Despite fix, many Monero wallets remain vulnerable

Sep 21, 2016 15:00 GMT  ·  By

Users of Monero, today's second most popular crypto-currency after Bitcoin, are in danger of getting hacked due to a cross-site request forgery (CSRF) vulnerability that affects many Monero wallet applications.

Henry Hoggard, security researcher for MWR Labs, is the one who discovered the security issue, which affects Monero's built-in Simplewallet tool, a command-line interface responsible for the management and transfers of Monero crypto-currency.

Hoggard says that this tool hosts an RPC service on port 18082 on every computer it's installed on, if RPC mode is enabled. It is important to note that RPC mode is not the Simplewallet default mode. If it is enabled, an attacker can craft malicious JavaScript code that issues commands to this port.

It's incredibly easy to hack Monero wallets using this bug

Since Simplewallet carries out operations without any type of user authentication, an attacker who hosts the code on a web page and tricks a Monero user into accessing it can empty the user's wallet in a matter of milliseconds, the time needed to execute the command and transfer the funds. The attack does not require any type of user interaction or click. Just accessing the page is enough.

Since Monero transactions are non-refundable, and Monero is considered even more secure and anonymous than Bitcoin itself, users won't have a way to recover their funds.

Furthermore, Monero's Simplewallet tool is also the base for other third-party Monero wallet applications. Hoggard lists the following third-party Monero wallets as vulnerable but warns that other wallets may also be affected since he didn't have the time to test all apps available on the market.

Monero SimpleWallet - https://github.com/monero-project/monero
Monero Lightwallet - https://github.com/jwinterm/LightWallet2/
Monero Wallet Chrome - https://chrome.google.com/webstore/detail/monero-wallet-for-google/bddoeeocbnbkdlciahimmaciiiiadocb
Monero GUI Client.net - https://github.com/kripod/MoneroGui.Net
Monero JS - https://github.com/netmonk/moneronjs
Monero NodeJS - https://github.com/PsychicCat/monero-nodejs
Monero QT - https://github.com/Neozaru/bitmonero-qt
Minonodo - https://github.com/ShenNoether/MiniNodo

MWR Labs privately disclosed the Simplewallet issue to Monero's developers on September 6, and they included a fix for the CSRF bug in a recent version of the Monero codebase released on September 19.

Monero wallets still vulnerable

Nevertheless, a day later, Welsh security researcher Joseph Redfern discovered that the fix is deactivated by default.

"To enable the patch, the '--user-agent' argument must be provided as shown in the example below," the MWR team notes in its advisory. "As this vulnerability is still exploitable, MWR recommends against using any third party Monero wallet, and against running Simplewallet in RPC mode."

Confronted by MWR Labs, the Monero team said they didn't enable the fix by default because they risked breaking other facets of their product. Furthermore, the project stated that a Simplewallet GUI is in the works, which doesn't include the vulnerable RPC service. No timeline was provided for this official GUI wallet.

./monero-wallet-cli --rpc-bind-port 18082 --rpc-bind-ip 127.0.0.1 --user-agent 123456randomstring

UPDATE: The Monero team appears to contest some of MWR Labs' findings. The project has put out an official statement, which you can read in full below.
Monero Statement
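The --user-agent gate quoted from the MWR advisory above, modelled as an added Python example (not code from the Monero project or from MWR Labs). The request headers are constructed, the secret value reuses the article's 123456randomstring, and the function also reproduces the default case, where no --user-agent value is set and every request is served.

```python
# Added example, not code from the Monero project or MWR Labs: a model of the
# User-Agent gate the advisory says the September 19 patch adds to the wallet's
# RPC server. It shows why the gate stops a forged browser request and why it
# does nothing unless --user-agent is supplied on the command line.
#
# Why it works: script in a web page cannot choose the User-Agent header the
# browser attaches to its requests, so a request carrying the operator's
# secret value must come from a client the operator configured, not from a
# page the user happened to visit.
from typing import Mapping, Optional

# Constructed sample headers: what a browser sends when a malicious page fires
# a request at the wallet's RPC port, and what a front end configured with the
# secret value sends. Neither is a capture from a real system.
FORGED_BROWSER_REQUEST = {
    "Host": "127.0.0.1:18082",
    "User-Agent": "Mozilla/5.0 (constructed browser UA)",
    "Content-Type": "application/json",
}
LEGITIMATE_CLIENT_REQUEST = {
    "Host": "127.0.0.1:18082",
    "User-Agent": "123456randomstring",  # value from the article's example
    "Content-Type": "application/json",
}


def rpc_request_allowed(headers: Mapping[str, str],
                        expected_user_agent: Optional[str]) -> bool:
    """Decide whether a JSON-RPC request on the wallet port should be served.

    expected_user_agent is the value given with --user-agent, or None when the
    flag was omitted. Header names are compared case-insensitively.
    """
    if expected_user_agent is None:
        # No --user-agent configured: the gate is off and every request is
        # served. This is the "fix deactivated by default" state the article
        # describes, reproduced here on purpose.
        return True
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("user-agent") == expected_user_agent


if __name__ == "__main__":
    for label, req in (("forged", FORGED_BROWSER_REQUEST),
                       ("client", LEGITIMATE_CLIENT_REQUEST)):
        print(label, "default:", rpc_request_allowed(req, None),
              "| with --user-agent:", rpc_request_allowed(req, "123456randomstring"))
```

Running it prints that both requests are allowed in the default configuration and only the configured client's request passes once a --user-agent value is set.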