Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: gst on April 23, 2012, 09:29:55 PM



Title: Use a strong password for your local bitcoind
Post by: gst on April 23, 2012, 09:29:55 PM
I've heard from several people now that they don't need a secure password for their local bitcoind, as "it's only listening on localhost" or as "the local network is secured by a firewall". Just a friendly reminder that neither of those protects you. If you have a bitcoind running on localhost and you use a weak password, it's trivial for an attacker to steal your bitcoins.

For example, a potential attack that uses the user's webbrowser might look like the following:
  • Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.
  • Use Flash to send an HTTP request to the bitcoind that transfers the coins to another address. Same-origin policies don't protect you here, as Flash applies those policies to the response instead of the request. So the Flash applet can't read bitcoind's reply, but can still send the request.
  • Repeat in a loop with a large number of potential passwords.


Title: Re: Use a strong password for your local bitcoind
Post by: DeathAndTaxes on April 23, 2012, 09:45:00 PM
Bitcoind listens on port 8332.  Browser loading an image on port 80 isn't going to have any communication with bitcoind.  
IF your firewall is blocking port 8332 then those attacks aren't going to work.

It IS a good idea to use strong passwords, but your examples are dubious. Personally I use the key smash method.


Title: Re: Use a strong password for your local bitcoind
Post by: gst on April 23, 2012, 09:48:35 PM
Bitcoind listens on port 8332.  IF your firewall is blocking port 8332 then those attacks aren't going to work.

That's exactly the misconception I've pointed out: Your firewall does not protect you, as the connection is not established by the remote attacker, but by your Web browser. This should work with any browser that has Flash installed. It does not work without Flash (e.g., with Javascript), as Javascript applies the same-origin policy to the request, instead of the response.


Title: Re: Use a strong password for your local bitcoind
Post by: DeathAndTaxes on April 23, 2012, 10:00:08 PM
Quote
Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.

Care to elaborate on this?

Still good point on the flash not something I considered.


Title: Re: Use a strong password for your local bitcoind
Post by: gst on April 23, 2012, 10:11:00 PM
Quote
Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.

Care to elaborate on this?

The local bitcoind uses HTTP basic authentication. So usually I need to enter a username/password in my browser if I send HTTP requests to the bitcoind. However, image tags allow embedding authentication information within the URL, for example: <img src="http://username:password@localhost:1234/" />. Furthermore, if this authentication is successful, username and password are cached by the browser and automatically used on subsequent requests.

So if you have a list of common usernames and passwords you can just:
  • Take a username and password from the list and dynamically inject an <img /> tag in your page that loads this resource.
  • Create a client-side HTTP POST request that uses this cached authentication data to send a request to your bitcoind. For example by using Flash (as discussed in my first post) or by using an HTTP form submit in an iframe.
  • Repeat in a loop with many different combinations for usernames and passwords.

Basically that's very similar to a standard CSRF attack (https://en.wikipedia.org/wiki/Cross-site_request_forgery) and the password is the only protection against it. So if your password is just "password" (or a word that's likely to be on a wordlist) this attack would succeed.

It seems like this won't work with current Chrome development versions, because they prevent embedding username/passwords inside URLs (https://code.google.com/p/chromium/issues/detail?id=123150). However, this should still work with the current stable Chrome version and other browsers such as Firefox.
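Since the thread's conclusion is that the rpcpassword is the only thing standing between a browser-driven CSRF loop and the wallet, here is an added example (not code from the thread or from the Bitcoin project) that audits a bitcoin.conf for a weak rpcpassword and produces a strong replacement from the OS CSPRNG. The conf keys `rpcuser`/`rpcpassword` are real bitcoin.conf options; the sample conf, the short common-password list and the 80-bit threshold are constructed assumptions.

```python
import math
import secrets
import string

# Constructed sample bitcoin.conf; "password" is exactly the kind of value
# the thread warns would fall to a wordlist loop.
SAMPLE_CONF = """\
rpcuser=bitcoinrpc
rpcpassword=password
rpcallowip=127.0.0.1
"""

# Constructed stand-in for the "common passwords" list; a real audit would
# use a full wordlist.
COMMON_PASSWORDS = {"password", "bitcoin", "123456", "qwerty", "letmein"}
MIN_BITS = 80  # assumed threshold, far beyond anything a browser loop can enumerate

def parse_conf(text):
    """Return {key: value} for key=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def estimate_bits(password):
    """Rough strength estimate: length * log2(size of the character classes used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit_rpc_password(conf_text):
    """Return a list of findings; an empty list means the rpcpassword looks acceptable."""
    pw = parse_conf(conf_text).get("rpcpassword", "")
    if not pw:
        return ["rpcpassword is not set"]
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("rpcpassword is on the common-password list")
    bits = estimate_bits(pw)
    if bits < MIN_BITS:
        findings.append(f"rpcpassword has ~{bits:.0f} bits, below {MIN_BITS}")
    return findings

def generate_rpc_password(nbytes=32):
    """Random URL-safe rpcpassword from the OS CSPRNG; no quoting needed in the conf."""
    return secrets.token_urlsafe(nbytes)
```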