Default avatar
adam 1 year ago
Hi folks we've been experiencing some disruptions over the past couple days as we've been working to mitigate against an attacker who found and exploited a vulnerability in our system that allowed them to get password reset codes for accounts that didn't belong to them. Using this exploit they were able to gain access to a number of accounts that they shouldn't have had access to and withdraw funds. We've patched the issue and believe we've revoked the attacker's access to the compromised accounts by invalidating their JWT authentication tokens and NWC secrets. We've instituted system-wide withdrawal limits as a precautionary measure while we work to fully restore and migrate the payment records of affected accounts. If you are seeing a blank screen when you visit the Coinos site, you may need to visit https://coinos.io/logout or clear your browser cache. If you have Coinos installed as a PWA you may need to uninstall it and re-add it to your homescreen. About 80 accounts had their passwords reset by the attacker but only a handful were actively stolen from. If your account was compromised you may be missing some recent transactions. We do have backups and will be writing scripts to find and restore those payment records over the coming days. If you were using Coinos via NWC your NWC connection string secret may have changed in which case you will need to re-connect Coinos to your Nostr apps. We'll be reverting unsolicited withdrawals and covering all losses ourselves to make all our users whole. Thankfully we caught the attack relatively quickly and managed to take corrective action before the attacker had time to fully drain our wallets. Coinos is essentially a volunteer effort and one-man show on the tech front so please be patient as it's going to take me a few days to restore everything back to normal. This incident has not shaken my resolve, only strengthened it. Sincerely, Adam Soltys

Replies (75)

Thanks for the transparency on the issue. I feel sorry for the stress you are having. I am always impressed how many people / merchants you onboarded in western Canada. Keep going!
HalloBitcoin's avatar
HalloBitcoin 1 year ago
Are there problems with your channel management? I have problems to send 5000 sats. Great to see ecash tho! Thanks for the Service! 🧡
This is such a shame. didn't use your services for over a year because of instability. Came back a week ago, put all my incoming donation and zap stuff on coinos. and now this. Hope you get things under control.
I’m sorry you’re going through that, as a fellow dev who’s gone through hacks you have all my sympathies. You’re providing a great service, I’ve gotten a bunch of family members onto lightning with you, and you’re my daily wallet for zaps.
It’s common practice to either have a bug bounty program as a product, or as a white hat hacker ask for reasonable compensation during disclosure. Unsurprisingly there’s also a lot of scamming. I had a customer who got conned and paid 3.5 ETH for fake vulnerability disclosures.
Oh no not at all. The scammers tried to extort him for more money, and meanwhile I was told to engage this guy on Telegram to get more information on how to reproduce the error. He tried to get me to buy his “vulnerability detection kit” or whatever, which I’m sure was a virus of some kind. I forgot to mention that the entire company, including the customer’s non technical CFO, tried to convince him not to post the ransom in the first place.
VENATOR's avatar
VENATOR 1 year ago
Parabéns. "Na guerra é que se forja o verdadeiro caráter". Avante!
🤔 I can't remember the last time a hunk of metal was hacked...
Default avatar
adam 1 year ago
No they were able to change some account passwords but would not have learned anyone's existing password.
Default avatar
adam 1 year ago
Please check again, we're still restoring some accounts
Thank you!! You're doing a tremendous service. I'm patient. I know this stuff can happen, I signed up for it with full knowledge of the tradeoffs in security vs full self custody. These things happen.
Default avatar
nobody 1 year ago
Damn it. I was one of the 80 accounts. 5k sats gone. Thank god I look at lightning as the medium of exchange and not the store of value. Sucks though.
Well, that sucks. Literally switched three days ago 👀 Yikes. Bad actors man! What a shame. But I guess exposing vulnerabilities is a good thing when you have 1000 sats instead of a lot more.
Default avatar
adam 1 year ago
Looking better now? Sorry for the scare, we're still restoring some accounts.
ForrestHODL's avatar
ForrestHODL 1 year ago
will the transactions be automatically re-added? my history of transactions are gone
Default avatar
nobody 1 year ago
Incredible! Thank you! May the zaps continue to flow! ⚡️⚡️⚡️🫡
Default avatar
adam 1 year ago
Yes, we'll get them back please hang tight as we're still reviewing accounts one by one
Default avatar
adam 1 year ago
Ok should be looking better now.
Default avatar
adam 1 year ago
Hi sorry we just reset your account. Can you try again?
Cheers to the transparency, and thank you for the work that you do. To those who don’t know, Coinos does have a self custody option to be able to pull down your sats on-chain which should be resistant to these kind of attack.
Default avatar
adam 1 year ago
Hi you should be whitelisted for withdrawals now, sorry for the delay
Default avatar
adam 1 year ago
We banned some IP addresses that the attacker was using. You may be using the same VPN as them. Please DM or send your IP to support@coinos.io and we'll look at unblocking it for you.
Default avatar
adam 1 year ago
Please DM your IP or send to support@coinos.io
Default avatar
adam 1 year ago
We might have run low on liquidity. Can you try again?
Sorry to hear this, I’m a penetration tester and happy to work with you to validate that the fix you’ve implemented has worked?
Thanks for this report... seconding @EVAN KALOUDIS request for an incident report... would be useful for @Nostr Wallet Connect implementors especially. My main question is this: Is there anything NWC-specific about this vulnerability? From what I see in your post, it looks like a more vanilla-flavored attack on your auth/login mechanism, which THEN allowed the attacker to mess with the NWC codes. But if you're learned anything NWC-specific that would be very useful for others to learn from...