Badge! 🔐🏆
This badge is a proof of trustworthiness and accountability for the team 🦾
skynet.certik.com/projects/publi…
Big thanks to the entire @CertiK team🙏
#CertiK #KYC
#BNBChain: public meme token
We did it!🎉
$pmt Public Meme Token has successfully passed the CertiK KYC Badge! 🔐🏆
This badge is a proof of trustworthiness and accountability for the team 🦾
skynet.certik.com/projects/publi…
Big thanks to the entire @CertiK team🙏
#CertiK #KYC
#BNBChain: public meme token
⚠️Hack/Phishing #Alerts 🚫
The official Twitter account of biggest Security & Smart Contracts Auditing company #CertiK has been compromised and phishing links are being posted to defraud users of their wallet funds.
The Discord on #Certik’s official website was also replaced and turned into a fake Discord with phishing links.
Just Beware from that, and don't try to click any links, until next official updates by #Cetrik.. 💯🎯🙏
The official Twitter account of biggest Security & Smart Contracts Auditing company #CertiK has been compromised and phishing links are being posted to defraud users of their wallet funds.
The Discord on #Certik’s official website was also replaced and turned into a fake Discord with phishing links.
Just Beware from that, and don't try to click any links, until next official updates by #Cetrik.. 💯🎯🙏
Хакеры взломали X-аккаунт аудиторов CertiK и опубликовали вредоносную ссылку с фейком о взломе Uniswap
Неизвестные взломали аккаунт аудиторской блокчейн-компании CertiK в X (ранее Twitter (NYSE:TWTR)) и разместили в нем фейковую новость об обнаружении уязвимости в контракте децентрализованной биржи (DEX) Uniswap. Злоумышленники от имени CertiK призвали подписчиков отозвать все разрешения на использование контракта с помощью инструмента Revoke Cash, прикрепив к посту фейковую вредоносную ссылку.
Источник: Twitter.com
#CertiK
Неизвестные взломали аккаунт аудиторской блокчейн-компании CertiK в X (ранее Twitter (NYSE:TWTR)) и разместили в нем фейковую новость об обнаружении уязвимости в контракте децентрализованной биржи (DEX) Uniswap. Злоумышленники от имени CertiK призвали подписчиков отозвать все разрешения на использование контракта с помощью инструмента Revoke Cash, прикрепив к посту фейковую вредоносную ссылку.
Источник: Twitter.com
#CertiK
CertiK unveils CertiK Ventures
#CertiK has unveiled #CertiKVentures , focusing on nurturing next-gen onchain platforms. With a focus on security-first projects, CertiK Ventures aims to foster pioneering technologies and cultivate vital ecosystem collaborations. Drawing from CertiK's deep-rooted expertise in blockchain security, the initiative is committed to offering unparalleled support and resources to its selected portfolio companies.
#CertiK has unveiled #CertiKVentures , focusing on nurturing next-gen onchain platforms. With a focus on security-first projects, CertiK Ventures aims to foster pioneering technologies and cultivate vital ecosystem collaborations. Drawing from CertiK's deep-rooted expertise in blockchain security, the initiative is committed to offering unparalleled support and resources to its selected portfolio companies.
Breaking 🔕🔕: The famous blockchain security firm #CertiK now returned to the #crypto Exchange Kraken $3 Million after a public dispute.
#cryptonews
#cryptonews
📢 Exciting update from MVC: CertiK has embarked on a security audit journey, set to conclude by April!
It's more than just a routine check; it's a mission to fortify MVC and potentially unveil new, innovative features. 🛠️🌟🗓️
Keep in mind, the public audit report's reveal might shift, but rest assured, CertiK is rigorously analyzing every corner of MVC's codebase.
They're on the prowl for anything from logic slip-ups to miner attack vulnerabilities. 🔍💡
For the tech-savvy, dive into MIP-23 for an in-depth look. MVC is stepping up its game in the crypto world! 🚀🔐
Stay in the loop!
#CertiK #Space #MicroVisionChain #TrendingTopic #Write2Earn
It's more than just a routine check; it's a mission to fortify MVC and potentially unveil new, innovative features. 🛠️🌟🗓️
Keep in mind, the public audit report's reveal might shift, but rest assured, CertiK is rigorously analyzing every corner of MVC's codebase.
They're on the prowl for anything from logic slip-ups to miner attack vulnerabilities. 🔍💡
For the tech-savvy, dive into MIP-23 for an in-depth look. MVC is stepping up its game in the crypto world! 🚀🔐
Stay in the loop!
#CertiK #Space #MicroVisionChain #TrendingTopic #Write2Earn
Certik joined CoreDAO Starter Program, supporting exceptional builders in the Core ecosystem with exclusive incentives for smart contract audits.
#CertiK #Write2Earn #CoreDAO #DAO
#CertiK #Write2Earn #CoreDAO #DAO
In the rapidly evolving landscape of blockchain technology, #ChainGPT emerged as a beacon of innovation, harnessing the power of AI to revolutionize the sector.
🚀ChainGPT's security architecture, now stronger than ever, showcases a 91.23 Security Score & top 10% market rank.
Key technical strides:
⚪️Flawless KYC Gold compliance🏅
⚪️Strategic bug bounty defenses💼
⚪️Enhanced operational resilience🚧
Testimonial:
“Certik is the best Web3 security company we've ever worked with at ChainGPT. They take security seriously, and their audits are the best we've ever seen, leaving no room for vulnerabilities. On top of that, SkyNet is a fantastic addition to track our live security parameters from on-chain & off-chain activity, exchanges health, website security, etc. Certik gives the ChainGPT team and community peace of mind." - Ilan Rakhmanov, CEO of ChainGPT.”
#CertiK #Launchpad
🚀ChainGPT's security architecture, now stronger than ever, showcases a 91.23 Security Score & top 10% market rank.
Key technical strides:
⚪️Flawless KYC Gold compliance🏅
⚪️Strategic bug bounty defenses💼
⚪️Enhanced operational resilience🚧
Testimonial:
“Certik is the best Web3 security company we've ever worked with at ChainGPT. They take security seriously, and their audits are the best we've ever seen, leaving no room for vulnerabilities. On top of that, SkyNet is a fantastic addition to track our live security parameters from on-chain & off-chain activity, exchanges health, website security, etc. Certik gives the ChainGPT team and community peace of mind." - Ilan Rakhmanov, CEO of ChainGPT.”
#CertiK #Launchpad
