Create an <img /> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.
Care to elaborate on this?
The local bitcoind uses HTTP basic authentication. So usually I need to enter a username/password in my browser if I send HTTP requests to the bitcoind. However, image tags allow embedding authentication information within the URL, for example: <img src="username:password@http://localhost:1234/" />. Furthermore, if this authentication is successful, the username and password are cached by the browser and automatically used on subsequent requests.
So if you have a list of common usernames and passwords you can just:
- Take a username and password from the list and dynamically inject an <img /> tag in your page that loads this resource.
- Create a client-side HTTP POST request that uses this cached authentication data to send a request to your bitcoind. For example by using Flash (as discussed in my first post) or by using a HTTP form submit in an iframe.
- Repeat in a loop with many different combinations for usernames and passwords.
Basically that's very similar to a standard CSRF attack (https://en.wikipedia.org/wiki/Cross-site_request_forgery) and the password is the only protection against it. So if your password is just "password" (or a word that's likely to be on a wordlist) this attack would succeed.
It seems like this won't work with current Chrome development versions, because they prevent embedding usernames/passwords inside URLs (https://code.google.com/p/chromium/issues/detail?id=123150). However, this should still work with the current stable Chrome version and other browsers such as Firefox.
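The wordlist loop described in the post above leaves a characteristic trace on the RPC side: one client producing a burst of 401 responses with many different usernames, often followed by a 200 once a guess lands. The following detector is an added example, not code from the thread or from bitcoind; it assumes a reverse proxy in front of the RPC port that writes one line per request in a constructed format (timestamp, client IP, basic-auth username, HTTP status), since bitcoind itself does not emit such a log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not bitcoind's native output). Assumed proxy format:
#   <ISO timestamp> <client ip> <basic-auth username or "-"> <HTTP status>
SAMPLE_LOG = """\
2013-01-05T10:00:00 10.0.0.5 admin 401
2013-01-05T10:00:01 10.0.0.5 root 401
2013-01-05T10:00:01 10.0.0.5 bitcoin 401
2013-01-05T10:00:02 10.0.0.5 user 401
2013-01-05T10:00:02 10.0.0.5 test 401
2013-01-05T10:00:03 10.0.0.5 bitcoinrpc 200
2013-01-05T10:05:00 10.0.0.9 bitcoinrpc 200
2013-01-05T10:06:00 10.0.0.9 bitcoinrpc 401
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, status)."""
    ts, ip, user, status = line.split()
    return datetime.fromisoformat(ts), ip, user, int(status)


def find_wordlist_attempts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: set_of_usernames} for every client that produced at
    least `threshold` failed basic-auth attempts with distinct usernames inside
    a sliding `window`. A single mistyped password never trips this, but the
    username-cycling loop from the post does."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status = parse_line(line)
        if status == 401:  # basic-auth rejected by the RPC server
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()  # chronological order
        for i, (start, _) in enumerate(events):
            # Distinct usernames tried within `window` of this failure
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[ip] = users
                break
    return flagged
```

A 200 from a flagged client right after its burst of failures (as 10.0.0.5 shows in the sample) is the case to treat as a compromised RPC password rather than a blocked attempt.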