n0mad01 / node.bittrex.api

No longer maintained
MIT License

Stolen Bitcoins using API Key #57

Closed masalinas closed 7 years ago

masalinas commented 7 years ago

Hello,

Yesterday my $100 in bitcoins was stolen from my BTC wallet in Bittrex. I was using your nodejs library to connect to my account and make some tests. I have my account with 2FA to have my API tokens and connect to the Bittrex API. I sent a ticket to Bittrex support and the response was:

"I'm sorry that your account has been hacked. Unfortunately, there is nothing we can do to recover your funds. For your protection, we ask traders to set unique complex passwords and enable 2FA to protect their accounts from being hacked in this manner.

This withdrawal was made with your API key, at some point leaked your API key in order for someone to be able to make this withdrawal without having to log into your account. "

How is it possible that my API tokens were stolen from your library???

Regards.

dparlevliet commented 7 years ago

It's not. Someone got your API keys; the fact you use this library is a coincidence. You should use the whitelist IP feature in the Bittrex settings to ensure the API can only be accessed from servers you control, and don't allow withdrawals via the API.

masalinas commented 7 years ago

Of course somebody stole my API keys, of course. I created the API tokens yesterday to test Bittrex with your library, believe me. The question is how it is possible that these tokens were stolen.

When you listen to the websocket you must pass the apikey and the apisecret to connect. This is the code that I used for that:

// bittrex secret tokens (added: read API_KEY / API_SECRET from the
// environment so they are never hard-coded or committed)
var bittrex = require('node.bittrex.api');
var API_KEY = process.env.BITTREX_API_KEY;
var API_SECRET = process.env.BITTREX_API_SECRET;

bittrex.options({
    'apikey' : API_KEY,
    'apisecret' : API_SECRET
});

// listen to Bittrex WebSocket
var websocketsclient = bittrex.websockets.listen(function (data) {
    if (data.M === 'updateSummaryState') {
        data.A.forEach(function (data_for) {
            // ... handle each market summary
        });
    }
});

I was using this code for one hour, and during this time somebody stole my API tokens, I don't know how, and made a bitcoin withdrawal from my account to a remote address.

As you see, the time interval between creating the tokens and testing my test API is short and coincides with the theft.

How is that possible??

dparlevliet commented 7 years ago

The websocket does not send API keys to connect. The API keys are only used for private actions like purchase/sale. My guess is someone has access to your server/pc. You can review the code in this library and see that it does nothing with your API keys except send them to Bittrex for the API calls that Bittrex needs them for. I'm sorry, but this is a coincidence - you should review the system you used because clearly they have access to the code you were testing with or the system you used to generate the API keys via the browser.

dparlevliet commented 7 years ago

Next time you generate API keys make sure the WITHDRAW is set to Off.

[image: screenshot of the recommended API key permissions]

masalinas commented 7 years ago

My server is my personal PC behind my router, inside my house. It is impossible that anybody has access to my PC; my account in Bittrex has 2FA configured, and I don't understand why for any withdrawal from the site you must enter a 6-digit confirmation code, but if you use the API there is no such check on me.

The problem is that I had withdraw active, but if this possibility exists, why not? I know now that it is better to disable it ;(

One question:

What is the difference between:

Read INFO: ?
Trade limit: ?
Trade market: ?
Withdraw: ?

dparlevliet commented 7 years ago

The API bypasses the 2FA and all credentials; that's the point of an API - it's to allow scripts to automate the processes without human intervention. I'm sorry to say, but if someone got your API keys and stole your Bitcoin using API keys that were generated and stored on your computer, then your computer and network are not safe. It's clearly not impossible because .. it happened.

I'm sorry you lost your bitcoin, but you must now go and secure your computer and your network because it's compromised, and if you buy more Bitcoin and try to use the API they will steal it again. But, more than that, all of your credentials for all of your other sites are now at risk. Also be sure to delete that API key from Bittrex you created.

Read INFO - Allows you to read private details such as open orders, order history, balances, etc.
Trade Limit - Allows you to create/cancel limit buy/sell orders.
Trade Market - Allows you to create/cancel market buy/sell orders.
Withdraw - Allows you to withdraw to another address (this is the one they used).

dparlevliet commented 7 years ago

OK, I found the issue. You committed your API key to the program you are creating:

https://github.com/masalinas/coin-machine/blob/master/common/models/Bittrex.js

You must protect your API keys, you cannot distribute them otherwise people will exploit them.

masalinas commented 7 years ago

Ohhh what stupid I am, I made a big mistake with this ;(, thanks for that, this was the problem ...

dparlevliet commented 7 years ago

No problem. Sorry you lost your coins :(

dparlevliet commented 7 years ago

Bittrex has an IP whitelist - this will stop anyone but you being able to perform actions, I suggest you find it and set it to your IP. Even if your IP changes, it's still better to have the hassle of having to keep updating it than to risk losing everything.

n0mad01 commented 7 years ago

hi, i'm also sorry for your lost coins, you got to be very careful with this kind of things.

@dparlevliet thanks!

dparlevliet commented 7 years ago

@n0mad01 I think scenarios like this might be quite common now and in the future so it might be worth including a copy of the recommended API permissions screenshot that I included above and mentioning the IP whitelisting. Although it's not our responsibility, it still wouldn't hurt to give some guidance.

n0mad01 commented 7 years ago

@dparlevliet you're right, i've also thought of that and was about to ask if i can use the screen you've already uploaded (and also the description of the API permissions).

dparlevliet commented 7 years ago

Sure, no problem

masalinas commented 7 years ago

I'll go further: the API from Bittrex, and I suppose from other trading platforms, must keep the 2FA security ...

dparlevliet commented 7 years ago

That's not how trading APIs work. They're intended to be used by bots or third-parties - if the 2FA was enforced then automated trading bots could not exist.

n0mad01 commented 7 years ago

i think he meant the withdrawals only, an extra email confirmation could make sense in this case - on the other hand, it would make automated arbitrage impossible.

dparlevliet commented 7 years ago

Yep. Firefly bots I like to call them

n0mad01 commented 7 years ago

[image: bittrex_ap_keys_control]

n0mad01 commented 7 years ago

ok, i've added this info to the readme, i hope it helps to avoid such incidents in the future.

3photons commented 6 years ago

I know this is an old posting, but can you tell me whether it is safe to send the API key and secret key to a third party with read info, trade limit, and trade market set to ON and withdraw set to OFF?

dparlevliet commented 6 years ago

if you're worried about them being able to take the money out of your account, you're safe - you would only have to worry about them selling all your assets. Also, ensure not to use an email address on that third-party system that is the same as your bittrex account.

3photons commented 6 years ago

Thank you!
