Hacked: Hacking Finance

Majority of Monero 3rd Party Wallets Vulnerable to Theft, Says Security Advisory

A security firm has published an advisory that warns Monero users of a vulnerability that would enable a hacker to steal the cryptocurrency from a majority of third-party digital wallets.

Monero, the newly budding, far more anonymous younger crypto-cousin to bitcoin, is vulnerable to an attack that would allow attackers to remotely steal the cryptocurrency from users’ third-party wallets.

Researchers at security firm MWR Labs discovered the vulnerability and classified the exploit as a “Cross Site Request Forgery” (CSRF) attack.

A successful exploit would require the attacker to pull off a minimal feat of social engineering: directing users to a webpage hosting the exploit.

The researchers used the cryptocurrency’s most popular wallet – the Monero SimpleWallet – to execute the exploit.

As detailed in their blog, MWR Labs’ researchers pointed to a vulnerability in the remote procedure call (RPC) web service hosted by SimpleWallet. Researchers wrote:

Monero SimpleWallet hosts an RPC web service on localhost, port 18082, the web service requires no authentication to initiate functions such as making payments, and can be compromised through a Cross Site Request Forgery attack.

Elaborating on a Cross Site Request Forgery attack, the researchers said it “forces a user’s web browser to execute unwanted actions against web applications or web services they are authenticated with.”

Underlining the attack’s effectiveness in the case of Monero, the researchers added:

In this case, by directing a user to a malicious web page, an attacker could make a payment from the user’s wallet to their own wallet.
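The checks a localhost RPC service needs before it acts on a request, so that a page in the user's browser cannot drive it, are sketched below as an added example. It is not MWR's code and not Monero's hotfix; the function name, the bearer-token scheme and the sample requests are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

RPC_PORT = 18082  # port named in the advisory
ALLOWED_HOSTS = {f"127.0.0.1:{RPC_PORT}", f"localhost:{RPC_PORT}"}


def check_rpc_request(method, headers, expected_token):
    """Return (allowed, reason) for one HTTP request to a localhost RPC service."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. Host must name the loopback service; a request that reached it under
    #    another hostname (DNS rebinding) is refused.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host header"

    # 2. Browsers attach Origin to cross-site POSTs. Any Origin other than the
    #    service's own (including the opaque "null") is refused.
    origin = h.get("origin")
    if origin is not None:
        parts = urlsplit(origin)
        if parts.scheme != "http" or parts.netloc.lower() not in ALLOWED_HOSTS:
            return False, "cross-origin request"

    # 3. An HTML form can only submit urlencoded, multipart or text/plain bodies,
    #    and a script-sent JSON body needs a CORS preflight this service never grants.
    if method != "POST":
        return False, "method not allowed"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "content type not application/json"

    # 4. Authentication: a per-session secret that a web page cannot know.
    supplied = h.get("authorization", "")
    if not hmac.compare_digest(supplied.encode(), f"Bearer {expected_token}".encode()):
        return False, "missing or wrong credentials"
    return True, "ok"


if __name__ == "__main__":
    token = "constructed-session-token"  # constructed sample value
    # Constructed sample requests: one sent by a web page, one by the local wallet UI.
    forged = {"Host": "127.0.0.1:18082", "Origin": "http://attacker.example",
              "Content-Type": "text/plain"}
    legit = {"Host": "127.0.0.1:18082", "Content-Type": "application/json",
             "Authorization": f"Bearer {token}"}
    print(check_rpc_request("POST", forged, token))
    print(check_rpc_request("POST", legit, token))
```

The service described in the advisory performed none of these checks, which is why a request issued by the victim's own browser was enough.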

Most Monero Third-Party Wallets Vulnerable

Furthermore, the advisory states that third-party wallets used SimpleWallet in its RPC mode, and concludes that “the majority of third party wallets” are vulnerable to the attack.

The researchers include the script that performs the CSRF attack in the advisory, pointing to its ability to “automatically steal Monero from the wallet of any user who visited the webpage.”

MWR researchers disclosed the vulnerability to Monero on September 6th, with the latter acknowledging the issue a day later. The cryptocurrency’s developers pointed to a hotfix patch to be released alongside an official GUI wallet – in development at the time – that would not use the RPC service.

That hotfix went live yesterday, September 19th.

Following the release of the updated version containing the hotfix, MWR researchers recommended that users transfer their funds from other third-party wallets to the newly updated SimpleWallet.

However, that patch hasn’t kicked in, as it is disabled by default, leaving Monero users still vulnerable.

At the time of publishing, researchers’ advice stands:

As this vulnerability is still exploitable, MWR recommends against using any third party Monero wallet, and against running Simplewallet in RPC mode.

Beyond the newly-disclosed vulnerability, the cryptocurrency has recently seen cybercriminals target its miners to siphon mined Monero. Unlike Bitcoin, Monero can still be mined – profitably – on personal computers, making it a ripe target for malware authors and cybercrooks.

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.

Comments
  • user

    AUTHOR thecoin

    Posted on 11:04 pm September 20, 2016.

    Majority of third party wallets are scam be it BTC, Lite, ETH, Monero, etc.

  • user

    AUTHOR fluffypony

    Posted on 1:44 pm September 21, 2016.

    The vulnerable wallets have already been updated, those that are still affected are abandoned and couldn’t possibly be used anyway as they use a very old, deprecated version of simplewallet (which no longer even exists, it’s not monero-wallet-cli).

  • user

    AUTHOR Grover Downs

    Posted on 9:25 pm September 22, 2016.

    Wouldn’t CSRF need an infected computer, or at least a (browser hijack AND redirection AND unwary operator)?
