In August 2020, ELLIPAL got contacted by Towo Labs regarding vulnerabilities found in ELLIPAL’s website (www.ellipal.com) and ELLIPAL wallet’s XRP application. ELLIPAL had addressed the issue and fixed accordingly and rewarded Towo Labs with bounty prize. We would like to thank Towo Labs for keeping the crypto community secure and allow us to improve our wallet’s security even further.
Vulnerabilities were found in both the ELLIPAL website and ELLIPAL’s XRP application thanks to Towo Labs. ELLIPAL has accordingly fixed the vulnerabilities to ensure the security of every user.
1) Vulnerability of the ELLIPAL’s website
|
Vulnerability |
ELLIPAL’s Response |
|
In the vulnerability submission form and customized DIY ELLIPAL submission from, users can upload a wide range of files that should instead be forbidden.
|
We have fixed and now only allow limited type of files that can be uploaded.
|
|
Cross-site scripting vulnerability is detected at one particular endpoint.
|
This endpoint is now removed.
|
|
Host header injection vulnerability found at a few endpoints.
|
Fixed issue at this few endpoints.
|
|
Open redirection and link manipulation vulnerability at a few endpoints.
|
Fixed issue at this few endpoints.
|
|
ELLIPAL’s alternate website URL does not redirect to HTTPS automatically from HTTP and does not contain security header on HTTPS version.
|
Now all HTTP access is redirected to HTTPS. Now security report summary gives “A” rating.
|
2) Vulnerability of XRP Application of the ELLIPAL Wallet
|
Vulnerability |
ELLIPAL’s Response |
|
The ELLIPAL wallet does not parse and display DestinationTag field for payment transactions, allowing attacker to enter any DestinationTag and alter destination of the XRP.
|
DestinationTag field for XRP is now added and released on version v2.8.1
|
|
The ELLIPAL wallet does not parse and display the SendMax, DeliverMin or Flags fields for payment transactions, allowing attacker to set advanced payment flags, attacker control path and indirectly steal the full amount being sent.
|
This has been fixed in version v.2.8.1. For Cold Wallet, users are always able to check transfer information before signing, including destination tag field and will not lead to funds being lost.
|
|
The ELLIPAL wallet does not block unsupported transaction types. This allows an attacker to send a set regular key or set signer list transaction, leading to an Account Takeover vulnerability.
|
This has been fixed in version v.2.8.1. For Cold Wallet, users are always able to check transfer information before signing, including destination tag field and will not lead to funds being lost.
|
|
The ELLIPAL wallet does not verify the Account value in the transaction blob. This allows an attacker to spoof the sending account, leading to an Account Misuse vulnerability for anyone account with a regular key set.
|
This has been fixed in version v.2.8.1. For Cold Wallet, users are always able to check transfer information before signing, including destination tag field and will not lead to funds being lost.
|
|
Since the Ellipal wallet does not block unsupported transaction types and does not display the Fee field, an attacker can send for example an EscrowCreate transaction or specify an extremely large Fee to make the XRP become lost.
|
This has been fixed in version v.2.8.1. For Cold Wallet, users are always able to check transfer information before signing, including destination tag field and will not lead to funds being lost.
|
Special thanks to Mr. Markus Alvila Co-founder & CEO of Towo Labs (@RareData)
