News A security flaw in Monero's wallet might have jeopardized...

A security flaw in Monero’s wallet might have jeopardized users’ funds

-

- Advertisment -

A hack on privacy coin Monero’s official website yesterday let users download a malicious version of one of its wallets. 

“The Monero website is a common target for attack, and this is the first time that it was compromised,” Justin Ehrenhofer, Organizer of Monero’s Malware Response Workgroup, told Decrypt.

Monero’s Ehrenhofer said that volunteer security researchers have found code that sends the Monero mnemonic seed, which contains private keys, to the hacker’s server. The hacker could then use this information to drain funds from victims’ wallets. 

In addition, researchers have found suspicious activities related to remote-access, which Ehrenhofer says “indicates that the attacker may have access the filesystem and the ability to perform other actions.”

Monero said that the issue lasted 35 minutes—“a likely estimate of the total time it was compromised within this window based on user feedback and some initial results,” said Ehrenhofer.

Monero advised potentially compromised users—those who downloaded the command-line-interface wallet between 2:30 AM UTC and 4:30 PM UTC yesterday—and whose binary hashes don’t match the official ones—to transfer funds out of all wallets opened to a safe version of the Monero wallet. 

Downloads now come from a safe, fallback source, Monero said. 

In an interview with Decrypt, Dark.Fail—a pseudonymous cybersecurity researcher and the owner of a site that tracks how long sites hosted on Tor stay online—said that users with compromised wallets face risks, including de-anonymizing user IP addresses, having keystrokes logged by attackers, or further infecting their computers. 

Dark.Fail said Monero should have come clean about the hack sooner: “They did not post any warnings to their website [until 14 hours after announcing the breach on Reddit], the very place this malware was distributed. They chose instead to announce this breach to the small subset of their users that happen to follow them on Reddit, or on Twitter.” 

“If an official website says download something, people will download it. Arguing that people should check hashes or compile their own code, while technically true, completely alienates non-technical users,” they added. 

Ehrenhofer said that Monero’s notifications reached hundreds of thousands through social media, but admitted “we should have immediately started working on a notification on the main website, and we should have sent an email to the Monero-announce mailing list.” 

Still, Dark.Fail said too many questions remain: “How did this happen? What access controls are in place? Who has access to Monero’s servers? How hard is it to upload a malicious executable in place of the official one?”

Ehrenhofer said the box running the server was locked down with industry-leading file integrity monitoring and that when researchers complete their audit, answers will be forthcoming. Monero has organized a meeting on Friday post to discuss how to handle future emergencies. It will no doubt be a busy one.

Source

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest news

Top 7 Porn Sites That Accept Bitcoin/Crypto

Bitcoin and other cryptocurrencies are not that exotic anymore. Ever since the big boom on the crypto...

“Chinachain” aims to connect hundreds of cities across China. Will it work?

If there’s ever a “Chinachain” for business, sanctified and supported by the state, the BSN ( Blockchain...

Top 10 BEST Crypto Trading Books for New Traders (2020)

We may receive a small revenue share if you purchase something from this guide - with...

Crypto Firm That Connects Exchanges and Banks Receives $5m Investment From Wells Fargo

Cryptocurrency startup Elliptic recently held a Series B funding round which was joined by a venture arm...
- Advertisement -

Will New Zealand’s crypto salary project work?

Now in 2020, Bitcoin, and in a broader sense cryptocurrencies in general, have gone through hundreds of...

Is Tron’s decentralized app market really a “Las Vegas on the blockchain?”

The original idea behind creating cryptocurrencies was to offer a much more decentralized and convenient payment platform...

Must read

Top 7 Porn Sites That Accept Bitcoin/Crypto

Bitcoin and other cryptocurrencies are not that...

“Chinachain” aims to connect hundreds of cities across China. Will it work?

If there’s ever a “Chinachain” for business,...
- Advertisement -A security flaw in Monero's wallet might have jeopardized users’ fundsA security flaw in Monero's wallet might have jeopardized users’ funds

You might also likeRELATED
Recommended to you