Bitcoin Forum
Author Topic: Monero wallets - vulnerable or not?  (Read 497 times)
segovia (OP)
Newbie | Activity: 4 | Merit: 0
September 22, 2016, 11:20:40 PM  #1

MWR InfoSecurity released an advisory on a vulnerability admittedly found in Monero wallets. The coin devs have replied with a harsh statement on the discovery criticising it as “a largely useless observation.”

To begin with, the MWR Labs team offered an overly generalised and inaccurate overview of the vulnerability by providing examples of Monero wallet platforms that have been discontinued or improperly structured. The RPC authentication vulnerability and the CSRF attack have been discussed on several occasions dating back to 2014, when they were brought to light by Coinspect’s Juliano Rizzo, so this time it was certainly not a “discovery”.

According to Monero Core Developer Riccardo Spagni (fluffypony), the unauthenticated RPC is the only way for exchanges, mining pools and integrators to integrate Monero as they are unaffected by the CSRF attack. It is usually not and must not be utilised by wallet service providers that run a browser in the background to integrate Monero.

If hackers gain access to certain Monero wallet platforms through the CSRF vulnerability, the responsibility should be wholly taken by the wallet operator that created an insecure ecosystem for users.

The claim made by the MWR Labs team could be compared to one saying that the world’s banking systems are extremely vulnerable because a bank experienced a physical theft after leaving a vault wide open for anyone to enter.

Source: http://www.coinfox.info/news/6454-monero-wallets-vulnerable-or-not
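What the RPC/CSRF point in the post boils down to, as an added example that is not part of the original post and is not MWR's or the Monero project's code: a wallet's JSON-RPC listener on the loopback interface with no authentication can be driven by any web page open in a browser on the same machine, because the browser will send a cross-site POST with a text/plain body without asking anyone, and an RPC server that simply parses the body as JSON executes it. The Python below is a constructed stand-in server (the transfer method, the balance, the wallet:s3cret credentials, the attacker origin and the /json_rpc path are all hypothetical, not Monero's RPC API) run in the weak configuration and in a hardened one that refuses requests carrying a browser Origin header, insists on application/json (which forces a CORS preflight the server never approves) and requires HTTP Basic credentials.

```python
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError


def make_handler(hardened, credentials=b"wallet:s3cret"):
    """Build a handler class with its own (hypothetical) wallet state and policy."""
    class RpcHandler(BaseHTTPRequestHandler):
        wallet = {"balance": 100}  # constructed state, one dict per server

        def log_message(self, *args):  # keep the demo quiet
            pass

        def _send(self, code, payload):
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(json.dumps(payload).encode())

        def _authorized(self):
            hdr = self.headers.get("Authorization", "")
            if not hdr.startswith("Basic "):
                return False
            try:
                supplied = base64.b64decode(hdr[6:], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return False
            return hmac.compare_digest(supplied, credentials)

        def do_POST(self):
            raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if hardened:
                # Browsers attach Origin to every cross-site POST; a native
                # integrator (exchange, pool, payment backend) sends none.
                if self.headers.get("Origin") is not None:
                    return self._send(403, {"error": "cross-site request refused"})
                # A non-"simple" content type forces a CORS preflight, which this
                # server never approves, so a fetch() from another origin cannot land.
                if self.headers.get("Content-Type", "") != "application/json":
                    return self._send(415, {"error": "application/json required"})
                if not self._authorized():
                    return self._send(401, {"error": "authentication required"})
            req = json.loads(raw or b"{}")
            if req.get("method") != "transfer":
                return self._send(404, {"error": "unknown method"})
            amount = int(req.get("params", {}).get("amount", 0))
            if amount <= 0 or amount > self.wallet["balance"]:
                return self._send(400, {"error": "invalid amount"})
            self.wallet["balance"] -= amount
            self._send(200, {"result": {"sent": amount, "balance": self.wallet["balance"]}})

    return RpcHandler


def start_server(hardened):
    """Bind to an OS-chosen loopback port and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(hardened))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call(port, params, origin=None, auth=None, content_type="application/json"):
    """POST a JSON-RPC 'transfer' to the loopback port; returns (status, body)."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "transfer",
                       "params": params}).encode()
    req = urlrequest.Request(f"http://127.0.0.1:{port}/json_rpc", data=body, method="POST")
    req.add_header("Content-Type", content_type)
    if origin is not None:
        req.add_header("Origin", origin)
    if auth is not None:
        req.add_header("Authorization", "Basic " + base64.b64encode(auth).decode())
    opener = urlrequest.build_opener(urlrequest.ProxyHandler({}))  # ignore proxy env vars
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def demo():
    """The four requests worth comparing; returns {name: (status, body)}."""
    weak, hard = start_server(hardened=False), start_server(hardened=True)
    wp, hp = weak.server_address[1], hard.server_address[1]
    # What a hypothetical hostile page can make the browser send: a CORS
    # "simple" request (text/plain body), which goes out without a preflight.
    evil = {"origin": "https://attacker.example", "content_type": "text/plain"}
    results = {
        "weak_csrf": call(wp, {"amount": 40}, **evil),
        "hard_csrf": call(hp, {"amount": 40}, **evil),
        "hard_noauth": call(hp, {"amount": 40}),
        "hard_auth": call(hp, {"amount": 40}, auth=b"wallet:s3cret"),
    }
    for srv in (weak, hard):
        srv.shutdown()
        srv.server_close()
    return results
```

Calling demo() runs the comparison: the weak server accepts the cross-site transfer and debits the balance, the hardened one answers 403 to the same request, 401 to an unauthenticated native client, and 200 only when credentials are supplied. Two caveats for anyone wiring this up for real: the Origin check is only a statement about browsers, since any native client can omit the header, so the credential requirement is the control that actually matters; and binding the listener to 127.0.0.1 does nothing against this attack, because the browser making the request is already on that host.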
bbc.reporter
Legendary | Activity: 3108 | Merit: 1491
September 23, 2016, 04:23:22 AM  #2
Last edit: September 23, 2016, 04:51:18 AM by bbc.reporter

Who is MWR InfoSecurity and who is Coinspect? This is the first time I have heard of these two companies. Are they certified as qualified to make these claims and where are their claims? Please post the vulnerability of the code here. Also who owns that website coinfox.info? Those mentioned are very questionable because we have no idea what their real motive is. One could always say and accuse that they have a large short position on Monero that is why they are doing this. So why is that? Because they have not proven themselves as trustworthy to the community.

vigZ
Newbie | Activity: 30 | Merit: 0
September 23, 2016, 04:38:09 AM  #3

This was the statement from Monero https://getmonero.org/2016/09/21/a-statement-on-the-mwr-labs-disclosure.html and it was fixed before MWR announced it.
Daisy14
Full Member | Activity: 238 | Merit: 100
September 23, 2016, 09:00:07 AM  #4

Similarly, MWR Lab's claims of certain wallets being vulnerable are equally useless. MoneroGui.Net, for instance, has a huge note on the README highlighting that the project is discontinued. The same goes for bitmonero-qt and MiniNodo, both of which are unmaintained. All of these wallets wouldn't even work with the current version of Monero, so they're technically vulnerable, but it's not even possible for anyone to use them.


I copied the above quote from the Monero website and it summarizes it all.

The claim is a bogus one.
bbc.reporter
Legendary | Activity: 3108 | Merit: 1491
September 24, 2016, 03:41:22 AM  #5

Sometimes it is hard to believe these guys because they could have their own motivations for bringing out these claims. Maybe they were paid by the other competing anonymous coins like Dash or SDC. I am not saying they really did it, I am only pointing out what is possible. Or maybe the whales who are shorting XMR are responsible for this.
