On April 11, Coinroll.com issued the following statement on their site:
11 Apr 2016 Security Audit
Dear players, lately some users claimed theft of their balance on Coinroll. We are aware of that and we’re running a full audit and trying to determine if users were compromised or if there was a breach at Coinroll. We are now taking measures to increase security and taking all precautions necessary.
For users with an account created before 7 Apr 2016, we strongly recommend you contact [email protected] and request a password change, and support will help you to change it. To proceed with a password change, you need to sign with the first address you’ve made a transaction with to your CoinRoll deposit address. For anyone without a balance, we recommend you use a new account in the future.
We took some basic security checks, going with the OWASP top ten guide and securing Coinroll to prevent future thefts, and we will be adding a two factor authentication option in the future to Coinroll for withdrawals as well. We will update once we know more about what happened. In any case, we wish security to be at its best both server side and user side. No users’ funds are compromised other than the few claims of stolen balance. We will keep withdrawals and deposits disabled until the investigation is done to be sure all balances remain safe.
Regards, Coinroll’s Staff
Was it from a vulnerability they subsequently discovered or was it from leaving their database exposed without any login required?
In March, MacKeeper security researcher Chris Vickery discovered that a MongoDB database of theirs with 4,610 “accounts” and 9,668 “addresses” was leaking. The exposed details included password hashes using the sha256 algorithm, Vickery reports.
Vickery contacted Coinroll, who acknowledged the leak on March 30, 2016. In a follow-up communication, Coinroll spokesperson Juan-Samuel Codina-Fauteux informed Vickery that they had had reports of some users getting their balances stolen, but that another (unspecified) vulnerability was suspected as the cause:
Another possible vulnerability was suspected, although nothing definitive. A few users had already been refunded. … The passwords are hashed with sha256, so it seems unlikely some accounts were compromised from those hashes alone, if at all. The other patched vulnerability remains the prime suspect.
As to how the problems occurred, Coinroll’s explanation was:
The issue seems to have arisen with an Ubuntu update that overwrote ufw rules from admin, leaving the port open. Combined with no password being set for MongoDB, this had disastrous results. The owner who does the sysadmin/dev work admitted he was at fault for such a security oversight. Now that this has been closed, he plans to move from Ubuntu to Fedora, convert to Docker and audit for other possible oversights.
While admittedly speculating, Vickery suggests:
the most likely scenario behind any heist of Coinroll Bitcoins is one of two possibilities: Either (1) someone else found that exposed database before I did and compared the sha256 hashes to common passwords; or (2) someone else found the database and used the knowledge of its structure to successfully manipulate login data via MongoDB injection attacks.
Vickery notes, “To their credit, Coinroll did put up a news post on April 11th announcing potential security concerns,” but this site would point out that the announcement never disclosed that they had left their database without any login required. Perhaps they’re hoping that an audit will reveal that there were no accesses other than Vickery’s and that they wouldn’t need to disclose that error on their part, but oops, that cat is out of the bag now, isn’t it?
You can read Vickery’s post on MacKeeper’s Security Blog.