Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Hackers Stole Over $20 Million From Misconfigured Ethereum Clients (bleepingcomputer.com) 65

Catalin Cimpanu, writing for BleepingComputer: A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today. The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545. The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query and interact or retrieve data from the original Ethereum-based service -- such as a mineror wallet application that users or companies have set up for mining or managing funds. Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner's personal details.

Hackers Stole Over $20 Million From Misconfigured Ethereum Clients

Comments Filter:
  • Does anyone have the numbers- are you more likely to have money stolen from your wallet or your virtual wallet. For each $1 value in each- which is more vulnerable?

    Seems to be a lot of big money heists from virtual wallets, but does that in %wise add up to more thefts per mano?

  • by Tulsa_Time ( 2430696 ) on Monday June 11, 2018 @12:14PM (#56765600)

    Was I lied to ?

    Trust was to be decentralized so this cannot happen. The transaction is on the blockchain... so just fix it. :)

    And I am sure it is backed by deposit insurance.... oh wait.....

    • by Anonymous Coward

      Crypto is safe. Don't expose private RPC ports (that are disabled by default) to the internet if you don't know what you're doing.

  • by Anonymous Coward

    Being your own bank seems to work out well.

  • I'm in this field (Score:2, Informative)

    by Anonymous Coward

    Rpc for native clients has only been only been enabled for localhost. Someone or something has to configure it for remote access. It takes some work to make it happen

  • You mean writing apps on the blockchain doesn't make them magically secure? I am shocked!

  • Or are we still only doing this for the big players only, you fucking fraud?

  • by rask22 ( 144831 ) on Monday June 11, 2018 @12:46PM (#56765810)

    Stolen seems like a strong word if the victims exposed an API online with calls to transfer away their balances....

  • I do hope that this was because of the clients opening it up to the outside world by accident/stupidity and not the developers leaving it open by default by accident or just assuming people would know about there being an RPC interface open to the public by default. Because if it was a dev fuckup, then there's probably a lot of vulnerable clients still out there and they're probably get sued, badly.
  • I mean, you say they're worth $200 million, but I say they make a fine bread for cookies.

    All of this is due to certain nations permitting Russia and North Korea to hack to their hearts' content.

  • by belthize ( 990217 ) on Monday June 11, 2018 @01:36PM (#56766206)

    The first thing I wondered was what percentage of the currency is that.

    According to this site: https://etherscan.io/stat/supp... [etherscan.io]

    The total market cap of etherium is $52B so $20M is about .2%. (1/5th of 1% in case the '.' is hard to see) of all etherium in circulation.

    There's about $1.6T US dollars in circulation, so as a percentage of total money in circulation that $20M etherium heist is the equivalent of a $6B USD heist.

    Admittedly an odd way of looking at it but it's hard to imagine somebody making off with $6B due to something as mundane as an RPC vulnerability.

  • Tell me again how wonderful blockchain is and that it will solve sooo many problems......

FORTRAN is the language of Powerful Computers. -- Steven Feiner

Working...