Tencent warning: NEO cryptocurrency is vulnerable to remote theft
There are some conflicting reports, but NEO prices don't seem to have discernibly responded to the news.
Tencent's ZhanluLab security outfit has discovered and reported a vulnerability in NEO which allows hackers to remotely steal tokens from user wallets.
"When a user starts the NEO network node with the default configuration and opens the wallet, the digital currency may be remotely stolen," it says.
Tencent's two cents
ZhanluLab advises NEO node operators to do the following:
1. Upgrade to the latest NEO-CLI client
2. Try not to use the RPC function and manually change the address of BindAddress to 127.0.0.1
3. If you have to use the remote RPC function, change the RPC port number, enable the https-based port of JSON-RPC and set up a firewall.
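The three recommendations above amount to a small configuration audit: is the RPC listener bound to loopback, and if it is deliberately exposed, has the default port been changed and HTTPS enabled? The script below is an added example, not code from the article, Tencent or the NEO project. It assumes a JSON layout that mirrors a NEO-CLI config.json (an `ApplicationConfiguration.RPC` block holding the `BindAddress` the article names, plus assumed `Port` and `SslCert` keys, and the well-known default RPC port 10332); the firewall step has to be checked on the host and is outside a config file audit.

```python
"""Audit a node's RPC block against the ZhanluLab hardening advice."""
import ipaddress
import json

# Assumptions (not from the article): the config layout below mirrors a
# NEO-CLI config.json, 10332 is the default RPC port, and SslCert is empty
# when the JSON-RPC endpoint is served over plain HTTP.
DEFAULT_RPC_PORT = 10332


def _is_loopback(bind_address: str) -> bool:
    """True for 127.0.0.1, ::1 and the literal 'localhost'."""
    value = bind_address.strip()
    if value.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # unparsable or empty value: do not assume it is safe


def audit_rpc_config(config: dict) -> list:
    """Return human-readable findings; an empty list means the RPC block
    follows the advice (loopback bind, or hardened remote exposure)."""
    findings = []
    rpc = config.get("ApplicationConfiguration", {}).get("RPC")
    if not rpc:
        return findings  # no RPC block at all: nothing is listening
    bind = str(rpc.get("BindAddress", ""))
    if _is_loopback(bind):
        return findings  # advice item 2 satisfied; remote callers cannot reach it
    findings.append(
        f"BindAddress {bind!r} is reachable from other hosts; "
        "set it to 127.0.0.1 unless remote RPC is really needed"
    )
    # Only when RPC is exposed remotely do the item-3 checks apply.
    if rpc.get("Port") == DEFAULT_RPC_PORT:
        findings.append(
            f"RPC listens on the default port {DEFAULT_RPC_PORT}; change it"
        )
    if not rpc.get("SslCert"):
        findings.append(
            "JSON-RPC is served over plain HTTP; enable the HTTPS port "
            "with a certificate"
        )
    return findings


def audit_rpc_config_text(text: str) -> list:
    """Convenience wrapper for a raw config.json string."""
    return audit_rpc_config(json.loads(text))


# Constructed sample configurations for demonstration, not real node configs.
SAFE_CONFIG = json.dumps({
    "ApplicationConfiguration": {
        "RPC": {"BindAddress": "127.0.0.1", "Port": 10332, "SslCert": ""}
    }
})
EXPOSED_CONFIG = json.dumps({
    "ApplicationConfiguration": {
        "RPC": {"BindAddress": "0.0.0.0", "Port": 10332, "SslCert": ""}
    }
})
HARDENED_REMOTE_CONFIG = json.dumps({
    "ApplicationConfiguration": {
        "RPC": {"BindAddress": "0.0.0.0", "Port": 20443,
                "SslCert": "rpc.pfx"}
    }
})

if __name__ == "__main__":
    for name, cfg in [("safe", SAFE_CONFIG), ("exposed", EXPOSED_CONFIG),
                      ("hardened-remote", HARDENED_REMOTE_CONFIG)]:
        print(name, audit_rpc_config_text(cfg) or ["ok"])
```

Run it against a real config.json by passing the file contents to `audit_rpc_config_text`; an empty result for a wallet-bearing node is what you want, and any finding about a non-loopback `BindAddress` is the condition the article's advisory is about.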
NEO co-founder Erik Zhang didn't deny that there was a potential avenue for remote token theft, but suggested that the circumstances needed to steal the tokens made it unlikely that regular users would be affected.
Zhang stated that RPC can only be called by NEO-CLI, which casual users generally won't access, and it wouldn't activate RPC by default. Rather, one would have to deliberately set it up to do so by adding an additional command line. The BindAddress, meanwhile, is set to 127.0.0.1 by default, and would have to be changed manually to open the vulnerability.
"All in all, normal users of the NEO blockchain will not suffer the possibilities of a token theft operated from afar," Zhang stated.
The two statements seem to conflict, with Tencent saying the vulnerability would be open if a user starts a node with the default configurations. However, Zhang says the default settings won't leave one vulnerable.
Still, even if the settings do have to be changed, it would mean there is a feasible avenue for remote token theft.
The news doesn't seem to have had too much of an impact on NEO prices. It's dropped, but its prices are still just tracking bitcoin as usual.
One of the following charts shows NEO prices over the last 24 hours, and the other shows bitcoin. It probably doesn't really matter which is which, but it could make for a neat guessing game.