Hardcoded Support System Signing Secret Enables Customer Impersonation
The Risk
A cryptocurrency exchange's Android app contained a secret key that could be used to impersonate any customer in their support system. An attacker could read every support conversation, download identity verification documents, and send messages pretending to be any customer. Victim identifiers were publicly available on the exchange's copy trading leaderboard, meaning no prior access to the target was needed. Testing found that 20% of randomly sampled users had accessible support data.
The Vulnerability
The app stored the support system's signing secret in encrypted form, but the encryption key and initialization vector were both hardcoded in the same code files. Anyone who can read the app's code can therefore decrypt the secret exactly as the app does, so the encryption layer provided no real protection. Once recovered, the signing secret allowed the creation of valid authentication tokens for any user, because the app itself computed those tokens client-side from a user identifier it controlled.
The Attack
After extracting the signing secret from the app, the attacker created authentication tokens using victim identifiers harvested from the public trading leaderboard (no login required). Each forged token granted full access to that user's support record, including reading all conversations, downloading attachments (identity documents, screenshots), and sending messages as the victim.
The Impact
Real IP addresses, device details, internal risk scores, VIP levels, and email addresses were exposed through support metadata. Identity verification documents submitted during account setup were downloadable.
Messages could be sent as the victim to manipulate ongoing support cases, request changes, or social-engineer support agents. 20% of randomly sampled public leaderboard users had accessible data.
Remediation
- Rotate the support system signing key immediately.
- Move token signing to the server side.
- Remove the encrypted secret from the app.
- Rotate the encryption key used to protect other secrets in the same app.
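The remediation items above amount to one design change: the signing secret stays on the exchange's backend, and the user identifier placed in a support token is taken from the caller's authenticated session rather than from anything the app sends. The following is an added example of that server-side pattern; it is not code from the exchange or its support vendor, and the token format (a minimal HS256 JWT), the `SupportTokenService` class, the `Session` type and the test secret are all constructed assumptions for illustration.

```python
"""
Server-side issuance of support-system identity tokens.

Added illustration (not code from the exchange or its support vendor).
The vulnerable design kept the signing secret inside the Android app and
let the app choose the user id it signed for. Here the secret exists only
on the server and the subject of every token is the authenticated session's
own user id, so a client cannot obtain a token for anyone else.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass(frozen=True)
class Session:
    """Outcome of the app's normal login; the server trusts only this object."""
    user_id: str
    authenticated: bool


class SupportTokenService:
    """Runs on the exchange's backend. The signing secret never reaches the app."""

    def __init__(self, signing_secret: bytes, ttl_seconds: int = 300):
        self._secret = signing_secret          # constructed test secret in the demo
        self._ttl = ttl_seconds                # short lifetime limits replay

    def _sign(self, signing_input: bytes) -> bytes:
        return hmac.new(self._secret, signing_input, hashlib.sha256).digest()

    def mint(self, session: Session, now: Optional[float] = None) -> str:
        """Create a token whose subject is fixed to the logged-in user."""
        if not session.authenticated:
            raise PermissionError("login required before a support token is issued")
        now = time.time() if now is None else now
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                    separators=(",", ":")).encode())
        payload = _b64url(json.dumps(
            {"sub": session.user_id, "iat": int(now), "exp": int(now) + self._ttl},
            separators=(",", ":")).encode())
        signing_input = f"{header}.{payload}".encode("ascii")
        return f"{header}.{payload}.{_b64url(self._sign(signing_input))}"

    def handle_request(self, session: Session,
                       requested_user_id: Optional[str] = None) -> str:
        """API handler: the client may ask for a token but never pick its subject."""
        if requested_user_id is not None and requested_user_id != session.user_id:
            raise PermissionError("token subject must match the authenticated session")
        return self.mint(session)

    def verify(self, token: str, now: Optional[float] = None) -> dict:
        """What the support system does with a presented token (same shared secret)."""
        try:
            header, payload, signature = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        expected = self._sign(f"{header}.{payload}".encode("ascii"))
        # Constant-time comparison; a tampered subject invalidates the signature.
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload))
        now = time.time() if now is None else now
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        return claims
```

With this split, rotating the signing secret is a server-only change: no app release is needed, and an attacker who decompiles the app finds nothing to sign with.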