Majority of Monero 3rd Party Wallets Vulnerable to Theft, Says Security Advisory | Hacked: Hacking Finance




This article was posted on Tuesday, 22:05, UTC.



A security firm has published an advisory that warns Monero users of a vulnerability that would enable a hacker to steal the cryptocurrency from a majority of third-party digital wallets.

Monero, the newly budding, far more anonymous younger crypto-cousin to bitcoin, is vulnerable to an attack that would allow attackers to remotely steal the cryptocurrency from users’ third-party wallets.



Researchers at security firm MWR Labs discovered the vulnerability and classified the exploit as a “Cross Site Request Forgery” (CSRF) attack.

A successful exploit requires the attacker to pull off a minimal feat of social engineering: directing users to a webpage hosting the exploit.

The researchers used the cryptocurrency’s most popular wallet – the Monero SimpleWallet – to execute the exploit.

As detailed in their blog, MWR Labs’ researchers pointed to a vulnerability in the remote procedure call (RPC) web service hosted by SimpleWallet. Researchers wrote:

Monero SimpleWallet hosts an RPC web service on localhost, port 18082, the web service requires no authentication to initiate functions such as making payments, and can be compromised through a Cross Site Request Forgery attack.

Elaborating on a Cross Site Request Forgery attack, the researchers said it “forces a user’s web browser to execute unwanted actions against web applications or web services they are authenticated with.”

Underlining the attack’s effectiveness in the case of Monero, the researchers added:

In this case, by directing a user to a malicious web page, an attacker could make a payment from the user’s wallet to their own wallet.
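An added example, not taken from the MWR advisory or from Monero's code, of the request checks that stop a web page the user visits from driving an RPC service listening on localhost. The function name `check_rpc_request`, the Basic-auth credentials and the sample headers are assumptions constructed for illustration.

```python
import base64
import hmac

def check_rpc_request(headers, username, password):
    """Return (allowed, reason) for one HTTP request to a localhost JSON-RPC service.

    username/password are the credentials the service was started with
    (hypothetical parameters, not SimpleWallet's real options).
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Browsers attach Origin to cross-site POSTs; a local CLI client does not.
    if "origin" in h:
        return False, "browser-originated request"

    # 2. Require JSON: an HTML form can only send form-encoded, multipart
    #    or text/plain bodies, so it cannot produce an acceptable request.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "content type not application/json"

    # 3. Require credentials that the attacker's page does not know.
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        return False, "missing credentials"
    try:
        supplied = base64.b64decode(auth[6:], validate=True)
    except ValueError:
        return False, "malformed credentials"
    if not hmac.compare_digest(supplied, f"{username}:{password}".encode()):
        return False, "bad credentials"
    return True, "ok"

# Constructed sample requests (headers only); none are captured traffic.
GOOD_AUTH = "Basic " + base64.b64encode(b"wallet:constructed-secret").decode()
SAMPLES = {
    "forged by web page": {"Origin": "http://attacker.example", "Content-Type": "text/plain"},
    "local, no auth": {"Content-Type": "application/json"},
    "local, authenticated": {"Content-Type": "application/json; charset=utf-8",
                             "Authorization": GOOD_AUTH},
}

def evaluate_samples():
    """Map each sample name to the (allowed, reason) verdict."""
    return {name: check_rpc_request(hdrs, "wallet", "constructed-secret")
            for name, hdrs in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22} -> {verdict}")
```

The service described in the advisory performed none of these checks, which is why a request issued by the victim's own browser was enough to initiate a payment.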

Most Monero Third-Party Wallets Vulnerable

Furthermore, the advisory states that third party wallets used Simplewallet in its RPC mode, before deducing that “the majority of third party wallets” are vulnerable to the attack.

The researchers include the script which performs the CSRF attack in the advisory, pointing to its ability to “automatically steal Monero from the wallet of any user who visited the webpage.”

MWR researchers disclosed the vulnerability to Monero on September 6th, with the latter acknowledging the issue a day later. The cryptocurrency’s developers pointed to a hotfix patch to be released alongside an official GUI wallet – in development at the time – that would not use the RPC service.

That hotfix went live yesterday, September 19th.

Following the release of the updated version containing the hotfix, MWR researchers recommended that users transfer their funds from other 3rd party wallets to the newly updated Simplewallet.

However, that patch hasn’t kicked in as it is disabled by default, leaving Monero users still vulnerable.

At the time of publishing, researchers’ advice stands:

As this vulnerability is still exploitable, MWR recommends against using any third party Monero wallet, and against running Simplewallet in RPC mode.

Beyond the newly-disclosed vulnerability, the cryptocurrency has recently seen cybercriminals target its miners to siphon mined Monero. Unlike Bitcoin, Monero can still be mined – profitably – on personal computers, making it a ripe target for malware authors and cybercrooks.


Samburaj Das


Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.

  • user

    AUTHOR thecoin

    Posted on 11:04 pm September 20, 2016.

    Majority of third party wallets are scam be it BTC, Lite, ETH, Monero, etc.

  • user

    AUTHOR fluffypony

    Posted on 1:44 pm September 21, 2016.

    The vulnerable wallets have already been updated, those that are still affected are abandoned and couldn’t possibly be used anyway as they use a very old, deprecated version of simplewallet (which no longer even exists, it’s not monero-wallet-cli).

  • user

    AUTHOR Grover Downs

    Posted on 9:25 pm September 22, 2016.

    wouldn’t CSRF need an infected computer, or at least a (browser hijack AND redirection AND unwary operator)?
