Majority of Monero 3rd Party Wallets Vulnerable to Theft, Says Security Advisory

by Samburaj Das, September 20, 2016


A security firm has published an advisory that warns Monero users of a vulnerability that would enable a hacker to steal the cryptocurrency from a majority of third-party digital wallets.

Monero, the newly budding and far more anonymous younger crypto-cousin of bitcoin, is vulnerable to an attack that would allow attackers to remotely steal the cryptocurrency from users’ third-party wallets.


Researchers at security firm MWR Labs discovered the vulnerability and classified the exploit as a “Cross Site Request Forgery” (CSRF) attack.

A successful exploit would require the attacker to pull off a minimal feat of social engineering: directing users to a webpage hosting the exploit.

The researchers used the cryptocurrency’s most popular wallet – the Monero SimpleWallet – to execute the exploit.

As detailed in their blog, MWR Labs’ researchers pointed to a vulnerability in the remote procedure call (RPC) web service hosted by SimpleWallet. Researchers wrote:

Monero SimpleWallet hosts an RPC web service on localhost, port 18082, the web service requires no authentication to initiate functions such as making payments, and can be compromised through a Cross Site Request Forgery attack.

Elaborating on a Cross Site Request Forgery attack, the researchers said it “forces a user’s web browser to execute unwanted actions against web applications or web services they are authenticated with.”

Underlining the attack’s effectiveness in the case of Monero, the researchers added:

In this case, by directing a user to a malicious web page, an attacker could make a payment from the user’s wallet to their own wallet.
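To make the vulnerability class concrete, here is an added example (not code from MWR Labs, this article, or the Monero project) of the request-level checks a wallet JSON-RPC service bound to localhost can apply so that a browser-driven cross-site request is refused while a legitimate local client is still served. The port 18082 and the localhost binding come from the advisory quoted above; the bearer token value, the `make_payment` method name, and the two sample requests are constructed for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Values from the article: the RPC service listens on localhost, port 18082.
RPC_PORT = 18082
# Constructed: a real deployment would generate a random secret at startup.
API_TOKEN = "example-secret-token"
# No browser-based client is expected, so no origin is allowed.
ALLOWED_ORIGINS = set()


@dataclass
class RpcRequest:
    """Minimal view of an HTTP request reaching the RPC endpoint (hypothetical type)."""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def evaluate_request(req: RpcRequest) -> Tuple[bool, str]:
    """Decide whether the request may invoke a wallet method.

    Returns (accepted, reason). Listening on localhost alone does not stop CSRF,
    because the victim's own browser sits on localhost; each check below closes
    one path a malicious web page could use.
    """
    h = {k.lower(): v for k, v in req.headers.items()}

    # 1. The Host header must name the loopback endpoint we actually serve.
    if h.get("host") not in (f"127.0.0.1:{RPC_PORT}", f"localhost:{RPC_PORT}"):
        return False, "unexpected Host header"

    # 2. Browsers attach an Origin header to cross-site POSTs; a native local
    #    client does not. Any foreign origin is rejected outright.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-site request from origin {origin}"

    # 3. An auto-submitted HTML form can only send text/plain or form encodings.
    #    Requiring application/json forces a CORS preflight, which fails without
    #    an explicit Access-Control-Allow-Origin response.
    content_type = h.get("content-type", "").split(";")[0].strip()
    if content_type != "application/json":
        return False, "body is not application/json"

    # 4. Authentication: a secret the page of another origin cannot know or attach.
    if h.get("authorization") != f"Bearer {API_TOKEN}":
        return False, "missing or wrong authorization token"

    # 5. Only then parse the JSON-RPC body and dispatch by method name.
    try:
        payload = json.loads(req.body)
    except json.JSONDecodeError:
        return False, "malformed JSON body"
    if not isinstance(payload.get("method"), str):
        return False, "no method in request"
    return True, f"ok: {payload['method']}"


# Constructed: what a victim's browser would emit when a malicious page
# auto-submits a form to the local endpoint (no token, no JSON content type).
CSRF_REQUEST = RpcRequest(
    headers={
        "Host": f"127.0.0.1:{RPC_PORT}",
        "Origin": "http://attacker.example",
        "Content-Type": "text/plain",
    },
    body='{"jsonrpc":"2.0","method":"make_payment","params":{"to":"<constructed>"}}',
)

# Constructed: the same call from a legitimate local client holding the token.
LOCAL_REQUEST = RpcRequest(
    headers={
        "Host": f"127.0.0.1:{RPC_PORT}",
        "Content-Type": "application/json",
        "Authorization": f"Bearer {API_TOKEN}",
    },
    body='{"jsonrpc":"2.0","method":"make_payment","params":{"to":"<constructed>"}}',
)


if __name__ == "__main__":
    for name, req in (("cross-site form post", CSRF_REQUEST), ("local client", LOCAL_REQUEST)):
        accepted, reason = evaluate_request(req)
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'} ({reason})")
```

The checks are deliberately layered: even if a browser omitted the Origin header, the content-type rule and the token rule would each still reject the forged request on their own, which is why an unauthenticated endpoint that accepts any body is the root problem rather than the port number.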

Most Monero Third-Party Wallets Vulnerable

Furthermore, the advisory states that third-party wallets use SimpleWallet in its RPC mode, before concluding that “the majority of third party wallets” are vulnerable to the attack.

The researchers include the script that performs the CSRF attack in the advisory, pointing to its ability to “automatically steal Monero from the wallet of any user who visited the webpage.”

MWR researchers disclosed the vulnerability to Monero on September 6th, with the latter acknowledging the issue a day later. The cryptocurrency’s developers pointed to a hotfix patch to be released alongside an official GUI wallet – in development at the time – that would not use the RPC service.

That hotfix went live yesterday, September 19th.

Following the release of the updated version containing the hotfix, MWR researchers recommended that users transfer their funds from other third-party wallets to the newly updated SimpleWallet.

However, that patch has not taken effect, as it is disabled by default, leaving Monero users still vulnerable.

At the time of publishing, researchers’ advice stands:

As this vulnerability is still exploitable, MWR recommends against using any third party Monero wallet, and against running Simplewallet in RPC mode.

Beyond the newly-disclosed vulnerability, the cryptocurrency has recently seen cybercriminals target its miners to siphon mined Monero. Unlike Bitcoin, Monero can still be mined – profitably – on personal computers, making it a ripe target for malware authors and cybercrooks.

Images from iStock/MrKornFlakes and Monero.

  • thecoin

    Majority of third party wallets are scam be it BTC, Lite, ETH, Monero, etc.

  • fluffypony

    The vulnerable wallets have already been updated, those that are still affected are abandoned and couldn’t possibly be used anyway as they use a very old, deprecated version of simplewallet (which no longer even exists, it’s not monero-wallet-cli).

  • Grover Downs

    wouldn’t CSRF need an infected computer, or at least a (browser hijack AND redirection AND unwary operator)?