Bitcoin Forum
Author Topic: Use a strong password for your local bitcoind  (Read 986 times)
gst (Jr. Member)
April 23, 2012, 09:29:55 PM, #1

I've heard from several people now that they don't need a secure password for their local bitcoind, as "it's only listening on localhost" or as "the local network is secured by a firewall". Just a friendly reminder that neither of those protects you. If you have a bitcoind running on localhost and you use a weak password, it's trivial for an attacker to steal your bitcoins.

For example, a potential attack that uses the user's webbrowser might look like the following:
  • Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.
  • Use Flash to send a HTTP request to the bitcoind that transfers the coins to another address. Same-origin policies don't protect you here, as Flash applies those policies to the response instead of the request. So the Flash applet can't read bitcoind's reply, but can still send the request.
  • Repeat in a loop with a large number of potential passwords.
DeathAndTaxes (Donator, Legendary; Gerald Davis)
April 23, 2012, 09:45:00 PM, #2

Bitcoind listens on port 8332. A browser loading an image on port 80 isn't going to have any communication with bitcoind.
If your firewall is blocking port 8332 then those attacks aren't going to work.

It IS a good idea to use strong passwords, but your examples are dubious. Personally I use the key smash method.
gst (Jr. Member)
April 23, 2012, 09:48:35 PM, #3

Quote
Bitcoind listens on port 8332. If your firewall is blocking port 8332 then those attacks aren't going to work.

That's exactly the misconception I've pointed out: Your firewall does not protect you, as the connection is not established by the remote attacker, but by your Web browser. This should work with any browser that has Flash installed. It does not work without Flash (e.g., with Javascript), as Javascript applies the same-origin policy to the request, instead of the response.
DeathAndTaxes (Donator, Legendary; Gerald Davis)
April 23, 2012, 10:00:08 PM, #4

Quote
Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you get around the HTTP basic authentication of the bitcoind.

Care to elaborate on this?

Still, good point on the Flash; not something I considered.
gst (Jr. Member)
April 23, 2012, 10:11:00 PM, #5

Quote
Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you get around the HTTP basic authentication of the bitcoind.

Care to elaborate on this?

The local bitcoind uses HTTP basic authentication. So usually I need to enter a username/password in my browser if I send HTTP requests to the bitcoind. However, image tags allow you to embed authentication information within the URL, for example: <img src="http://username:password@localhost:1234/" />. Furthermore, if this authentication is successful, username and password are cached by the browser and automatically used on subsequent requests.

So if you have a list of common usernames and passwords you can just:
  • Take a username and password from the list and dynamically inject an <img /> tag in your page that loads this resource.
  • Create a client-side HTTP POST request that uses this cached authentication data to send a request to your bitcoind. For example by using Flash (as discussed in my first post) or by using an HTTP form submit in an iframe.
  • Repeat in a loop with many different combinations for usernames and passwords.

Basically that's very similar to a standard CSRF attack (https://en.wikipedia.org/wiki/Cross-site_request_forgery) and the password is the only protection against it. So if your password is just "password" (or a word that's likely to be on a wordlist) this attack would succeed.

It seems like this won't work with current Chrome development versions, because they prevent embedding username/passwords inside URLs (https://code.google.com/p/chromium/issues/detail?id=123150). However, this should still work with the current stable Chrome version and other browsers such as Firefox.