In brief
- A Bitcoin Core developer has disclosed a bug found in earlier versions of Bitcoin.
- It is unlikely to cause any harm due to the way that modern devices work.
- There's no reason to panic.
A vulnerability affecting earlier versions of Bitcoin Core—the open-source software that powers Bitcoin—was disclosed by Core contributor and developer Andrew Chow on Monday. The issue, which has been fixed, is known to other Bitcoin developers and commonly affects web browsers, but it did not cause any disruption.
In a tweet, Chow said that the vulnerability was present in Bitcoin Core 0.18 and earlier, but has been fixed since the 0.19 version. For reference, Bitcoin currently runs on the 0.21.0 version.
Disclosure of a likely unexploitable URI argument injection vulnerability present in Bitcoin Core 0.18 and earlier. This has been fixed since 0.19. https://t.co/gGhXASrOtM
— Andrew Chow (@achow101) February 1, 2021
But despite the warning, Chow said the attack was not likely to cause damage. “With the mitigations present in modern browsers and Linux desktop environments, I do not believe that this vulnerability can actually be exploited,” he said.
Chow added, “However if it could be exploited, it could lead to an RCE (i.e. malicious code being executed on the victim's computer).”
Attack breakdown
The attack revolved around three technical aspects: a URI, short for Uniform Resource Identifier, an identifier used by computers to identify real-world and digital objects; Qt5, a free program that creates graphical interfaces; and lastly, the way these two are handled on a computer.

Chow said that, since URI injections—the specific term for the nature of the vulnerability—are a known issue, software developers (Bitcoin developers in this case) know how to steer clear of them.
This means, in simple terms, that developers can usually, and easily, filter out any flagged information sent by URIs and so prevent attacks. However, the problem lay with Qt5, the graphics software, which did not recognize faulty URIs and could have allowed unwanted arguments (digital variables that contain data) to pass through.

In theory, such a vulnerability lets illicit code send false data or instructions to a computer and install a malicious plugin. This can then cause the user’s system to malfunction or enable other forms of cybercrime, such as data theft.
But, fortunately, most web browsers already have built-in systems to avoid such attacks and to flag and stop any unwanted arguments from going through. This means that while the vulnerability was present, it was hard to exploit, with Chow stating that it could even be impossible to actually cause harm.
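The mechanism described above, as an added example that is not from the article, Chow's disclosure or Bitcoin Core: a launcher that splits a URI on whitespace lets text after a space become separate command-line arguments, while one that validates the URI and passes it as a single argument does not. The program name `wallet-gui`, the option `-example-plugin-path` and both sample URIs are constructed placeholders.

```python
from urllib.parse import urlsplit

SCHEME = "bitcoin"  # the payment-URI scheme the handler is registered for

def naive_argv(program, uri):
    """Weak launcher: pastes the URI into a command line and splits on whitespace."""
    return f"{program} {uri}".split()

def validate_uri(uri):
    """Reject anything that could be read as more than one argument or as an option."""
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in uri):
        raise ValueError("whitespace or control character in URI")
    if uri.startswith("-"):
        raise ValueError("URI looks like a command-line option")
    if urlsplit(uri).scheme != SCHEME:
        raise ValueError("unexpected URI scheme")
    return uri

def safe_argv(program, uri):
    """Hardened launcher: the validated URI is exactly one argv element."""
    return [program, validate_uri(uri)]

def injected_options(argv):
    """Option-like arguments that arrived alongside a payment URI (detection check)."""
    has_uri = any(a.startswith(SCHEME + ":") for a in argv[1:])
    return [a for a in argv[1:] if has_uri and a.startswith("-")]

# Constructed sample input; the option name is a hypothetical placeholder.
CRAFTED = "bitcoin:1ExampleAddr?amount=0.1 -example-plugin-path /tmp/constructed"
ENCODED = "bitcoin:1ExampleAddr?label=a%20-example-plugin-path"

if __name__ == "__main__":
    print("naive :", naive_argv("wallet-gui", CRAFTED))
    print("found :", injected_options(naive_argv("wallet-gui", CRAFTED)))
    try:
        safe_argv("wallet-gui", CRAFTED)
    except ValueError as err:
        print("safe  : rejected,", err)
    print("safe  :", safe_argv("wallet-gui", ENCODED))
```

The percent-encoded URI shows why encoding by the browser is an effective mitigation: the space never reaches the launcher as a separator, so the whole string stays one argument.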
Meanwhile, the vulnerability was one of the first such instances on Bitcoin Core. And it’s worth repeating: Bitcoin itself remains unharmed—the vulnerability was present in past versions of the software and could theoretically affect user devices, not the protocol itself.