We all have heard about blockchain fakes (in our case, blockchain.com), but have any of us mere mortals seen the implementation itself and what is a fake in general?
Buying a finished product on the market without knowing what it technically consists of is very risky. After all, over the past six months, or maybe a year, a lot of scammers have already been announced, which showed a fake demo and merged after receiving a large amount, but the article itself is not about that.
NON-STANDARD article contest - requires non-standard solutions)))
It was in the evening, there was nothing to do, and I decided to see how it is possible to implement a fake blockchain without having a general technical understanding of how others have implemented it, relying only on the description of the possibilities and documentation.
And so, for a moment, let's remember everything that we know about fakes.
In simple words, a fake is a full-fledged copy of the site with the only difference in the domain, where the main idea is that the visitor does not understand the substitution and enters the data we need.
And so, let's go!
First of all, we go to the site: https://login.blockc
hain.com
We notice the version data below and the link that leads to Github.
We go through it and see that the web interface sources are laid out in the repository!
Hmm... interesting, it turns out that it is possible to raise a copy of the web interface without any knowledge?
I couldn't believe my eyes, was it that easy? Who came up with the idea to lay out this stuff officially is not at all clear.
Next, read the instructions, try to install:
The result - well, "almost" a full-fledged fake
True, so far this fake does nothing in terms of sending data, which we will now do.
We need to find authorization in the files and try to add our own function.
We are looking for the keyword "login" in the files.
Find the main authorization file:
Open the file: packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js
Add a function for simple sending:
The most important thing left is to run it all on a test domain and see if it works.
Editing the hosts file:
Open http://login.blockchain.test and try to log in.
We look that nothing is happening, first of all we check the console:
Disappointment awaited me, it turns out that the API server does not allow making requests from outside due to CORS .
We think, we think, how is CORS solved? So after all, the usual reverse proxy at the web server level. Is not it so? Configuration file for Caddy's
simple reverse proxy web server :
What exactly does this config do - it simply proxies all requests to the blockchain.info domain and changes the response in which it allows CORS requests, you can do this on absolutely any web server - for ease of operation and clarity, Caddy was chosen as an excellent lightweight web server with automatic ssl support, which is written in Go.
Now we change the server API address in our web interface file, for this we open the config/env/production.js
file Change:
Meaning:
Let's try to log in again:
Hooray! Authorization was successful and a confirmation email was sent.
We just have to check the mail and open the letter:
Yes, but what the hell is my server IP doing here? ??
I thought for a moment, we only recently bypassed CORS, so this address is displayed, and then I remembered ... in all the topics where the fake was rented, it was written about such a feature as IP spoofing.
The point is that an ordinary user who finds himself on a fake when confirmed by mail will understand that this is someone else's IP address and simply will not confirm that it is not good. It turns out that without this feature, our fake is just a kind of powerful combine, this could be done on HTML + CSS.
We need to find some information about this spoof ... and so we remember:
After a little thought, after reading about IP spoofing again, I came to the conclusion that IP spoofing only works in UDP.
.
In an HTTP request, you cannot change the IP address, because HTTP works over the TCP protocol.
Is this the end? I was a little upset, brewed a cup of tea, and nevertheless decided once again to look at the site itself and the requests https://login.blockchain.comafter authorization:
Oh yes... very interesting sub-domain in the title x-original-host: wallet.prod.blockchain.info!
We need to know the details for all domains and IP addresses.
We make a request to find out where blockchain.info is located:
Now let's find out who owns the IP address:
It remains to find out where wallet.prod.blockchain.info is located:
Find out who owns the IP address again:
I froze for a moment: they use CloudFlare, but the main server to which requests are sent is in the Google cloud.
Trying to ping:
Opening the site itself:
404... hmm... something and the tea has already cooled down a lot - but oh well, because we found something very interesting here.
I was upset again, but for a moment I remembered that since the site is proxied through CloudFlare, and then transferred to Google Cloud, it means that they somehow transmit the necessary headers.
After all, anyone who has ever worked with CloudFlare knows that all requests to the server go: Visitor <-> CloudFlare <-> Server.
Therefore, to restore the visitor's real IP address, we need to read the documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs
And so, with the tea already cold, we continue our journey, the documentation says that in order to get the visitor's IP address, you need to get data from the CF-Connecting-IP headers, in our case, we need to send such a header, we try to start in a regular request:
Checking mail:
What I was extremely happy about, it remains to integrate this into our reverse proxy:
Authorization works, but for some reason the balance is not shown:
We open the console, then we see that the problem occurs due to the fact that /multiadd is available only to blockchain.info, and it simply does not exist in wallet.prod.blockchain.info:
It turns out that our reverse proxy is not quite universal. Add some logic to our reverse proxy:
Great! Now everything works great!
As a result, we already have: login and password capture + IP spoofing.
But this doesn’t give us anything, because we won’t be able to confirm by mail, and if the user still has two-factor authorization or blocking by IP address turned on, then it’s a real disaster.
We did something fake, but we won’t get any benefit from it if there is no permanent access to the account.
I decided to go back to basics and take another look at the web interface itself, we are interested in the security settings:
Interestingly, the secret recovery key allows anyone to access the account?! Sorry what? ?
I reread it a couple of times and only then it dawns that this secret key is something from the category of saints, if you lose it, you can lose money on your account.
And if it is shown in the web interface, then you can also send it to yourself, but first we need to check the capabilities of the secret key.
We enable two-factor verification + white list by IP address in the settings.
We just have to check, for this we connect through the second socks and follow the link where we enter the recovery key:
After entering the correct secret key, a form for changing the password appears:
We enter the password and click on Recover Funds and after that we get instantly into the account:
As a result, recovery through a secret key allows you to bypass any account restrictions: two-factor authorization + whitelisting by IP address.
It's just tinny, I thought for a minute ... so there's even no point in writing down the login password, you can just collect secret keys and restore accounts, and then turn off security settings, including changing the mailing address.
"So this is a feature, not a bug" - so the developers would say ... ?
Now it remains for us to add all the missing features to the fake itself.
1) Secret recovery key.
We look for " recovery " in the files, we find the only function " recoverySaga ", which displays the private recovery key:
We need to change it a bit, open the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts
Add a function to return the secret key in a format convenient for us:
You still need to send this data, add the send function:
2) Optional confirmation password aka second pass.
Looking in the files for "SecondPassword" we find an amazing function call:
Wonderful. This is exactly what we needed.
Open the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts
Add a function to send second password data:
We will call the function a little later.
3) Balance
If there is information about the balance of the wallet, it will be easier to understand which account needs to be restored instantly and in the future just add notifications.
Looking in the files for "balances", we find an equally amazing function call in the same file that we edited earlier:
Add a function to send balance data:
Now, after authorization, in order to send, we need to change the file packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js:
We are looking for a function:
Add after it
After that, we need to add a new function to the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts:
In the same file we are looking for:
Add after it
In file packages/blockchain-wallet-v4-frontend/src/data/goals/types.ts:
After " referral ", add " sendData ".
Ready! Our flawless fake with all the possibilities has been created.
For clarity, I would also like to post materials with detailed instructions for installing on the server:
- Fake (configs + scripts, vps-1 server)
- Reverse proxy (configs + scripts, vps-2 server)
- Simple admin panel (configs + scripts, server vps-3)
PS: it’s possible that abuses will fly that private goes to public, but no, friends - anyone could reach this and it shows exactly how the result was achieved, and not just a ready-made solution is laid out.
This article is a direct confirmation that nothing is impossible.
Just try and you will achieve everything and always.
"With great power comes great responsibility"
Buying a finished product on the market without knowing what it technically consists of is very risky. After all, over the past six months, or maybe a year, a lot of scammers have already been announced, which showed a fake demo and merged after receiving a large amount, but the article itself is not about that.
NON-STANDARD article contest - requires non-standard solutions)))
It was in the evening, there was nothing to do, and I decided to see how it is possible to implement a fake blockchain without having a general technical understanding of how others have implemented it, relying only on the description of the possibilities and documentation.
And so, for a moment, let's remember everything that we know about fakes.
In simple words, a fake is a full-fledged copy of the site with the only difference in the domain, where the main idea is that the visitor does not understand the substitution and enters the data we need.
And so, let's go!
First of all, we go to the site: https://login.blockc
hain.com
We notice the version data below and the link that leads to Github.
We go through it and see that the web interface sources are laid out in the repository!
Hmm... interesting, it turns out that it is possible to raise a copy of the web interface without any knowledge?
I couldn't believe my eyes, was it that easy? Who came up with the idea to lay out this stuff officially is not at all clear.
Next, read the instructions, try to install:
The result - well, "almost" a full-fledged fake
True, so far this fake does nothing in terms of sending data, which we will now do.
We need to find authorization in the files and try to add our own function.
We are looking for the keyword "login" in the files.
Find the main authorization file:
Open the file: packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js
Add a function for simple sending:
The most important thing left is to run it all on a test domain and see if it works.
Editing the hosts file:
Open http://login.blockchain.test and try to log in.
We look that nothing is happening, first of all we check the console:
Disappointment awaited me, it turns out that the API server does not allow making requests from outside due to CORS .
We think, we think, how is CORS solved? So after all, the usual reverse proxy at the web server level. Is not it so? Configuration file for Caddy's
simple reverse proxy web server :
What exactly does this config do - it simply proxies all requests to the blockchain.info domain and changes the response in which it allows CORS requests, you can do this on absolutely any web server - for ease of operation and clarity, Caddy was chosen as an excellent lightweight web server with automatic ssl support, which is written in Go.
Now we change the server API address in our web interface file, for this we open the config/env/production.js
file Change:
Meaning:
Let's try to log in again:
Hooray! Authorization was successful and a confirmation email was sent.
We just have to check the mail and open the letter:
Yes, but what the hell is my server IP doing here? ??
I thought for a moment, we only recently bypassed CORS, so this address is displayed, and then I remembered ... in all the topics where the fake was rented, it was written about such a feature as IP spoofing.
The point is that an ordinary user who finds himself on a fake when confirmed by mail will understand that this is someone else's IP address and simply will not confirm that it is not good. It turns out that without this feature, our fake is just a kind of powerful combine, this could be done on HTML + CSS.
We need to find some information about this spoof ... and so we remember:
After a little thought, after reading about IP spoofing again, I came to the conclusion that IP spoofing only works in UDP.
.
In an HTTP request, you cannot change the IP address, because HTTP works over the TCP protocol.
Is this the end? I was a little upset, brewed a cup of tea, and nevertheless decided once again to look at the site itself and the requests https://login.blockchain.comafter authorization:
Oh yes... very interesting sub-domain in the title x-original-host: wallet.prod.blockchain.info!
We need to know the details for all domains and IP addresses.
We make a request to find out where blockchain.info is located:
Now let's find out who owns the IP address:
It remains to find out where wallet.prod.blockchain.info is located:
Find out who owns the IP address again:
I froze for a moment: they use CloudFlare, but the main server to which requests are sent is in the Google cloud.
Trying to ping:
Opening the site itself:
404... hmm... something and the tea has already cooled down a lot - but oh well, because we found something very interesting here.
I was upset again, but for a moment I remembered that since the site is proxied through CloudFlare, and then transferred to Google Cloud, it means that they somehow transmit the necessary headers.
After all, anyone who has ever worked with CloudFlare knows that all requests to the server go: Visitor <-> CloudFlare <-> Server.
Therefore, to restore the visitor's real IP address, we need to read the documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs
And so, with the tea already cold, we continue our journey, the documentation says that in order to get the visitor's IP address, you need to get data from the CF-Connecting-IP headers, in our case, we need to send such a header, we try to start in a regular request:
Checking mail:
What I was extremely happy about, it remains to integrate this into our reverse proxy:
Authorization works, but for some reason the balance is not shown:
We open the console, then we see that the problem occurs due to the fact that /multiadd is available only to blockchain.info, and it simply does not exist in wallet.prod.blockchain.info:
It turns out that our reverse proxy is not quite universal. Add some logic to our reverse proxy:
Great! Now everything works great!
As a result, we already have: login and password capture + IP spoofing.
But this doesn’t give us anything, because we won’t be able to confirm by mail, and if the user still has two-factor authorization or blocking by IP address turned on, then it’s a real disaster.
We did something fake, but we won’t get any benefit from it if there is no permanent access to the account.
I decided to go back to basics and take another look at the web interface itself, we are interested in the security settings:
Interestingly, the secret recovery key allows anyone to access the account?! Sorry what? ?
I reread it a couple of times and only then it dawns that this secret key is something from the category of saints, if you lose it, you can lose money on your account.
And if it is shown in the web interface, then you can also send it to yourself, but first we need to check the capabilities of the secret key.
We enable two-factor verification + white list by IP address in the settings.
We just have to check, for this we connect through the second socks and follow the link where we enter the recovery key:
After entering the correct secret key, a form for changing the password appears:
We enter the password and click on Recover Funds and after that we get instantly into the account:
As a result, recovery through a secret key allows you to bypass any account restrictions: two-factor authorization + whitelisting by IP address.
It's just tinny, I thought for a minute ... so there's even no point in writing down the login password, you can just collect secret keys and restore accounts, and then turn off security settings, including changing the mailing address.
"So this is a feature, not a bug" - so the developers would say ... ?
Now it remains for us to add all the missing features to the fake itself.
1) Secret recovery key.
We look for " recovery " in the files, we find the only function " recoverySaga ", which displays the private recovery key:
We need to change it a bit, open the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts
Add a function to return the secret key in a format convenient for us:
You still need to send this data, add the send function:
2) Optional confirmation password aka second pass.
Looking in the files for "SecondPassword" we find an amazing function call:
Wonderful. This is exactly what we needed.
Open the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts
Add a function to send second password data:
We will call the function a little later.
3) Balance
If there is information about the balance of the wallet, it will be easier to understand which account needs to be restored instantly and in the future just add notifications.
Looking in the files for "balances", we find an equally amazing function call in the same file that we edited earlier:
Add a function to send balance data:
Now, after authorization, in order to send, we need to change the file packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js:
We are looking for a function:
Add after it
After that, we need to add a new function to the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts:
In the same file we are looking for:
Add after it
In file packages/blockchain-wallet-v4-frontend/src/data/goals/types.ts:
After " referral ", add " sendData ".
Ready! Our flawless fake with all the possibilities has been created.
For clarity, I would also like to post materials with detailed instructions for installing on the server:
- Fake (configs + scripts, vps-1 server)
- Reverse proxy (configs + scripts, vps-2 server)
- Simple admin panel (configs + scripts, server vps-3)
PS: it’s possible that abuses will fly that private goes to public, but no, friends - anyone could reach this and it shows exactly how the result was achieved, and not just a ready-made solution is laid out.
This article is a direct confirmation that nothing is impossible.
Just try and you will achieve everything and always.
"With great power comes great responsibility"
