On 8th of August, Kevin Joensen, a researcher at Doyensec, contacted our core contributors and responsibly disclosed a vulnerability found in BTCPay Server.
Impacted – Third-party hosts. Users that enabled registration for other users and are hosting their server to an unknown, potentially malicious actor.
Not impacted – Regular, self-hosted instances. Users that don’t allow registration to unknown, potentially malicious actors.
How to fix it
There is no evidence that the vulnerability has been exploited in practice. However, we encourage the impacted users to update their servers.
Several XSS issues were present in BTCPay Server where a malicious merchant could create a page which would leak the private SSH key of the host if the host was browsing the infected page.
BTCPay Server has three types of users:
- Host (Admin)
- Merchant (Users)
- Customers (Users paying to a merchant)
If you self-host BTCPay Server, then you are at the same time a host and a merchant. If you are a third party host provider, host and merchant are not the same user, because you’re allowing other users to register and use your instance.
The vulnerability influences only third-party hosts, that enabled registration for the untrusted users in Server Settings > Policies and their users. The registration for other users is disabled by default when BTCPay Server is deployed.
This vulnerability can only be leveraged by a malicious merchant
Third-Party hosts – If a malicious third-party target a third-party host, and the host clicked on the malicious link, the host could potentially reveal the SSH key of their server allowing a malicious third-party to control it. This could be used in an escalating manner and get control of the server and steal the funds from the Lightning Network
Third-party host users – Merchants of third party hosts could potentially get their information xpub and email address exposed to an untrusted party if the third party host clicked on a malicious link.
How did it happen:
<script>var name = “@Model.Name”;</script>
Kevin Joensen of Doyensec provided a proof of concept that showed us how the attack can be executed.
- 2019-08-07 – Kevin Joensen disclosed the vulnerability.
- 2019-08-08 – Kevin Joensen provided the proof of concept.
- 2019-08-09 – Vulnerability has been patched and pull request submitted
- 2019-08-09 – Pull request reviewed and merged, making sure no breaking changes are made.
- 2019-08-09 – we reached out to publicly known third-party hosts and notified them about the issue, those who we reached out to updated their instances.
- 2019-08-10 – 22.214.171.124 released
- 2019-08-11 – We acknowledged the vulnerability and wrote a blog post, urging affected users to update.
What we will do:
To mitigate the escalation in case a bug is discovered in the future, we will make sure that the SSH key can’t be retrieve with an ajax request.
You don’t need to do anything if:
- You are self-hosted (ie. not sharing your instance with merchants (users) you don’t trust)
- If you have not clicked onto any link made by a merchant using your server
If you do not fall in those category, and believe you may be affected, besides updating, our recommendation is:
- Edit ~/.ssh/authorized_keys on the host, and remove the ssh key of BTCP
aand review that there is no key you do not recognize
- Remove ~/.ssh/id_rsa_btcpay
This SSH key is used by the “Update” button in BTCPay Server.
Regenerate keys and commit the changes:
ssh-keygen -t rsa -f /root/.ssh/id_rsa_btcpay -q -P “” echo “# Key used by BTCPay Server” >> /root/.ssh/authorized_keys cat /root/.ssh/id_rsa_btcpay.pub >> /root/.ssh/authorized_keys . btcpay-setup.sh -i
If BTCPay Server gets enough funding in the future, we will definitively consider hiring Doyensec to perform a deeper security audit of our software.
We would like to thank Doyensec team for disclosing the vulnerability in a professional manner and making sure our users stay safe throught the process. We would like to invite other security researchers interested in reviewing the code of an open-source project, to take a look at our GitHub.