Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Code Leak. Show all posts

Cryptocurrency Chaos: El Salvador's Bitcoin Wallet Code Leaked, Privacy at Risk

 


There was a security breach with El Salvador's state Bitcoin wallet, Chivo, after hackers from the group CiberInteligenciaSV leaked a part of its source code to a hacking forum. In the earlier leak of personal data belonging to nearly all of El Salvador's adults, the code from Chivo Wallet ATMs as well as VPN credentials had been exposed. According to the wallet administration, there has been no compromise with the security of the wallet's data. 

Chivo Wallet had several challenges since it was revealed that it would be the official Bitcoin storage tool after its launch, so this event has become another blight on the Chivo Wallet. President Nayib Bukele set Bitcoin (BTC) as legal tender in El Salvador in 2021 to make digital payments more convenient. However, security breaches and technical issues have made the adoption of Bitcoin (BTC) difficult. 

The Chivo Wallet has been criticized by consumers for its slow operation, app crashes, vulnerabilities to exploitation, and lack of official backing, despite its official backing. The Chivo Wallet company has responded to allegations that it was linked to a data breach in which over 5 million Salvadorans' personal information was allegedly exposed. 

In addition to full names, unique identifiers, dates of birth, addresses, phone numbers, emails, and photographs, all of this data was leaked. The data had been rumoured to be related to the KYC processes that the Salvadoran government required its citizens to complete before they could be offered incentives, such as $30 in Bitcoin at the wallet’s launch, by the Salvadoran government. 

On April 6, the hacker group CiberInteligenciaSV compromised 5.1 million Salvadoran data. Recently, the same hackers leaked the source code for Chivo Wallet and the VPN credentials for the ATM network. The Chuvo Bitcoin wallet, backed by the government, has caused controversy among peer-to-peer money enthusiasts and crypto punks alike for its custodial status. 

In a press release published on X (formerly Twitter) on April 24, the company commented on the matter, describing it as “fake news.” Furthermore, a group of individuals from the Salvadoran community who downloaded the wallet have released over 144 GB of data containing their personal information. Even though it was available for purchase on various channels since August, it was only leaked for download on April 5. 

This data includes a user's full name, unique identifier, date of birth, address, and a high-definition picture of their face, as well as their full name, unique identifier, and date of birth. Also included in this week's leaked information was the file Codigo.rar, which contained information on El Salvador's Chivo ATM network, including the code and VPN credentials for the network.

Government officials have yet to come out with a formal statement regarding either of the hacks that took place this month. As a result of the leak of the code and VPN details of the source, the Chivo wallet system is at risk of being compromised, making hackers able to gain access to users' accounts or control them unauthorizedly. 

The particularity of the data exposed previously affects almost the entire adult population of El Salvador, which makes them fear identity theft and fraud as a result of the exposure of personal data previously exposed. In light of these breaches, security experts advise users to be vigilant and to monitor their accounts for any suspicious behaviour if they see anything strange. 

El Salvador is a country where incompetence is prevalent and there is a good chance that this will have a significant impact on the financial ecosystem as well, as trust in the government's digital solutions might wane as a result. In the beginning, the Chivo software was plagued with numerous software bugs and technical glitches as users reported numerous problems with the software. 

Despite the President's promise to give them $30 for downloading the Chivo wallet, some people were not able to withdraw money from Chivo because some had trouble getting it. The Salvadoran government announced last year that over 100 ATMs across the country will be equipped with lightning network technology in Q4 2024. 

Over 100 ATMs across the country will be equipped with this technology. In theory, this technology could allow Salvadorians to withdraw and deposit Bitcoins in an easier and faster manner with a lower fee. It was reported in October by a Salvadoran newspaper that only about 2% of the Salvadoran population was making remittance payments through the wallet, which had been its main selling point for a long time. 

It has yet to be decided whether or not the Salvadoran government will declare a policy on this issue or formally address the issue. The state of El Salvador has become the first in the world to adopt Bitcoin as a legal tender in 2021, promoting the Chivo wallet as one of the official mediums used to engage with Bitcoin by its citizens. 

The fact that these security issues exist in addition to the absence of communication from the authorities leaves the Salvadorans with an uncomfortable sense of uncertainty as to whether or not their personal information is safe and if this digital wallet offered by the state is reliable.

Room for Error: Hotel Check-In Terminal Flaw Leads to Access Code Leak

 


Ibis Budget hotels in Germany were found to leak hotel room key codes through self-service check-in terminals, and a researcher behind the discovery claims the problem could potentially affect hotels around the world. It would be very easy for anyone to abuse the terminal's security flaw without any technical knowledge or specialized tools, as it is a security flaw that can be exploited by anyone. 

In actuality, an attacker can aggregate a whole lot of room keycodes in just a few minutes as long as a regular customer uses the same machine to check into their room, as long as the attacker is persistent. In addition to speaking with staff at the front desk, hotel guests can also take advantage of self-service check-in terminals. Front desk staff can be unavailable at times for guests to interact with them. 

These terminals offer guests the ability to not only check into their rooms, but they can also search for information about existing bookings as well, which is what Ibis Budget is all about. Based on the company's website, 600 Ibis Budget hotels are operating in 20 different countries around the world. This is an Ibis Budget hotel chain owned by Accor. 

They believe the vulnerability likely affected other hotels as well, as they discovered in late 2023 a security flaw in the self-check-in terminal that was installed at an Ibis Budget hotel in Germany.  Ibis Budget hotel customers can use these kiosks to check in their rooms when there is no staff at the hotel. 

When Accor was notified, Pentagrid was informed that the company had issued patches to the affected devices within a month. Upon entering the booking ID, the terminal displays the associated room number as well as the keypad code that can be used to access the room when the customer is not present. 

The customer then has to enter the keypad code to access the room.    It was discovered by Pentagrid that a list of current bookings could be displayed on the terminal if he entered a series of dashes instead of the booking ID. Pentagrid believes that tapping on a booking will display the room number as well as the keypad access code of the hotel, which remains unchanged during the guest's stay at the hotel, according to Pentagrid. 

There was a chance that an attacker would have been able to gain access to rooms using the exposed access codes. Upon entering the dashes, the booking information displayed the amount of the booking, the room number and the valid room entry code, along with the cost of the booking. The researchers also found a timestamp in the data, which the researchers assumed was the check-in date, which could indicate the length of the guest's stay.

Schobert discovered the issue unintentionally after attending a cybersecurity convention in Hamburg, where he was using a terminal at the Altona Ibis Budget Hotel. The bug is not clear as to whether or not 87 bookings were valid at the time of the audit, as there are 180 rooms at the hotel. It is unclear if it was only 87 bookings that were valid at that time or if the bug was limited to returning less than the entire number of bookings. 

Schobert said the booking references could still be found on discarded printouts even without the exploit by using a series of dashes, which necessitated that greater security controls be placed on the terminals to prevent this. If this issue falls into the wrong hands, the consequences could be quite serious.

Understandably, retrieving keycodes could lead to theft, but being able to target rooms by price may allow an attacker to target the wealthiest guests for the best possible rewards as they may be able to target rooms by price. Aside from theft, there is also the danger of stalking and other creeps abusing guests, which may put their safety at risk. As a result, researchers note that an attacker would have needed to be physically close to the targeted terminal to exploit the vulnerability, as the affected device would have had to be set up to allow self-service, which would be most likely during the nighttime, researchers stated.