Ethereum clients configured in an insecure manner and with unlocked accounts can lead to funds being stolen by attackers.
Affected configurations: Issue reported for Geth, though all implementations, including C++ and Python, can in principle exhibit this behaviour if used insecurely. Only nodes that leave the JSON-RPC port open to an attacker (this excludes most nodes on internal networks behind NAT), bind the interface to a public IP, and simultaneously leave accounts unlocked at startup are affected.
Likelihood: Low
Severity: High
Impact: Loss of funds associated with wallets imported into or generated by the client
Details:
It has been brought to our attention that some people have been bypassing the built-in protection placed on the JSON-RPC interface. The RPC interface allows transactions to be sent from any account that has been unlocked prior to sending a transaction, and such an account remains unlocked for the entire session.
By default RPC is disabled, and when enabled it is only accessible from the same host on which your Ethereum client is running. By opening up RPC so that it is reachable by anyone on the Internet, without firewall rules in place, you open your wallet to theft by anyone who knows your account address in combination with your IP.
Effect on expected chain reorganisation depth: None
Remedial action taken by Ethereum: Eth RC1 will be fully secure by requiring explicit user authorisation for any potentially remote transaction. Later versions of Geth may support this functionality.
Proposed temporary workaround: Run only the default settings for each client, and when you make changes, understand how those changes affect your security.
Note: This is not a bug, but a misuse of JSON-RPC.
Advisory: Never enable the JSON-RPC interface on a machine reachable from the Internet without a firewall policy in place that blocks the JSON-RPC port (default: 8545).
Eth: Use RC1 or later.
Geth: Use the secure defaults and understand the security implications of the options.
– --rpcaddr "127.0.0.1". This is the default and allows connections only from the local machine; remote RPC connections are disabled.
– --unlock. This option unlocks accounts at startup to aid automation. By default, all accounts are locked.
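As an added example (not part of the advisory or of Geth itself), the following audit function parses a Geth command line and reports the combination the advisory warns about: RPC enabled and bound to a non-loopback address while accounts are unlocked at startup. The flag names are the ones named above (--rpc, --rpcaddr, --unlock); the severity labels and helper names are this example's own.

```python
"""Audit a geth command line for the insecure combination described in the
advisory: JSON-RPC reachable from other hosts while accounts are unlocked."""
import ipaddress
import shlex

LOOPBACK_DEFAULT = "127.0.0.1"   # geth default for --rpcaddr (per the advisory)
BOOLEAN_FLAGS = {"rpc"}          # flags that never take a value (only those used here)


def parse_flags(cmdline: str) -> dict:
    """Return {flag: value} for a geth command line.
    Accepts both '--flag value' and '--flag=value'; boolean flags map to True."""
    argv = shlex.split(cmdline)
    flags, i = {}, 1              # index 0 is the program name
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, has_eq, val = tok[2:].partition("=")
            if has_eq:
                flags[name] = val
            elif name not in BOOLEAN_FLAGS and i + 1 < len(argv) \
                    and not argv[i + 1].startswith("--"):
                flags[name] = argv[i + 1]
                i += 1            # consumed the value token
            else:
                flags[name] = True
        i += 1
    return flags


def rpc_exposed(flags: dict) -> bool:
    """True when RPC is enabled and bound to something other than loopback."""
    if "rpc" not in flags:
        return False              # RPC is off by default
    addr = flags.get("rpcaddr", LOOPBACK_DEFAULT)
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:            # a hostname rather than an IP literal
        return addr != "localhost"


def unlocked_accounts(flags: dict) -> list:
    """Accounts (addresses or indices) passed to --unlock, comma separated."""
    val = flags.get("unlock")
    return [] if not val or val is True else [a for a in val.split(",") if a]


def audit(cmdline: str) -> str:
    """'HIGH' = remote RPC + unlocked accounts (funds can be sent by anyone
    reaching port 8545); 'MEDIUM' = one of the two; 'OK' = neither."""
    flags = parse_flags(cmdline)
    exposed, unlocked = rpc_exposed(flags), unlocked_accounts(flags)
    if exposed and unlocked:
        return "HIGH"
    return "MEDIUM" if (exposed or unlocked) else "OK"
```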