Bitcoin Forum
Topic: A security bug in headless client?
July 16, 2010, 10:51:28 AM

(not found by me, but by user mkfifo)

If you start bitcoind as one user, then type some command as the other user (e.g. bitcoind getbalance), it will work and output your balance. It may be very dangerous on multi-user systems. Imagine there is a user with a hard password that owns a bitcoin wallet and a user with a weak password that doesn't. So if a hacker breaks the other user's password or gets access to the other user's account, he could steal the money from the first user.

Some desktops (Windows and Linux) even have a guest account with no password, which can be used to steal bitcoins too.

The solution would be to open a UNIX socket with read/write permissions only for the user/group it is opened as.
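
The fix proposed in the post above, sketched as an added example (not part of the thread and not bitcoind's code). The function names and the `rpc-demo-` directory prefix are assumptions, and `peer_uid` relies on the Linux-specific `SO_PEERCRED` option:

```python
import os
import socket
import stat
import struct
import tempfile


def open_private_socket():
    """Listen on a UNIX socket that only the creating user can reach."""
    # mkdtemp creates the directory with mode 0700, so other users cannot
    # traverse to the socket even on systems that ignore socket file modes.
    directory = tempfile.mkdtemp(prefix="rpc-demo-")
    path = os.path.join(directory, "rpc.sock")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # bind() creates the socket file with mode 0777 & ~umask, so tighten the
    # umask first instead of chmod-ing afterwards (no window of exposure).
    old_umask = os.umask(0o177)
    try:
        server.bind(path)
    finally:
        os.umask(old_umask)
    server.listen(1)
    return server, path


def peer_uid(conn):
    """Return the uid of the process at the other end (Linux SO_PEERCRED)."""
    # struct ucred is { pid_t pid; uid_t uid; gid_t gid; }
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid


def demo():
    """Connect as the owning user and report what the server observes."""
    server, path = open_private_socket()
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    conn, _ = server.accept()
    result = {
        "socket_mode": stat.S_IMODE(os.stat(path).st_mode),
        "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode),
        "peer_is_owner": peer_uid(conn) == os.getuid(),
    }
    for s in (conn, client, server):
        s.close()
    os.unlink(path)
    os.rmdir(os.path.dirname(path))
    return result
```

A server built this way would close any accepted connection whose `peer_uid` differs from its own uid before reading a command from it.
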
July 16, 2010, 12:00:27 PM

i make topic:

thank d1337r! :-)