An Overview of Official MyCrypto Applications

This document is meant to allow hackers to skip the recon stage and get straight into trying to find vulnerabilities. It outlines the in-scope domains, the software behind them, and a brief description of their functions.

Our responsible disclosure program policy can be found at - https://security.mycrypto.com.

(www.)mycrypto.com

What It Does

This is the domain for our main application - the interface for the blockchain. This is where users will come to interact with their funds, and sign transactions with private keys.

What to Look For

Since the platform is non-custodial (meaning we don't store users' keys), we are especially interested in how a bad actor could exploit potential attack vectors to steal user funds/keys.

The application is open-source on GitHub: https://github.com/MyCryptoHQ/MyCrypto.

What It Runs On

The domain itself points to an AWS instance and is delivered using CloudFront.

It is built with Typescript and Javascript (React framework).

https://builtwith.com/mycrypto.com

buy.mycrypto.com

What It Does

This is an application that uses Simplex to enable users to purchase ETH and BTC with a credit card. The purchasing process is handled by Simplex but the UI is hosted by MyCrypto.

What to Look For

The application is a simple UI form that redirects the user to Simplex. We are interested in ways the application can be exploited to redirect users away from Simplex. Since it is stateless, your best bet is reflected XSS (type II) or DOM-based XSS (type-0).

The application is open-source on GitHub: https://github.com/MyCryptoHQ/buy.mycrypto.com.

What It Runs On

The application is delivered via Cloudflare and runs on an Express server.

It is built with Javascript.

https://builtwith.com/buy.mycrypto.com

support.mycrypto.com

What It Does

This is our knowledge base, which contains a lot of articles that we point users to when they are in need of support. It is viewed as a trusted source of truth for users.

What to Look For

As the application is viewed as a trusted source of truth, we are interested in ways a bad actor could modify the contents of an article to misinform users or otherwise use the platform to give false information.

The application is open-source on GitHub: https://github.com/MyCryptoHQ/knowledge-base.

What It Runs On

The application is delivered via GitHub pages.

It is built with Typescript and Javascript (Gatsby framework).

https://builtwith.com/support.mycrypto.com

overflow.mycrypto.com

What It Does

This is a product page for some of our peripheral systems/applications that we use within our main product (mycrypto.com).

What to Look For

The application is essentially a directory for some of the other products we manage. Your route is reflected XSS (type II) or DOM-based XSS (type-0).

The application is open-source on GitHub: https://github.com/MyCryptoHQ/Overflow.

What It Runs On

The application is delivered via GitHub pages.

It is built with Typescript and Javascript (React framework).

https://builtwith.com/overflow.mycrypto.com

about.mycrypto.com

What It Does

An application detailing who is on the team and any job opening we have available.

What to Look For

The application is essentially a directory of jobs and people who work for MyCrypto. Links to dead off-domain profiles that can be harnessed to give false information to users is one attack vector that we are interested in.

The application is open-source on GitHub: https://github.com/MyCryptoHQ/about.mycrypto.com.

What It Runs On

The application is delivered via GitHub pages and cached behind Cloudfront.

It is built with Javascript.

https://builtwith.com/about.mycrypto.com

beta.mycrypto.com

What It Does

This sub-domain for our main application is our public staging area for all new features that will go into production after the development cycle is completed.

What to Look For

Since the platform is non-custodial (meaning we don't store users keys), we are especially interested in how a bad actor could exploit potential attack vectors to steal user funds/keys (such as altering a transaction to sign).

The application is open-source on GitHub: https://github.com/MyCryptoHQ/MyCrypto.

What It Runs On

The application is delivered via GitHub pages.

It is built with Typescript and Javascript (React framework).

https://builtwith.com/beta.mycrypto.com

download.mycrypto.com

What It Does

This application offers a download (Electron app) of our main product (mycrypto.com) for users to run offline. There are alow tools available also on the site that can be used to verify download checksums.

What to Look For

As the downloaded application is utilized for signing transactions, we are interested in invalid signed checksums being published/spoofed or any methods that can be used to circumvent the legitimate application from being downloaded.

The application is open-source on GitHub: https://github.com/MyCryptoHQ/download.mycrypto.com.

The downloaded application is generated with Electron based on our main repo https://github.com/MyCryptoHQ/MyCrypto

What It Runs On

The domain itself points to an AWS instance and delivered using CloudFront.

It is built with Typescript and Javascript.

https://builtwith.com/download.mycrypto.com

etherscamdb.info

What It Does

This application indexes details on scams within the ecosystem, read from a YAML file. It offers a simple GET API to return various pieces of data from the YAML file.

It has reporting functionality by which users can input data and submit to a PHP script hosted on a separate server.

What to Look For

As the application is a source of trust for users, we are interested in ways you can harness the application to deliver bad data (i.e.: XSS or unvalidated redirects).

The application is open-source on GitHub: https://github.com/MrLuit/EtherScamDB.

What It Runs On

It is hosted on a Ubuntu server, serving via Express server.

It is built with Javascript (NodeJS).

https://builtwith.com/etherscamdb.info

cryptoscamdb.org

What It Does

This application indexes details on scams within the ecosystem, read from a YAML file. It offers a simple GET API to return various pieces of data from the YAML file.

It has reporting functionality by which users can input data and submit to a script hosted on a separate server.

What to Look For

As the application is a source of trust for users, we are interested in ways a bad actor can harness the application to deliver bad data (i.e.: XSS or invalidated redirects). Including the frontend, we are interested in any unauthorized successful requests on restricted endpoints.

The application is open-source on GitHub https://github.com/CryptoScamDB/frontend-gatsby with a backend API https://github.com/CryptoScamDB/api.cryptoscamdb.org.

What It Runs On

It is served via AmazonS3 and cached with Cloudfront.

It is built with Typescript and Javascript (Gatsby framework).

https://builtwith.com/cryptoscamdb.org

ambo.io

What It Does

This is the homepage of Ambo, which details the product and provides download links

What to Look For

As it is the source of truth for anything Ambo related, we are interested in ways a bad actor can modify data without authorization. There is a CMS backend, so we are interested in any unauthorized access and other exploits that would allow someone to post malicious content.

What It Runs On

It is served via Godaddy.

It is built with PHP 5.6 (Wordpress platform).

https://builtwith.com/ambo.io

ambo.herokuapp.com

What It Does

This is a communication proxy between the Ambo iOS app and third-party APIs. It does inbound and outbound data transfers - including creating 0x protocol orders.

What to Look For

No user secrets are stored/sent here but because sends data to the app, we are interested in modifications to the requests that can confuse users, display bad data, and/or alter 0x order creation.

What It Runs On

It is served on a Heroku Dyno.

It is built with Express and NodeJs.

Ambo iOS App

What It Does

A mobile wallet that serves as a gateway for accessing decentralized protocols (ie 0x) and storing users' keys that are used to access their Ethereum funds.

What to Look For

Wallet creation process (key derivation process and such), interaction with protocols, transfer and storage of tokens and Ether, and/or manipulation of transactions.

What It Runs On

It is served via the iOS App Store.

It is built using Swift 4.2, made for devices >= iOS11.0.

analytics.mycryptoapi.com

What It Does

A self-hosted analytics platform.

What to Look For

Any unauthorized access or data leakage. Although we don't store any personal identifiable information for analytics (it's all anonymized data), we consider any outsider eyes a threat.

What It Runs On

It is hosted on an Amazon EC2 instance proxied with ELB.

It is built using Matomo (Piwik) for the analytics

gas.mycryptoapi.com

What It Does

This is a hosted solution for the estimated of gas needed for Ethereum transactions.

What to Look For

Being able to modify the values returned to get people to spend either too much gas (waiting money/making transactions super expensive) or too little, which can make transactions stall in "pending" so long that it upsets the user experience.

What It Runs On

The service is routed through Cloudfront with Amazon S3.

The application is running in an ECS container.

proxy.mycryptoapi.com

What It Does

This is a web proxy to relay API requests to third-parties.

What to Look For

This is our main gateway to retrieve data for our applications. We are mainly interested in any exposure of secret keys to APIs or modification of cached results, which could upset the user experience by giving false information.

What It Runs On

The service is routed through Cloudfront to an Amazon API Gateway.

Other Domains

*.mycrypto.com

Most of the things a typical user is interested on will be on the mycrypto.com domain - including various subdomains.

• legacy.mycrypto.com - the old interface look
• summer.mycrypto.com - our crypto summer calendar
• winter.mycrypto.com - our crypto winter calendar
• 0x.mycrypto.com - holding the 0x protocol code used by the MyCrypto interface

mycryptoapi.com

This domain holds many background processes that we rely on.

• raidentransport.mycryptoapi.com - [matrix] server for Raiden related stuff
• api.mycryptoapi.com - handles requests to our Blockchain RPC nodes
• apis.mycryptoapi.com - used for weighted load balancing between two regions
• monero.mycryptoapi.com - used for the backend of monerovision.com

mycryptobuilds.com

This domain is for staging and QA to test builds for our blockchain interface. Since the code running the interface is in test phase, there may be bugs - don't use it with the same conviction as production (mycrypto.com).

• mycryptobuilds.com - serves QA builds for the blockchain interface

Other

These are other domains in the MyCrypto family.

• etherscamdb.info - a directory of scams in the ecosystem
• cryptoscamdb.org - a directory of scams in the ecosystem
• defiscan.io - a read-only snapshot explorer for decentralised finance
• monerovision.com - a block explorer for Monero
• ambo.io - the homepage for the Ambo wallet
• findeth.io - a tool to help you find lost ether or address

Official Email From MyCrypto

If you recieve a communication that looks like it's from MyCrypto but doesn't come from one of the domains listed, please be careful as it may contain malware or be a phishing attempt.

You can signup to our newsletter by looking in the footer at MyCrypto.com

• mycrypto.com - all emails from employees and support staff

We have a newsletter that we send out monthly as well as communicate with you if you open any support ticket. Communications will only come from;

• newsletter@mycrypto.com - for newsletter communications
• noreply@mycrypto.com - for newsletter communications
• support@mycrypto.com - for any support tickets
• security@mycrypto.com - for any security related tickets