Users of Monero, today’s second most popular cryptocurrency after Bitcoin, are in danger of getting hacked due to a cross-site request forgery (CSRF) vulnerability that affects many Monero wallet applications.
Henry Hoggard, security researcher for MWR Labs, is the one who discovered the security issue, which affects Monero’s built-in Simplewallet tool, a command-line interface responsible for the management and transfers of Monero crypto-currency.
Hoggard says that this tool hosts an RPC service on port 18082 on all the computers it’s installed on, if RPC mode is enabled. It is important to note that RPC mode is not the Simplewallet default mode. If it is, an attacker can craft malicious JavaScript code that can issue commands to this port.
Since Simplewallet carries out operations without any type of user authentication, just by hosting the code on a web page and tricking a Monero user into accessing it, an attacker can empty a user’s wallet in a matter of milliseconds, the time needed to execute the command and transfer the funds. The attack does not require any type of user interaction or click. Just accessing the page is enough.
Since Monero transactions are non-refundable, and Monero is considered even more secure and anonymous than Bitcoin itself, users won’t have a way to recover their funds.
Furthermore, Monero’s Simplewallet tool is also the base for other third-party Monero wallet applications. Hoggard lists the following third-party Monero wallets as vulnerable but warns that other wallets may also be affected since he didn’t have the time to test all apps available on the market.
Monero SimpleWallet – https://github.com/monero-project/monero
Monero Lightwallet – https://github.com/jwinterm/LightWallet2/
Monero Wallet Chrome – https://chrome.google.com/webstore/detail/monero-wallet-for-google/bddoeeocbnbkdlciahimmaciiiiadocb
Monero GUI Client.net – https://github.com/kripod/MoneroGui.Net
Monero JS – https://github.com/netmonk/moneronjs
Monero NodeJS – https://github.com/PsychicCat/monero-nodejs
Monero QT – https://github.com/Neozaru/bitmonero-qt
Minonodo – https://github.com/ShenNoether/MiniNodo
MWR Labs privately disclosed the Simplewallet issue to Monero’s developers on September 6, and they included a fix for the CSRF bug in a recent version of the Monero codebase released on September 19.