MWR InfoSecurity released an advisory on a vulnerability admittedly found in Monero wallets. The coin devs have replied with a harsh statement on the discovery criticising it as “a largely useless observation.”
The security firm claims it has discovered a fault in what is regarded as the most anonymous cryptocurrency that supposedly enables hackers to steal funds from many Manero wallet platforms. The MWR Labs research team marked the CSRF vulnerability a high severity issue. Specifically, the firm referred to a Cross Site Request Forgery vulnerability discovered in Monero Simplewallet, which supposedly gave attackers access to user funds.
The alert has had some resonance in mainstream media which came up with some alarming headlines based on the claims made by MWR Labs. Motherboard Vice for instance, published a piece entitled “How a Hacker Can Steal Monero, a Cryptocurrency More Anonymous Than Bitcoin,” which by itself seems rather misleading.
To begin with, the MWR Labs team offered an overly generalised and inaccurate overview of the vulnerability by providing examples of Monero wallet platforms that have been discontinued or improperly structured. The RPC authentication vulnerability and the CSRF attack have been discussed on several occasions dating back to 2014, when they were brought to light by Coinspect’s Juliano Rizzo, so this time it was certainly not a “discovery”.
According to Monero Core Developer Riccardo Spagni (fluffypony), the unauthenticated RPC is the only way for exchanges, mining pools and integrators to integrate Monero as they are unaffected by the CSRF attack. It is usually not and must not be utilised by wallet service providers that run a browser in the background to integrate Monero.
“Libraries such as MoneroNJS and Monero NodeJS cannot be said to be "vulnerable" to this, because they are libraries that are used by integrators and not by any software that would run on a machine with a browser in the background. No automated system that has a hot wallet should ever run in such an insecure environment, and developers are keenly aware of this,” explained Spagni.
Essentially, the claims of MWR Labs suggest that the vulnerability that lies within the Monero Core system negatively affects Monero wallet platforms, which obviously is a false accusation. If hackers gain access to certain Monero wallet platforms through the CSRF vulnerability, the responsibility should be wholly taken by the wallet operator that created an unsecure ecosystem for users.
The claim made by the MWR Labs team could be compared to one saying that the world’s banking systems are extremely vulnerable because a bank experienced a physical theft after leaving a vault wide open for anyone to enter.
“That observation is like saying that all Monero wallets are at risk if you use "password" as your password and also post your wallet file on Dropbox and share the link on Reddit - technically true, but a largely useless observation,” Spagni remarks.
There were actually two active wallets that remained vulnerable to CSRF attacks – Bigreddmachine’s Google Chrome wallet and jwinterm’s lightWallet 2 – and they have received a quick patch to prevent the threat. The two wallets updated their platforms immediately after.