CoinDesk CMS Vulnerability Let Hackers Trade on Nonpublic Info
February 4, 2022
A vulnerability in the content management system, or CMS, of leading cryptocurrency news site CoinDesk allowed hackers “to trade on nonpublic information ahead of the publication of at least one article,” according to the publication.
CoinDesk disclosed the breach in an article on Friday.
“CoinDesk has fixed an issue that exposed the headlines of articles saved as drafts in the crypto news publication’s content management system (CMS). The exploit, which was brought to CoinDesk’s attention by a white-hat hacker, may have allowed unidentified actors to profit from nonpublic information by making trades ahead of the publication of at least one article,” CoinDesk’s CEO Kevin Worth wrote in the article.
“The issue is now fixed and added safeguards have been put in place. We regret this unintended deviation from our commitment to level playing fields in crypto markets,” Worth added.
CoinDesk is one of the longest-running and most prominent news sources that focuses specifically on cryptocurrency and blockchain technology. It's also a trade publication that frequently posts industry news such as investment rounds. The company says its mission is to build “the most influential, trusted information platform for a global community engaged in the transformation of the financial system and the emerging crypto economy.”
Clearly, hackers thought it was important enough to break into its backend system to see what headlines were coming.
Do you have any information about this hack? Or do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com
CoinDesk did not immediately respond to a request for comment sent via email.
A former CoinDesk reporter, who asked to remain anonymous to avoid retaliation, said that he wasn’t surprised about the hack.
“[The CMS] broke all the time after they launched it, like pages wouldn't load and stuff,” he told Motherboard in an online chat. “They had this ridiculous thing with a green ball bouncing before a page loaded for a while. The place is…uh.”