DOI: 10.1145/3301417.3312495 (research article, ACM conference proceedings)

Pitfalls of open architecture: How friends can exploit your cryptocurrency wallet

Published: 25 March 2019

Abstract

Many desktop cryptocurrency wallet applications expose an open remote procedure call (RPC) interface that other blockchain-based applications can use to access their functionality. This paper studies the security of the RPC interface in several cryptocurrency wallets. We find that, in many cases, a malicious process running on the same computer, regardless of its privileges, can impersonate the communication endpoints of the RPC channel and, effectively, steal the funds in the wallet. The attacks are closely related to server and client impersonation on computer networks but take place inside the computer. The malicious process may be created by another authenticated but unprivileged user on the same computer, or even by the guest user. The main contribution of this paper is to raise awareness among wallet developers of the need to protect local RPC channels with the same prudence as network connections. We also hope that it will discourage users from running security-critical applications such as cryptocurrency wallets on shared systems or on computers with the guest account enabled.
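As an added defensive illustration (not the paper's code), one way to give a local RPC channel the endpoint verification the abstract calls for: a Unix-domain socket on which both the wallet daemon and the client check the peer's kernel-reported UID (Linux SO_PEERCRED) before any JSON-RPC is exchanged, so a process belonging to another local user or the guest account can pose as neither end. The socket path, the getbalance method and the reply are constructed for the example; it assumes daemon and client run as the same user.

```python
import json, os, socket, struct, tempfile, threading

# Added example (not the paper's code), Linux only: daemon and client each verify the
# peer's kernel-reported UID (SO_PEERCRED), so a process run by another local user or
# the guest account can impersonate neither end. Assumes both run under the same UID.

def peer_uid(sock):
    creds = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)  # struct ucred of the peer process
    return uid

def require_peer(sock, expected_uid):
    """Drop the connection unless the peer runs as the expected user."""
    uid = peer_uid(sock)
    if uid != expected_uid:
        sock.close()
        raise PermissionError(f"peer uid {uid}, expected {expected_uid}")

def listen_on(path):
    """Daemon socket created with mode 0600 so other users cannot even connect."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o077)
    srv.bind(path)
    os.umask(old)
    srv.listen(1)
    return srv

def handle_one(srv, expected_uid):
    """Daemon side: check the client's UID before parsing any JSON-RPC request."""
    conn, _ = srv.accept()
    with srv, conn:
        require_peer(conn, expected_uid)
        req = json.loads(conn.recv(4096))
        reply = {"jsonrpc": "2.0", "id": req["id"], "result": {"balance": 0}}  # constructed
        conn.sendall(json.dumps(reply).encode())

def rpc_call(path, expected_uid, method):
    """Client side: verify the *daemon's* UID before sending credentials or commands."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    with cli:
        require_peer(cli, expected_uid)  # defeats a fake daemon squatting on the path
        cli.sendall(json.dumps({"jsonrpc": "2.0", "id": 1, "method": method}).encode())
        return json.loads(cli.recv(4096))

def demo():  # daemon and client as the same user; socket inside a private 0700 temp dir
    path, uid = os.path.join(tempfile.mkdtemp(), "wallet.sock"), os.getuid()
    threading.Thread(target=handle_one, args=(listen_on(path), uid)).start()
    return rpc_call(path, uid, "getbalance")
```

The same peer-UID check applies to any local IPC that exposes peer credentials; for plain localhost TCP, where the kernel reports no peer identity, the client has no equivalent way to tell the real daemon from an impostor without an authenticated channel.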




Published In

EuroSec '19: Proceedings of the 12th European Workshop on Systems Security, March 2019, 59 pages. ISBN: 9781450362740. DOI: 10.1145/3301417

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Cryptocurrency Wallet
  2. Remote Procedure Call (RPC)

Qualifiers: research article; research; refereed limited

Conference

EuroSys '19 (sponsor: EuroSys '19: Fourteenth EuroSys Conference 2019), March 25-28, 2019, Dresden, Germany

Acceptance Rates

EuroSec '19 paper acceptance rate: 9 of 25 submissions (36%). Overall acceptance rate: 47 of 113 submissions (42%).

Cited By

  • (2024) Exploring Security in Cryptocurrency: Challenges, Solutions, and Implications – A Systematic Literature Review. 2024 International Conference on ICT for Smart Society (ICISS), pp. 1-9. DOI: 10.1109/ICISS62896.2024.10751129. Online publication date: 4 Sep 2024.
  • (2024) Pragmatic Analysis of Key Management for Cryptocurrency Custodians. 2024 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), pp. 747-765. DOI: 10.1109/ICBC59979.2024.10634356. Online publication date: 27 May 2024.
  • (2023) Security Aspects of Cryptocurrency Wallets—A Systematic Literature Review. ACM Computing Surveys 56(1), pp. 1-31. DOI: 10.1145/3596906. Online publication date: 28 Aug 2023.
  • (2023) Uncovering Impact of Mental Models towards Adoption of Multi-device Crypto-Wallets. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3153-3167. DOI: 10.1145/3576915.3623218. Online publication date: 15 Nov 2023.
  • (2022) Technology and Security Analysis of Cryptocurrency Based on Blockchain. Complexity 2022(1). DOI: 10.1155/2022/5835457. Online publication date: 21 Jul 2022.
  • (2022) A Study on Blockchain Architecture Design Decisions and Their Security Attacks and Threats. ACM Transactions on Software Engineering and Methodology 31(2), pp. 1-45. DOI: 10.1145/3502740. Online publication date: 1 Apr 2022.
  • (2020) Security Analysis of Cryptocurrency Wallets in Android-Based Applications. IEEE Network 34(6), pp. 114-119. DOI: 10.1109/MNET.011.2000025. Online publication date: Nov 2020.
  • (2020) The novel secure testament methodology for cryptocurrency wallet using mnemonic seed. Information Security Journal: A Global Perspective, pp. 1-14. DOI: 10.1080/19393555.2020.1739788. Online publication date: 21 Mar 2020.
  • (2020) Deciphering Cryptocurrencies by Reverse Analyzing on Smart Contracts. Blockchain and Trustworthy Systems, pp. 532-546. DOI: 10.1007/978-981-15-9213-3_41. Online publication date: 12 Nov 2020.
