Title: Use a strong password for your local bitcoind
Post by: gst on April 23, 2012, 09:29:55 PM

I've heard from several people now that they don't need a secure password for their local bitcoind, as "it's only listening on localhost" or as "the local network is secured by a firewall". Just a friendly reminder that neither of those protects you. If you have a bitcoind running on localhost and you use a weak password, it's trivial for an attacker to steal your bitcoins.

For example, a potential attack that uses the user's web browser might look like the following:

Title: Re: Use a strong password for your local bitcoind
Post by: DeathAndTaxes on April 23, 2012, 09:45:00 PM

Bitcoind listens on port 8332. A browser loading an image on port 80 isn't going to have any communication with bitcoind.

IF your firewall is blocking port 8332 then those attacks aren't going to work. It IS a good idea to use strong passwords, but your examples are dubious. Personally I use the key smash method.

Title: Re: Use a strong password for your local bitcoind
Post by: gst on April 23, 2012, 09:48:35 PM

Quote:
    Bitcoind listens on port 8332. IF your firewall is blocking port 8332 then those attacks aren't going to work.

That's exactly the misconception I've pointed out: your firewall does not protect you, as the connection is not established by the remote attacker, but by your web browser. This should work with any browser that has Flash installed. It does not work without Flash (e.g., with JavaScript), as JavaScript applies the same-origin policy to the request, instead of the response.

Title: Re: Use a strong password for your local bitcoind
Post by: DeathAndTaxes on April 23, 2012, 10:00:08 PM

Quote:
    Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.

Care to elaborate on this? Still, good point on the Flash, not something I considered.

Title: Re: Use a strong password for your local bitcoind
Post by: gst on April 23, 2012, 10:11:00 PM

Quote:
    Quote:
        Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.
    Care to elaborate on this?

The local bitcoind uses HTTP basic authentication. So usually I need to enter a username/password in my browser if I send HTTP requests to the bitcoind. However, image tags allow embedding authentication information within the URL, for example: <img src="username:password@http://localhost:1234/" />. Furthermore, if this authentication is successful, the username and password are cached by the browser and automatically used on subsequent requests. So if you have a list of common usernames and passwords you can just:

Basically that's very similar to a standard CSRF attack (https://en.wikipedia.org/wiki/Cross-site_request_forgery) and the password is the only protection against it. So if your password is just "password" (or a word that's likely to be on a wordlist) this attack would succeed. It seems like this won't work with current Chrome development versions, because they prevent embedding usernames/passwords inside URLs (https://code.google.com/p/chromium/issues/detail?id=123150). However, this should still work with the current stable Chrome version and other browsers such as Firefox.
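As an added example (not code from the thread or from Bitcoin itself), a small Python audit of the bitcoin.conf RPC settings the thread is about: it flags an rpcpassword that is on a wordlist or has low estimated entropy, flags an rpcallowip that admits non-local clients, and generates a replacement password from a CSPRNG in place of the key-smash method. The keys rpcuser, rpcpassword and rpcallowip are the standard bitcoind ones; the config fragments and the wordlist are constructed.

```python
import math
import re
import secrets
import string

# Constructed sample bitcoin.conf fragments, not taken from any real node.
WEAK_CONF = "rpcuser=bitcoinrpc\nrpcpassword=password\nrpcallowip=*\n"
STRONG_CONF = "rpcuser=bitcoinrpc\nrpcpassword=Qf7mZp2XvL9kRt4WbN8sHj3D\nrpcallowip=127.0.0.1\n"

# Tiny constructed stand-in for the common-password lists the thread refers to.
COMMON_PASSWORDS = {"password", "bitcoin", "123456", "letmein", "qwerty"}
LOCAL_ONLY = {"127.0.0.1", "localhost"}

def parse_conf(text):
    """Parse key=value lines of a bitcoin.conf into {key: [values]}; a key such as
    rpcallowip may legitimately appear more than once, so values are kept as a list."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            key, _, value = line.partition("=")
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def entropy_bits(password):
    """Rough upper-bound entropy estimate: length * log2(size of character classes used)."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33
    return len(password) * math.log2(size) if size else 0.0

def audit_conf(text, min_bits=80):
    """Return a list of findings; an empty list means the RPC settings look sound."""
    conf = parse_conf(text)
    findings = []
    pw = conf.get("rpcpassword", [""])[-1]
    if not pw:
        findings.append("rpcpassword missing")
    elif pw.lower() in COMMON_PASSWORDS:
        findings.append("rpcpassword is on a common-password list")
    elif entropy_bits(pw) < min_bits:
        findings.append(f"rpcpassword too weak ({entropy_bits(pw):.0f} bits < {min_bits})")
    # With no rpcallowip set, bitcoind only accepts RPC from localhost.
    if any(ip not in LOCAL_ONLY for ip in conf.get("rpcallowip", [])):
        findings.append("rpcallowip permits non-local clients")
    return findings

def generate_rpc_password(length=32):
    """CSPRNG-backed alphanumeric password; 32 chars gives roughly 190 bits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```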