Bitcoin Forum
Author Topic: Warning: don't use -server or bitcoind where you web browse (v0.3.2 and lower)  (Read 3681 times)
satoshi
Founder
July 19, 2010, 04:01:38 PM
 #1

Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser.  It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.

We're working on a release soon that puts a password on the JSON-RPC interface, but until then, avoid using the -server switch, and don't web browse on the same machine where bitcoind is running.

Update:
The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.
Quantumplation
July 19, 2010, 04:03:41 PM
 #2

satoshi: How many other developers do you have working with you?

Martin (another forum member) and I were talking about writing a .Net compatible library for integrating bitcoins into other programs.

franzl
July 20, 2010, 11:07:52 AM
 #3

Quote
Martin (another forum member) and I were talking about writing a .Net compatible library for integrating bitcoins into other programs.

I think this is a very good idea! I also think it's important to have a PHP library since this is an important programming language for e-commerce sites. It would help a great deal in acceptance of bitcoin as a currency.
Quantumplation
July 20, 2010, 04:59:46 PM
 #4

Franzl: >_> I abhor PHP, so I can't help you there, but some day (Completely overwhelmed with projects right now, but some day...) we might write the .net library.

Axcella
July 20, 2010, 06:52:45 PM
 #5

This is the only computer I have at present. I am working on getting a standalone for the bitcoin program; until then, how do I retain the cash if the connection is lost?
fresno
July 21, 2010, 01:42:34 AM
 #6

Quote
Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser.  It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.

This sounds like something I would not like to have happen, but what does it mean? Let's face it, we're ALL generating Bitcoins on everything we can get hold of. What is the potential damage, in language my Mom might understand?


sirius
July 21, 2010, 05:53:31 AM
 #7

Quote
Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser.  It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.

This sounds like something I would not like to have happen, but what does it mean? Let's face it, we're ALL generating Bitcoins on everything we can get hold of. What is the potential damage, in language my Mom might understand?

Malicious websites could have a javascript that steals all your coins.

Gavin Andresen
Chief Scientist
July 21, 2010, 03:01:01 PM
 #8

You can still generate bitcoins, just don't run bitcoind or bitcoin -server or bitcoin -daemon on a machine that you use to browse the Web.

As sirius says, if you do you could browse to a website that empties your Bitcoin wallet without your knowledge or permission.

fresno
July 21, 2010, 03:27:49 PM
 #9

I'm full of dumb questions today: Are there any other conceivable problems? And would the daemon be protected if it were on a VM and/or chrooted? Thanks.



Gavin Andresen
Chief Scientist
July 21, 2010, 04:10:32 PM
 #10

chroot: won't protect you.

Running as a separate VM:  I think will protect you.  But I thought browsers wouldn't allow XMLHTTPRequests to "localhost" from web pages fetched from the web, so my advice would be to test it.  See if you can talk to the Bitcoin daemon from another VM on the same machine by running "bitcoind getinfo" or "bitcoin getinfo" on the non-bitcoin-vm.

satoshi
July 24, 2010, 02:29:09 AM
 #11

The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.
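The check Gavin suggests a few posts up (see whether the daemon answers a caller that presents no credentials) and the fix satoshi describes here (HTTP authentication on the JSON-RPC port in 0.3.3), as an added example that is not code from this thread or from Bitcoin itself. It runs a minimal stand-in JSON-RPC server in both modes, unauthenticated as before 0.3.3 and with HTTP Basic authentication as after, and audits each from the loopback address the way an operator would audit a real node. The server, the credentials and the stub `getinfo` reply are constructed for the example; a real node takes its RPC user and password from its configuration file rather than from constants in a script.

```python
import base64
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed credentials for the demonstration only.
RPC_USER = "exampleuser"
RPC_PASSWORD = "example-long-random-password"


def make_handler(require_auth: bool):
    """Build a tiny JSON-RPC handler. require_auth=False mimics the pre-0.3.3
    behaviour described in the thread (anyone who can reach the loopback port
    is served); require_auth=True mimics the 0.3.3 HTTP authentication fix."""

    class RpcHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the console quiet
            pass

        def _authorized(self) -> bool:
            header = self.headers.get("Authorization", "")
            expected = b"Basic " + base64.b64encode(f"{RPC_USER}:{RPC_PASSWORD}".encode())
            # Constant-time comparison so the check does not leak via timing.
            return secrets.compare_digest(header.encode(), expected)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = json.loads(self.rfile.read(length) or b"{}")
            if require_auth and not self._authorized():
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="jsonrpc"')
                self.end_headers()
                return
            # Only a stub "getinfo" is implemented; the reply is constructed.
            result = {"version": "example", "balance": 0} if body.get("method") == "getinfo" else None
            reply = json.dumps({"result": result, "error": None, "id": body.get("id")}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(reply)))
            self.end_headers()
            self.wfile.write(reply)

    return RpcHandler


def start_server(require_auth: bool) -> HTTPServer:
    """Start the stand-in daemon on 127.0.0.1 with a free port, in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def rpc_status(port: int, credentials=None) -> int:
    """POST a getinfo call to the loopback RPC port and return the HTTP status.
    credentials=None sends no Authorization header, i.e. what an arbitrary
    local caller with no knowledge of the password would get."""
    payload = json.dumps({"jsonrpc": "1.0", "id": "audit", "method": "getinfo", "params": []}).encode()
    req = request.Request(f"http://127.0.0.1:{port}/", data=payload,
                          headers={"Content-Type": "application/json"})
    if credentials:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def audit(port: int) -> str:
    """Operator's check: does the RPC port answer a caller with no credentials?"""
    status = rpc_status(port)
    if status == 200:
        return "EXPOSED: unauthenticated JSON-RPC call was answered"
    if status == 401:
        return "PROTECTED: unauthenticated call rejected (401)"
    return f"UNEXPECTED: HTTP {status}"


if __name__ == "__main__":
    for auth in (False, True):
        srv = start_server(auth)
        print(f"require_auth={auth}: {audit(srv.server_address[1])}")
        srv.shutdown()
```

Run against a real node, `audit()` would be pointed at port 8332 instead of the stand-in server; the point of the thread is that before 0.3.3 the answer was always "EXPOSED", because nothing on the loopback interface distinguished the owner's client from any other local process, including a browser acting on a page's behalf.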
dbijoy
February 01, 2018, 03:54:46 PM
 #12

Quote
Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser.  It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.

We're working on a release soon that puts a password on the JSON-RPC interface, but until then, avoid using the -server switch, and don't web browse on the same machine where bitcoind is running.

Update:
The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.
satoshi: you are a right topic in our bitcoin forum. If you want to say that any earnings will be used on their computer, then the account will be banned. If I say that the server or the Doodle switch is not good to use on the computer. If anybody else wants to use another account on the same computer, then he must make a mistake. A new action, you are working in the release soon, that keeps a password on the JSON-RPC interface, and then we must avoid the problem. It is necessary to overcome the problem; 0.3.3 solves this problem.
