Binance Code and Internal Passwords Exposed on GitHub for Months (404media.co)
A highly sensitive cache of code, infrastructure diagrams, internal passwords, and other technical information belonging to cryptocurrency giant Binance has been sitting on a publicly accessible GitHub repository for months, 404 Media has learned. From a report: Binance only managed to have GitHub remove the data under a copyright takedown request last week, but not before 404 Media and other people managed to view it. Although there is no public evidence this data was accessed or used by malicious parties, the cache contained a wealth of information that could be useful to hackers looking to compromise Binance's systems.
"This account is using our client's internal code which poses significant risk to Binancec. and causes severe financial harm to Binance and user's confusion/harm," a section of the takedown request, available on GitHub, reads. Another section says the GitHub repository is "hosting and distributing leaks of internal code which poses significant risk to BINANCE." For example, one diagram included in a folder called "binance-infra-2.0" shows how the different parts of Binance's infrastructure and its dependencies connect to one another. The cache also contains a wealth of scripts and code. Some of that code appears to relate to how Binance implements passwords and multi-factor authentication. The code includes comments in both English and Chinese.
Imagine if this was a bank (Score:2)
It's kind of amazing that Binance hasn't been completely cleared out by North Korea or the first bored hacker to run across that info. If this were a bank, customers would be pulling everything out and there would be congressional hearings, and they'd probably lose their license to operate one way or another.
Why? (Score:3)
Re:Why? (Score:4, Interesting)
I think it speaks to the mentality and general quality of crypto projects.
Re:Why? (Score:4, Insightful)
I don't think they put it there.
Re: Why? (Score:2)
Re: (Score:2)
Well, the usual response is that the private company refuses to set up a GitHub or GitLab server insisting on using the "free" options.
The other response is that a contractor needs access to work on the code, the company refuses to give contractor VPN access, so they set up a GitHub account to mirror their local repository so the contractor could do their work.
The crypto trainwreck keeps derailing (Score:2)
Not only are they all scammers, they're not even very competent scammers.
Re:The crypto trainwreck keeps derailing (Score:4, Insightful)
You think mega-frauds like Binance don't practice incompetence by design?
Pretty sure 99% of the crypto-(exchange|mixer|banking|DeFi) bros absolutely WANT to be pwned, at least after they reach a critical mass. What better way to embezzle a bunch of customer funds and get away with it?
You get to say (multiple|unknown) threat actors compromised our systems and took the funds. There will be actual forensic evidence to support those claims, maybe even some patsies to point at; nobody would ever guess or be able to prove conclusively how much was already missing.
Whew! (Score:2)
Nice to see some crypto news involving simple incompetence rather than malfeasance.
Re: (Score:1)
Maybe. Who put the data there? Why? Where did they get it if they aren't an employee? The company had to file a takedown notice; it wasn't their account.