Hey guys, watching this recent hacking activity, I thought about what might be attacked next. What I think might be very sensitive points to attack are the pools and the miners itself.
Were the pools and miners programmed with strong security in mind? Can pools/miners defend to all crap of invalid input and other attacks? If attackers could successfully run some buffer overflow attack (for example) on a pool, they could 1. do lots of malicious stuff with the pool itself (steal coins, fuck up with transactions, try to fork blockchain if pool is big enough) and 2. start attacking the miners itself and steal their wallet's coins if successful (assuming they're on the some machine - many will). I don't know, can python / java programms (miners) somehow get exploited with stuff like buffer overflows like it's done with c(++) programms?
Of course an attack like this might require more skills than to use a trojan to steal the mtgox db (if that actually happend) and suck the accounts with weak passwords dry, but it's a risk we should mitigate better now than later.
And, well, I see slushs pool using csrf protection (
) bit still no ssl (yes you can use https and ignore the warning but the account credentials will get submitted WITHOUT using ssl). btcmine is using ssl but has no csrf protection (at least not when I checked it the last time). That two pools are the only I used so far. Don't misunderstand me, I don't want to run down on the pool ops, I'm basically quite happy with the pools, but this simply doesn't give me much confidence that the described attack won't happen some day.
Please, pool operators and miner coding guys, check your codes for security aspects, treat every user input as evil and run it against a whitelist, maybe even consider implementing a solid security toolkit as owasp esapi
https://www.owasp.org/index.php/ESAPI (not intended as a commercial but I use it for my own projects and I'm quite happy with it).
I think it's important to have this things as fkn secure as possible. OK maybe I'm just paranoid, but I didn't get any coins stolen (yet?
), being paranoid is great
.
What do you think?
