A vulnerability affecting earlier versions of Bitcoin Core—the open-source software that powers Bitcoin—was disclosed by Core contributor and developer Andrew Chow on Monday. The issue, which has been fixed, is known to other Bitcoin developers and commonly affects web browsers, but it did not cause any disruption.
In a tweet, Chow said that the vulnerability was present in Bitcoin Core 0.18 and earlier, but has been fixed since the 0.19 version. For reference, Bitcoin currently runs on the 0.21.0 version.
Disclosure of a likely unexploitable URI argument injection vulnerability present in Bitcoin Core 0.18 and earlier. This has been fixed since 0.19. https://t.co/gGhXASrOtM
— Andrew Chow (@achow101) February 1, 2021
But despite the warning, Chow said the attack was not likely to cause damage. “With the mitigations present in modern browsers and Linux desktop environments, I do not believe that this vulnerability can actually be exploited,” he said.
Chow added, “However if it could be exploited, it could lead to an RCE (i.e. malicious code being executed on the victim's computer).”
The attack revolved around three technical aspects: a URI (short for Uniform Resource Identifier), an identifier used by computers to identify real-world and digital objects; Qt5, a free program that creates graphical interfaces; and, lastly, the way these two are handled on a computer.
Chow said that, since URI injections—the specific term for the nature of the vulnerability—are a known issue, software developers (Bitcoin developers in this case) know how to steer clear of them.
This means, in simple terms, that developers can usually, and easily, reject any flagged information sent by URIs and so prevent attacks. However, the problem lay with Qt5, the graphics software, which did not recognize faulty URIs and could have allowed unwanted arguments (digital variables that contain data) to pass through.
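The general shape of a URI argument injection, as an added illustration that is not code from the article, Bitcoin Core or Qt5: a handler command built by pasting the URI into a command string lets whitespace in the URI become extra arguments, while validating the URI and passing it as a single argument does not. The program name `wallet-gui`, the option name and both sample URIs are constructed for this example.

```python
import shlex

# Constructed handler registration in the style of a desktop-entry Exec line;
# "wallet-gui" is a hypothetical program name, not taken from the article.
EXEC_TEMPLATE = "wallet-gui %u"


def launch_argv_naive(uri: str) -> list[str]:
    """Weak form: paste the URI into the command string, then word-split it."""
    return shlex.split(EXEC_TEMPLATE.replace("%u", uri))


def is_single_payment_uri(uri: str) -> bool:
    """Accept only a bitcoin: URI with no whitespace or control characters."""
    if not uri.lower().startswith("bitcoin:"):
        return False
    return not any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in uri)


def launch_argv_checked(uri: str) -> list[str]:
    """Hardened form: validate first, then pass the URI as one argv element."""
    if not is_single_payment_uri(uri):
        raise ValueError("refusing to launch handler: malformed URI")
    program = shlex.split(EXEC_TEMPLATE)[0]
    return [program, uri]


def injected_options(argv: list[str]) -> list[str]:
    """Arguments after the program name that the program would parse as options."""
    return [arg for arg in argv[1:] if arg.startswith("-")]


# Constructed sample inputs (placeholder address, made-up option name).
BENIGN = "bitcoin:ADDRESS_PLACEHOLDER?amount=0.1"
CRAFTED = "bitcoin:ADDRESS_PLACEHOLDER?amount=0.1 -hypothetical-option=value"

if __name__ == "__main__":
    print(launch_argv_naive(BENIGN))                     # one URI argument
    print(injected_options(launch_argv_naive(CRAFTED)))  # the option that leaked in
    try:
        launch_argv_checked(CRAFTED)
    except ValueError as err:
        print(err)
```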
In theory, such a vulnerability causes illicit code to send out false data/instructions to a computer and install a malicious plugin. This can then cause the user’s system to malfunction and/or lead to other forms of cybercrime, such as data theft.
But, fortunately, most web browsers already have in-built systems to avoid such attacks and to flag unwanted arguments before they go through. This means that while the vulnerability was present, it was hard to exploit, with Chow stating that it could even be impossible to actually cause harm.
Meanwhile, the vulnerability was one of the first such instances on Bitcoin Core. And it’s worth repeating: Bitcoin itself remains unharmed—the vulnerability was present in past versions of the software and could theoretically affect user devices, not the protocol itself.