Thanh Bui
ABSTRACT
Many cryptocurrency wallet applications on desktop provide an open remote procedure call (RPC) interface that other blockchain-based applications can use to access their functionality. This paper studies the security of the RPC interface in several cryptocurrency wallets. We find that, in many cases, a malicious process running on the computer regardless of its privileges can impersonate the communication endpoints of the RPC channel and, effectively, steal the funds in the wallet. The attacks are closely related to server and client impersonation on computer networks but occur inside the computer. The malicious process may be created by another authenticated but unprivileged user on the same computer or even by the guest user. The main contribution of this paper is to raise awareness among wallet developers about the need to protect local RPC channels with the same prudence as network connections. We also hope that it will discourage users to run security-critical applications like cryptocurrency wallets on shared systems or computers with guest account enabled.
- 2015. Enabling SSL on original client daemon. https://en.bitcoin.it/wiki/Enabling_SSL_on_original_client_daemonGoogle Scholar
- 2016. CSRF Vulnerability Allows for Remote Compromise of Monero Wallets. https://labs.mwrinfosecurity.com/advisories/csrf-vulnerability-allows-for-remote-compromise-of-monero-wallets/Google Scholar
- 2018. Bisq the P2P exchange network. https://bisq.network/Google Scholar
- 2018. Bitcoin Armory. https://btcarmory.com/Google Scholar
- 2018. Bitcoin Core. https://bitcoin.org/Google Scholar
- 2018. Bitcoin JSON-RPC API. https://en.bitcoin.it/wiki/API_reference_(JSON-RPC)Google Scholar
- 2018. Bitcoin Knots. https://bitcoinknots.org/Google Scholar
- 2018. Bitcoind-rpc library. https://github.com/bitpay/bitcoind-rpcGoogle Scholar
- 2018. Cpp Ethereum wallet. https://github.com/ethereum/alethGoogle Scholar
- 2018. CVE-2018-20587. Available from MITRE, CVE-ID CVE-2018-20587. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20587Google Scholar
- 2018. Dash Core wallet. https://github.com/dashpay/dashGoogle Scholar
- 2018. Dashd-rpc library. https://github.com/dashevo/dashd-rpcGoogle Scholar
- 2018. Docker Parity documentation. https://wiki.parity.io/DockerGoogle Scholar
- 2018. Electrum Bitcoin Wallets Left Exposed to Hacks for Two Years. https://www.bleepingcomputer.com/news/security/electrum-bitcoin-wallets-left-exposed-to-hacks-for-two-years/Google Scholar
- 2018. Go Ethereum wallet. https://geth.ethereum.org/Google Scholar
- 2018. How your Ethereum can be stolen through DNS rebinding. https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/Google Scholar
- 2018. Litecoin wallet. https://litecoin.org/Google Scholar
- 2018. Metamask Ethereum client. https://metamask.io/Google Scholar
- 2018. Monero-nodejs library. https://github.com/PsychicCat/monero-nodejsGoogle Scholar
- 2018. Monero-python library. https://github.com/emesik/monero-pythonGoogle Scholar
- 2018. Monero Wallet. https://getmonero.org/Google Scholar
- 2018. Parity Ethereum wallet. https://www.parity.io/Google Scholar
- 2018. Peatio: an open-source assets exchange. https://www.peatio.com/Google Scholar
- 2018. Python-BitcoinRPC library. https://github.com/jgarzik/python-bitcoinrpcGoogle Scholar
- 2018. Qtum Core wallet. https://github.com/qtumproject/qtumGoogle Scholar
- 2018. Qtumjs library. https://qtumproject.github.io/qtumjs-doc/Google Scholar
- 2018. Unauthenticated JSON-RPC API allows takeover of CryptoNote RPC wallets. https://www.ayrx.me/cryptonote-unauthenticated-json-rpcGoogle Scholar
- 2018. Vulnerability Spotlight: Multiple Vulnerabilities in the CPP and Parity Ethereum Client. https://blog.talosintelligence.com/2018/01/vulnerability-spotlight-multiple.htmlGoogle Scholar
- 2018. Web3 java Ethereum library. https://web3j.io/Google Scholar
- 2018. Web3 javascript Ethereum library. https://github.com/ethereum/web3.jsGoogle Scholar
- 2018. Web3 python Ethereum library. https://web3py.readthedocs.io/en/stable/index.htmlGoogle Scholar
- 2018. Zcash Wallet for Linux. https://github.com/zcash/zcashGoogle Scholar
- Jean-Philippe Aumasson. 2018. Attacking and Defending Blockchains: From Horror Stories to Secure Wallets. https://www.blackhat.com/eu-18/briefings/schedule/index.html#attacking-and-defending-blockchains-from-horror-stories-to-secure-wallets-12711.Google Scholar
- Steven M Bellovin and Michael Merritt. 1992. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of IEEE Computer Society Symposium on Research in Security and Privacy. IEEE, 72--84. Google ScholarDigital Library
- Thanh Bui, Siddharth Prakash Rao, Markku Antikainen, Viswanathan Manihatty Bojan, and Tuomas Aura. 2018. Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer. In USENIX Security 18. USENIX Association, Baltimore, MD, 1511--1525. Google ScholarDigital Library
- Vitalik Buterin. 2013. What proof of stake is and why it matters. Bitcoin Magazine (2013).Google Scholar
- Gil Cohen. 2017. Call the plumber - You have a leak in your (named) pipe. In DEF CON 25.Google Scholar
- Adrienne Porter Felt, Helen J Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. 2011. Permission Re-Delegation: Attacks and Defenses. In 20th USENIX Security Symposium. Google ScholarDigital Library
- J. Franks, P. Hallam-Baker, J. Hostetler, P. Leach, A. Luotonen, E. Sink, and L. Stewart. 1997. An Extension to HTTP: Digest Access Authentication. RFC 2069. RFC Editor. Google ScholarDigital Library
- Google. 2018. Native messaging. https://developer.chrome.com/apps/nativeMessaging.Google Scholar
- JSON-RPC Working Group and others. 2012. JSON-RPC 2.0 specification.Google Scholar
- Anne Kesteren. 2018. Cross-Origin Resource Sharing. https://www.w3.org/TR/cors/Google Scholar
- Jie Liang and Xue-Jia Lai. 2007. Improved collision attack on hash function MD5. Journal of Computer Science and Technology 22, 1 (2007), 79--87. Google ScholarDigital Library
- Microsoft Developers Network. 2018. Fast User Switching. https://msdn.microsoft.com/en-us/library/windows/desktop/bb776893.Google Scholar
- Mozzila. 2018. HTTP authentication. https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication.Google Scholar
- Satoshi Nakamoto. 2008. Bitcoin: A peer-to-peer electronic cash system. (2008).Google Scholar
- Yutaka Oiwa, Hajime Watanabe, Hiromitsu Takagi, K Maeda, Tatsuya Hayashi, and Y Ioku. 2017. Mutual authentication protocol for HTTP. RFC 8120. https://tools.ietf.org/html/rfc8120Google Scholar
- Julian Reschke. 2015. The 'Basic' HTTP Authentication Scheme. RFC 7617. https://tools.ietf.org/html/rfc7617Google Scholar
- Yuru Shao, Jason Ott, Yunhan Jack Jia, Zhiyun Qian, and Z. Morley Mao. 2016. The Misuse of Android Unix Domain Sockets and Security Implications. In 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016. ACM, 80--91. Google ScholarDigital Library
- Hayawardh Vijayakumar, Xinyang Ge, Mathias Payer, and Trent Jaeger. 2014. JIGSAW: Protecting Resource Access by Inferring Programmer Expectations. In 23rd USENIX Security Symposium. 973--988. Google ScholarDigital Library
- Hayawardh Vijayakumar, Joshua Schiffman, and Trent Jaeger. 2012. STING: Finding Name Resolution Vulnerabilities in Programs. In 21th USENIX Security Symposium. 585--599. Google ScholarDigital Library
- Hayawardh Vijayakumar, Joshua Schiffman, and Trent Jaeger. 2013. Process firewalls: Protecting processes during resource access. In 8th ACM European Conference on Computer Systems, EuroSys'18. ACM, 57--70. Google ScholarDigital Library
- Marko Vukolić. 2015. The quest for scalable blockchain fabric: Proof-of-work vs. BFT replication. In International Workshop on Open Problems in Network Security. Springer, 112--125.Google Scholar
- Xiaoyun Wang and Hongbo Yu. 2005. Howto break MD5 and other hash functions. In Annual international conference on the theory and applications of cryptographic techniques. Springer, 19--35. Google ScholarDigital Library
- Blake Watts. 2017. Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit. http://www.blakewatts.com/namedpipepaper.html.Google Scholar
- Wang Wei. 2018. Hackers Stole Over $20 Million in Ethereum from Insecurely Configured Clients. https://thehackernews.com/2018/06/ethereum-geth-hacking.htmlGoogle Scholar
- Gavin Wood. 2014. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper 151 (2014), 1--32.Google Scholar
- Thomas D Wu et al. 1998. The Secure Remote Password Protocol. In NDSS, Vol. 98. 97--111.Google Scholar
- Luyi Xing, Xiaolong Bai, Tongxin Li, XiaoFeng Wang, Kai Chen, Xiaojing Liao, Shi-Min Hu, and Xinhui Han. 2015. Cracking app isolation on Apple: Unauthorized cross-app resource access on macOS. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015. ACM, 31--43. Google ScholarDigital Library
Index Terms
- Pitfalls of open architecture: How friends can exploit your cryptocurrency wallet
Recommendations
Cracking Bitcoin wallets: I want what you have in the wallets
AbstractBitcoin is increasingly popular, which is partly evidenced by the significant increase in its value in recent years. This increase in popularity and value has led to malicious actors stealing, or attempting to steal, Bitcoin wallet ...
Highlights- Cracking bitcoin wallets: Multibit HD and Electrum.
- Password exploits and a ...
An Empirical Analysis of Security and Privacy Risks in Android Cryptocurrency Wallet Apps
Applied Cryptography and Network SecurityAbstractA cryptocurrency wallet app is a piece of software that manages, stores, and generates private keys of cryptocurrency accounts. With the provision of services such as easy access to transaction history, and checking account balance besides ...
Interface Illusions: Uncovering the Rise of Visual Scams in Cryptocurrency Wallets
WWW '24: Proceedings of the ACM on Web Conference 2024Cryptocurrencies, while revolutionary, have become a magnet for malicious actors. With numerous reports underscoring cyberattacks and scams in this domain, our paper takes the lead in characterizing visual scams associated with cryptocurrency wallets---a ...
Comments