How a Hacker Can Steal Monero, a Cryptocurrency More Anonymous Than Bitcoin
Thankfully, the issue's been fixed for most users.
Monero, a super-anonymous bitcoin alternative, quickly rose to prominence in the cryptocurrency world after it was recently adopted by the dark net's largest market for drugs and other illicit goods.
On Monday, security firm MWR InfoSecurity publicized a vulnerability that would allow a hacker to steal Monero from people using third-party digital wallets.
According to a company blog post, the attack is a CSRF (pronounced sea-surf), short for cross-site request forgery. Basically, an attacker would have to fool a Monero user into visiting a web page loaded with malicious code that then commandeers the person's Monero wallet and releases funds to the hacker. This attack would "require a minimal amount of social engineering," according to MWR's post. In other words, this security firm believes that it wouldn't be very difficult to trick a person into falling for it.
Weeks before making the announcement, MWR responsibly disclosed the vulnerability to the developers of the most popular Monero wallet, SimpleWallet, Monero developer Riccardo Spagni wrote me in an email, and the issue was fixed in the latest software update, released on Sunday. However, MWR noted in an update on Tuesday, the fix isn't enabled by default.
"It's important to note that this only affects systems running [their wallet] in RPC mode—not the default—and also running a browser," Spagni wrote. This means that most users of SimpleWallet, who are presumably more technically savvy than the average user (SimpleWallet is command line only), were never vulnerable to begin with.
However, MWR researcher Henry Hoggard wrote me, the vulnerability may still affect users of third-party wallets that have graphical interfaces and thus attract less technical users than SimpleWallet—for example, the Monero wallet for Google Chrome.
"Non-techie users are more likely to use third party [graphical user interface] wallets as they are easier to use than the command line SimpleWallet," Hoggard wrote. "It may be possible that users of third party wallets and users who haven't updated their software are still at risk."
It's unclear right now how many people are actually still vulnerable to being hacked in this way, and Spagni insisted that many budding third-party wallets have very few users compared to SimpleWallet. This means that the greatest risk to Monero users was solved with the latest update to the wallet, so most users can rest easy.
Still, it's a lesson in how even an ostensibly more secure cryptocurrency is only as strong as its weakest link.
CORRECTION 09/20: An earlier version of this article stated that MWR InfoSecurity's comment came from a spokesperson, when in fact it came from researcher Henry Hoggard by way of a spokesperson. This article has been updated to reflect this information.
UPDATE 09/20: MWR InfoSecurity updated their assessment of the fix for the vulnerability, and this new information has been added.