As a researcher with extensive experience in the cybersecurity field, I find the recent incident involving Kraken and the security researchers who allegedly crossed the line into extortion to be both troubling and disappointing. It’s disheartening when individuals who are supposed to act ethically and responsibly in the pursuit of uncovering vulnerabilities instead exploit those weaknesses for personal gain, causing harm to innocent parties.
Recently, cryptocurrency exchange Kraken encountered a complex issue when certain self-proclaimed security researchers were accused of going beyond acceptable bounds and engaging in extortion attempts. Kraken’s Chief Security Officer, Nick Percoco, shared insights into this situation via the social media platform X.
Based on Percoco’s account, a security researcher reported to Kraken on June 9 about a weakness that permitted users to exaggerate their balance figures. This imperfection enabled a harmful actor to instigate deposits and secure funds without finishing the procedure.
On June 9, 2024, we received a notification from a security researcher through our Bug Bounty program. At first, no details were given about the issue, but they claimed to have discovered a “highly critical” flaw that enabled them to falsely boost their account balance on our system.
— Nick Percoco (@c7five) June 19, 2024
The Kraken team quickly resolved the problem without any impact on users’ funds. Nevertheless, the revelation from the security report sparked significant apprehensions. It is said that the researcher disclosed the vulnerability to two other parties.
These people took advantage of a vulnerability in the system, managing to withdraw approximately $3 million from Kraken’s own funds instead of those belonging to other clients. The initial bug report failed to disclose these unlawful transactions, and when Kraken requested more information, the researchers chose not to provide it.
I analyzed the situation and instead of engaging in further discussions, the investors insisted on a face-to-face conversation with Kraken’s business development team. They refused to release the funds until Kraken provided an estimation of the potential financial repercussions if the discovered bug had been concealed. In their perspective, this request was considered extortion rather than ethical hacking as labeled by Percoco.
White hat hackers, who are security experts hired by companies like Kraken and Coinbase through their bug bounty programs, are encouraged to identify and disclose vulnerabilities in return for rewards. The rules of these initiatives dictate that the least intrusive method be used to expose the flaw, all acquired assets must be returned, and comprehensive details about the weakness should be shared.
As a crypto investor, I’ve been impressed by Kraken’s ability to weather recent challenges. Their Chief Security Officer, Nick Percoco, recently stated in a blog post, “We won’t name the research firm involved as they don’t merit recognition for their actions. We are treating this situation as a criminal case and collaborating with law enforcement agencies. We’re grateful that this issue was brought to our attention, but beyond that, our focus remains on addressing the matter at hand.”
Read More
Sorry. No data so far.
2024-06-19 20:04