Report: Misconfigured Ethereum Clients Have Resulted in Hack of Around $20 Mln

… and it is a well-known vulnerability – and one without a fix.
(Ever heard of a “mis-configured” Bitcoin / PoW client?
— or the existence of RPC calls able to attack Proof-of-Work?)


About $20 mln worth of Ethereum has reportedly been stolen by a group of hackers exploiting misconfigured Ethereum clients, according to a Bleeping Computer article published June 11.

The hackers were able to access applications built on Ethereum software whose interface had been configured to expose a Remote Procedure Call (RPC). The RPC interface allows third parties to query, interact with, and retrieve data from the Ethereum-based service, meaning those with access could get private keys, see the owner’s personal information, and even move funds.

Most apps disable this interface by default, and even when it is turned on, it is usually configured to only allow access to apps that are run locally. However, developers do not always keep this configuration and sometimes reconfigure their Ethereum clients without knowing the danger.
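As an added example (not from the article or the Ethereum project), the following Python check classifies a client's launch command as RPC disabled, local-only, or exposed beyond the local machine. It assumes the geth client's flag spellings (`--rpc`/`--rpcaddr`/`--rpcport` and the newer `--http`/`--http.addr`/`--http.port`) and geth's defaults of `localhost` and port 8545; the sample command lines are constructed.

```python
import ipaddress
import shlex

# geth flag spellings (legacy first, then current); defaults assumed from geth.
ENABLE_FLAGS = ("--rpc", "--http")
ADDR_FLAGS = ("--rpcaddr", "--http.addr")
PORT_FLAGS = ("--rpcport", "--http.port")


def parse_flags(cmdline):
    """Return {flag: value} for both '--flag value' and '--flag=value'."""
    flags = {}
    tokens = shlex.split(cmdline)
    for i, tok in enumerate(tokens):
        if not tok.startswith("--"):
            continue
        if "=" in tok:
            name, value = tok.split("=", 1)
        else:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            name, value = tok, ("" if nxt.startswith("--") else nxt)
        flags[name] = value
    return flags


def is_loopback(addr):
    """True only for localhost or a loopback IP; anything else is exposed."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unresolved hostname: do not assume it is local


def audit(cmdline):
    """Return (status, address, port) for one client command line."""
    flags = parse_flags(cmdline)
    enabled = any(f in flags and flags[f] != "false" for f in ENABLE_FLAGS)
    addr = next((flags[f] for f in ADDR_FLAGS if f in flags), "localhost")
    port = next((flags[f] for f in PORT_FLAGS if f in flags), "8545")
    if not enabled:
        return ("disabled", addr, port)
    return ("local-only" if is_loopback(addr) else "exposed", addr, port)


if __name__ == "__main__":
    # Constructed sample command lines, not taken from the article.
    for sample in ("geth --rpc", "geth --rpc --rpcaddr 0.0.0.0"):
        print(audit(sample), sample)
```

Run it over the service definitions or process list of hosts you operate; any `exposed` result means the RPC interface is reachable from other machines unless a firewall blocks the port.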

The Ethereum project has long known about the potential for exploiting this vulnerability and sent out an official security advisory as a warning to its users back in August 2015, indicating that the likelihood of an attack was low, but its potential severity was high.

According to Bleeping Computer, the Chinese cyber-security firm Qihoo 360 Netlab identified in March that at least one “threat actor” was making mass-scans for exposed Ethereum software with RPC interfaces specifically on port 8545. At the time, 360 Netlab said in a tweet that, “[so] far it has only got 3.96234 Ether [~$2000-$3000] on its account, but hey it is free money!”

On June 11, after reviewing the research again, the team from Netlab said that the scans for port 8545 never stopped, but actually increased as more “threat actors” joined in. The current figure of siphoned Ether is 38,642.7 ($18.1 mln).

At the time of posting, neither the Ethereum team nor co-founder Vitalik Buterin had responded to a request for comment.