
Monero website hacked, official wallet compromised



Don't panic, unless this issue affects you. If it does, some panic is encouraged.

First things first:

  • If you downloaded the CLI wallet from the official Monero website on Monday 18 November, between 2.30am and 4.30pm UTC, you should immediately get funds out of the wallet and check the hashes of the binaries and make sure they match the official ones.
  • The issue has been resolved.

Second things second:

Monero developers have confirmed that the binaries of the official Monero CLI wallet were compromised.

What happened is someone managed to put some malicious files on the Monero website, so people who downloaded the wallet from the website were served with an infected wallet. Early analysis reportedly suggests it's a coin stealer, which sends the user's seed to an unknown party.

Anyone who downloaded the wallet from the Monero website, ran it without checking the binaries, and put funds into their wallet, may find those funds missing. The issue was spotted quickly, by users who did check the binaries.

It's not clear whether anyone was affected by this.

In this case, verifying the binaries means comparing the hash of the wallet you downloaded with a known-clean one, to make sure they match. If they do not match, one of them has been compromised, and it's probably the one you just downloaded.

In this case, Monero's clean comparison version is signed with Monero lead developer Riccardo "FluffyPony" Spagni's GPG key. It's basically a cryptographically signed source of truth, which theoretically can't be tampered with without the signature check failing.
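To make the "check the hashes" step concrete, here is an added example (not Finder's article code and not the Monero project's own tooling) of how a user-side check can work: parse a sha256sum-style hash list, hash the downloaded file in chunks, compare with a constant-time comparison, and hand the signature check on the list to the system `gpg`. The hash list layout, the file names, and the stand-in file contents are constructed for the example, and the signature helper assumes `gpg` is installed with the developer's key already imported.

```python
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed layout: one "<sha256hex>  <filename>" entry per line, as sha256sum prints.
HASH_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$")


def parse_hash_list(text):
    """Return {filename: sha256hex}; lines that do not look like entries are ignored."""
    hashes = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            hashes[m.group(2)] = m.group(1)
    return hashes


def sha256_of_file(path):
    """Hash in 1 MiB chunks so a large wallet binary does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_download(path, hash_list_text):
    """True only if the file is named in the list and its hash matches the listed one."""
    expected = parse_hash_list(hash_list_text).get(Path(path).name)
    if expected is None:
        return False  # an unlisted file is treated as a failure, not a pass
    return hmac.compare_digest(sha256_of_file(path), expected)


def verify_signed_list(list_path):
    """Ask gpg to verify the (clearsigned) hash list; assumes the signer's key is imported."""
    r = subprocess.run(["gpg", "--verify", str(list_path)], capture_output=True)
    return r.returncode == 0


def demo():
    """Constructed scenario: a clean file passes, then the same path is swapped and fails."""
    d = Path(tempfile.mkdtemp())
    binary = d / "monero-wallet-cli"
    binary.write_bytes(b"constructed stand-in for the real release binary\n")
    listing = f"{sha256_of_file(binary)}  monero-wallet-cli\n"  # what the signed list would say
    clean = check_download(binary, listing)
    binary.write_bytes(b"constructed stand-in for a swapped, malicious binary\n")
    swapped = check_download(binary, listing)
    return clean, swapped
```

The hash comparison only proves the download matches the list, so the list itself must come from a source the attacker could not also edit, which is what the GPG signature check covers.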

Centralised points of failure

This issue highlights the security issues that emerge where centralised and decentralised systems clash.

Blockchains are theoretically hack-proof, but engaging with them still requires people to go through a number of centralised points, such as individual websites and GitHub repositories which may be altered.

The hacking of the Monero website is an example of how problematic these centralised elements can be. But the speed with which the problem was identified is also an example of how effective counter-measures can be.

Monero's counter-measures take the form of decentralisation, of sorts. The binaries are hosted in multiple places (GitHub, the Monero website, etc), as are the clean comparison binaries. The idea is that even if someone manages to hack one location, as happened here, they can't hack everything.

So, as long as you follow the rules that everything should be distributed across multiple places, that everything should match, and that you always check to make sure everything matches, it should all theoretically be perfectly secure.

This system is extremely inconvenient, it shifts an enormous burden onto the end user, and it means a certain level of technical competence is required for someone to actually be reasonably certain they aren't about to have their wallet hacked. But as things stand, that's the price of security.


One might be tempted to look at this incident as a black mark, and there's a natural tendency to ask what can be done to prevent it from happening again, but as FluffyPony said, even if you change it up and stop trusting the website, all you're really doing is shifting the point of failure to another compromisable point.


In the context of centralised vs decentralised security, it's worth looking at some other incidents where malicious wallets, or entirely malicious cryptocurrency exchanges, were served to users, and how urging end users to verify the validity of the service for themselves could have helped.

In all cases, the only real solution is to urge end users to take responsibility for their own security.

Of course, the end user is also a centralised point of failure, as is just about everything they touch. For example, Russian state-sponsored hackers got at Olympic officials by hacking the officials' hotel Wi-Fi at the 2016 Olympics.

Any kind of public Wi-Fi, airport USB chargers and just about everything else in the world still presents a centralised point of potential failure, as does the concept of trust itself. FluffyPony and other Monero developers could probably find a few ways to steal user funds if they really wanted.

Decentralisation ain't easy.

Disclosure: The author holds BNB, BTC at the time of writing.
