Title: WTF? bitcoin-qt Wallet Passphrase in history??? (Bitcoin Knots) Post by: rico666 on September 16, 2016, 08:41:36 AM I just found out, that my wallet passphrase is kept SOMEWHERE in the history of the debug window in my bitcoin-qt client.
WTF!? For importing private keys (or whatever other operation needs this), you have to unlock the wallet if it is protected by a passphrase. You do this by typing walletpassphrase "<your passphrase here>" <time> in the CLI of the debug window to get it unlocked for a <time> limit. Now when someone gained access to the computer, and fired up the debug window, all he had to do was going up the history (arrow up) to see the passphrase in clear text. "Ich glaube, mein Schwein pfeift" as some Germans would comment on that. How do I get rid of this unbelievable behavior? How do I find out which "developer" is responsible for that? Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: Foxpup on September 16, 2016, 09:44:41 AM How do I get rid of this unbelievable behavior? By clicking the Clear Console button (shortcut: Control-L), which has the added benefit that your passphrase is no longer displayed right there on the screen, so why on Earth would you not clear it anyway if other people have access to your machine? ???Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: rico666 on September 16, 2016, 09:58:43 AM By clicking the Clear Console button (shortcut: Control-L), which has the added benefit that your passphrase is no longer displayed right there on the screen, so why on Earth would you not clear it anyway if other people have access to your machine? ??? There is no "Clear Console button", but Control-L works. Thanks. I did not write other people have access to my machine, I wrote "when someone gained access". Big difference - you're welcome. I will use Control-L from now on, but I still fail to see why this isn't default after bitcoin-qt has been closed, at least cleanse history from all critical or potentially critical information (passphrase, private keys etc.). Quite a security risk IMHO, especially as I cannot recall to have read that big fat warning to "not forget doing Ctrl-L" after entering some sensitive information. Actually the help states Ctrl-L is for clearing the screen - not screen and history. Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: achow101 on September 16, 2016, 01:07:57 PM By clicking the Clear Console button (shortcut: Control-L), which has the added benefit that your passphrase is no longer displayed right there on the screen, so why on Earth would you not clear it anyway if other people have access to your machine? ??? There is no "Clear Console button", but Control-L works. Thanks. I did not write other people have access to my machine, I wrote "when someone gained access". Big difference - you're welcome. It should clear the history every time you restart Bitcoin Core. It doesn't do that when you close the debug window though.I will use Control-L from now on, but I still fail to see why this isn't default after bitcoin-qt has been closed, at least cleanse history from all critical or potentially critical information (passphrase, private keys etc.). Quite a security risk IMHO, especially as I cannot recall to have read that big fat warning to "not forget doing Ctrl-L" after entering some sensitive information. Actually the help states Ctrl-L is for clearing the screen - not screen and history. You're a programmer. You should submit a PR to fix this, or at the very least, open an issue and suggest it. The developers don't frequent this forum anymore.Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: rico666 on September 16, 2016, 01:36:13 PM It should clear the history every time you restart Bitcoin Core. It doesn't do that when you close the debug window though. (i found the pale blue (x)) unfortunately, v0.13.0.0-ga402396 (64-bit) doesn't clear the history at all. Not if I restart Bitcoin Core, not if restart the computer. You're a programmer. You should submit a PR to fix this, or at the very least, open an issue and suggest it. The developers don't frequent this forum anymore. Ok, I'll submit a press release. ;) Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: achow101 on September 16, 2016, 01:40:53 PM It should clear the history every time you restart Bitcoin Core. It doesn't do that when you close the debug window though. (i found the pale blue (x)) unfortunately, v0.13.0.0-ga402396 (64-bit) doesn't clear the history at all. Not if I restart Bitcoin Core, not if restart the computer. You're a programmer. You should submit a PR to fix this, or at the very least, open an issue and suggest it. The developers don't frequent this forum anymore. Ok, I'll submit a press release. ;) Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: rico666 on September 16, 2016, 02:03:27 PM Really? That is quite strange. It works for me on multiple systems. The history is never written to the disk so it should not persist across instances of Bitcoin Core. Not sure about being written to disk, but it definitely had to read it from the disk. My only explanation so far would be, that some old version of bitcoin core did write this. I have not yet restarted my server since I found out with the 0.13.0, I actually cannot claim id does write something to the disk. But as I have restarted Bitcoin core several times on the running server (uptime like 2 days), I can confirm that the history stored on disk - obviously, but maybe from earlier versions - 0.13.0 did read on every startup. Let me check again: Yup. My bitcoin-qt definitely stores history to disk, as even garbage I put in, like walletpassphrase "shitty passphrase" timeout appears again after I shutdown and restart my bitcoin-qt and then simply press arrow up. of course I know what a git PR is. Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: achow101 on September 16, 2016, 02:15:07 PM Really? That is quite strange. It works for me on multiple systems. The history is never written to the disk so it should not persist across instances of Bitcoin Core. Not sure about being written to disk, but it definitely had to read it from the disk. My only explanation so far would be, that some old version of bitcoin core did write this. I have not yet restarted my server since I found out with the 0.13.0, I actually cannot claim id does write something to the disk. But as I have restarted Bitcoin core several times on the running server (uptime like 2 days), I can confirm that the history stored on disk - obviously, but maybe from earlier versions - 0.13.0 did read on every startup. Let me check again: Yup. My bitcoin-qt definitely stores history to disk, as even garbage I put in, like walletpassphrase "shitty passphrase" timeout appears again after I shutdown and restart my bitcoin-qt and then simply press arrow up. Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: Foxpup on September 16, 2016, 03:08:01 PM Not sure about being written to disk, but it definitely had to read it from the disk. No version I've ever used saves history when closed. Are you quite sure you're not just minimising it?My only explanation so far would be, that some old version of bitcoin core did write this. I have not yet restarted my server since I found out with the 0.13.0, I actually cannot claim id does write something to the disk. But as I have restarted Bitcoin core several times on the running server (uptime like 2 days), I can confirm that the history stored on disk - obviously, but maybe from earlier versions - 0.13.0 did read on every startup. Let me check again: Yup. My bitcoin-qt definitely stores history to disk, as even garbage I put in, like walletpassphrase "shitty passphrase" timeout appears again after I shutdown and restart my bitcoin-qt and then simply press arrow up. Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: rico666 on September 16, 2016, 03:32:26 PM No version I've ever used saves history when closed. Are you quite sure you're not just minimising it? Minimising? :) You're talking to someone who starts (and sees ending) his bitcoin-qt like this: Code: # bitcoin-qt it's a self-compiled version under Gentoo linux: Code: # eix bitcoin-qt of course, when I end it, no bitcoin* process runs anymore Code: # ps aux | grep bitcoin So if you say I'm experiencing something no one has seen so far... interesting... Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: achow101 on September 16, 2016, 03:37:24 PM So if you say I'm experiencing something no one has seen so far... interesting... Indeed, you are experiencing an issue that no one else has before.Rico Here, I made a PR fixing this: https://github.com/bitcoin/bitcoin/pull/8746. Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: Foxpup on September 16, 2016, 03:46:37 PM interesting... Very interesting, considering the RPCConsole constructor initialises the history by calling clear() and there is no code anywhere for saving or restoring history from previous sessions. Unless you (or someone else) has modified this code, what you're claiming is... impossible.Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: 2112 on September 16, 2016, 05:04:58 PM Please carefully read the manpages for https://en.wikipedia.org/wiki/GNU_Readline . Depending on the version and the settings it is capable of saving history per each application linked with libreadline.so .
Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: rico666 on September 17, 2016, 07:49:35 AM ldd doesn't indicate libreadline or libhistory is linked:
Code: # ldd /usr/bin/bitcoin-qt The only other "anomaly" of my bitcoin-qt I am aware of, is that I start it on my server with remote display to my notebook (X Server Protocol). It should be completely transparent, but not sure if that could do something. Naturally I would want this mystery to be solved, but I am quite reluctant to put my bitcoin-qt binary somewhere to download for inspection, as I do not know what could be stored in it. Rico Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: Luke-Jr on September 27, 2016, 01:28:25 AM Code: # eix bitcoin-qt But... unfortunately, v0.13.0.0-ga402396 (64-bit) doesn't clear the history at all. Where are you getting that version from? That indicates Core, not Knots. :/Please open an issue here: https://github.com/bitcoinknots/bitcoin/issues Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: Luke-Jr on October 23, 2016, 05:08:14 AM This issue has been assigned CVE-2016-8889 and will be fixed in the next release of Bitcoin Knots.
Title: Re: WTF? bitcoin-qt Wallet Passphrase in history??? Post by: Luke-Jr on November 15, 2016, 08:58:27 AM This is fixed in Knots 0.13.1.
|