Hackers Can Gain Access to Funds if Ethereum clients are Poorly Configured.
Affected Versions: Geth, C++ and Python clients can all be vulnerable when used incorrectly.
Likelihood: Low
Severity: High
Damage: Funds can be transferred to other wallets.
Description:
It has been found that some users may have neglected the security features of the JSON-RPC interface. This interface allows transactions to be sent from any unlocked account, and an account that has been unlocked remains unlocked for the duration of the session, so every transaction sent over RPC in that session goes through without further authorization.
The RPC interface is off by default, and it must be enabled on the same host where the Ethereum client is running. If it is enabled and reachable from the network, anyone who knows the host's IP address and your account address can transfer funds out of your wallet.
Chain Restructuring: No Impact
Action Taken By Ethereum: Geth RC1 is safe since it requires explicit authorization from the user for remote transactions. Future versions of Geth may add the same protection.
Proposed Solution: Use the default settings and be aware of the consequences when changing your security settings.
NOTE: This is not a bug but an abuse of the JSON-RPC.
REMINDER: Never enable the JSON-RPC interface on a computer with Internet access without a firewall blocking the JSON-RPC port (default is 8545).
eth: Use RC1 or later
geth: Use secure defaults and be mindful of the security implications of any changes, e.g. keep the interface bound to the loopback address:
--rpcaddr "127.0.0.1"
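As an added example (not part of the advisory or of any Ethereum client), the following Python audit helper flags the misconfiguration described above in two ways: it classifies a geth command line by where its RPC interface would bind, and it scans `ss -ltn`-style listener output for the default port 8545 bound to a non-loopback address. It assumes geth's default for --rpcaddr is 127.0.0.1 and accepts both single- and double-dash flag spellings; the sample listener output is constructed.

```python
import ipaddress
import shlex

JSON_RPC_PORT = 8545  # geth's default JSON-RPC port, per the advisory


def is_loopback(addr: str) -> bool:
    """True only for loopback addresses; '*', '' and unspecified addresses are NOT loopback."""
    addr = addr.strip("[]")
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def geth_rpc_exposure(cmdline: str) -> str:
    """Classify a geth command line as 'off' (RPC disabled), 'local' or 'exposed'."""
    args = shlex.split(cmdline)
    if not any(a in ("--rpc", "-rpc") for a in args):
        return "off"
    addr = "127.0.0.1"  # assumption: geth's default --rpcaddr
    for i, a in enumerate(args):
        if a in ("--rpcaddr", "-rpcaddr") and i + 1 < len(args):
            addr = args[i + 1]
        elif a.startswith(("--rpcaddr=", "-rpcaddr=")):
            addr = a.split("=", 1)[1]
    return "local" if is_loopback(addr) else "exposed"


def exposed_listeners(ss_output: str, port: int = JSON_RPC_PORT) -> list:
    """Return 'Local Address:Port' entries where `port` is bound to a non-loopback address."""
    hits = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[3]
        host, _, lport = local.rpartition(":")
        if lport == str(port) and not is_loopback(host):
            hits.append(local)
    return hits


# Constructed sample of `ss -ltn` output: one safe binding, two exposed ones.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:8545     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8545       0.0.0.0:*
LISTEN 0      4096   [::]:8545          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*"""

if __name__ == "__main__":
    print(geth_rpc_exposure('geth --rpc --rpcaddr "0.0.0.0"'))  # exposed
    print(exposed_listeners(SAMPLE_SS))  # ['0.0.0.0:8545', '[::]:8545']
```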