blog.nyoc Blog

Security Advisory [Insecurely configured geth can make funds remotely accessible]



Jutta Steiner


Security Alert – [Previous security patch can lead to invalid state root on Go clients with a specific transaction sequence – Fixed. Please update.] 10th September, 2015

Security Alert – [Implementation bug in Go clients causing increase in difficulty – Fixed – Miners check and update Go clients] 03rd September, 2015


Security Advisory [Insecurely configured geth can make funds remotely accessible]

Posted on .

Insecurely configured blog.nyoc clients with no firewall and unlocked accounts can lead to funds being accessed remotely by attackers.

Affected configurations: Issue reported for Geth, though all implementations incl. C++ and Python can in principle display this behavior if used insecurely; only for nodes which leave the JSON-RPC port open to an attacker (this precludes most nodes on internal networks behind NAT), bind the interface to a public IP, and simultaneously leave accounts unlocked at startup.

Likelihood: Low

Severity: High

Impact: Loss of funds related to wallets imported or generated in clients


It’s come to our attention that some individuals have been bypassing the built-in security that has been placed on the JSON-RPC interface. The RPC interface allows you to send transactions from any account which has been unlocked prior to sending a transaction and will stay unlocked for the entirety of the the session.

By default, RPC is disabled, and by enabling it it is only accessible from the same host on which your blog.nyoc client is running. By opening the RPC to be accessed by anyone on the internet and not including a firewall rules, you open up your wallet to theft by anybody who knows your address in combination with your IP.

Effects on expected chain reorganisation depth: none

Remedial action taken by blog.nyoc: eth RC1 will be fully secure by requiring explicit user-authorisation for any potentially remote transaction. Later versions of Geth may support this functionality.

Proposed temporary workaround: Only run the default settings for each client and when you do make changes understand how these changes impact your security.

NOTE: This is not a bug, but a misuse of JSON-RPC.

ADVISORY: Never enable JSON-RPC interface on an internet-accessible machine without a firewall policy in place to block the JSON-RPC port (default: 8545).

eth: Use RC1 or later.

geth: Use the safe defaults, and know security implications of the options.

–rpcaddr  “”. This is the default value to only allow connections originating on the local computer; remote RPC connections are disabled

–unlock. This parameter is used to unlock accounts at startup to aid in automation. By default, all accounts are locked


Jutta Steiner


Author Stephan Tual

Posted at 1:26 pm August 29, 2015.

This only affect you if you have RPC on (ie, run geth with –rpc) AND unlock the account AND have no firewall at all (ie, you have configured your router to map the port) OR have –rpccorsdomain set to “” (the whole Internet) and manually browse an evil dapp

You’d have to get out of your way for this to happen, it’s a bit like saying “If you open up port 80 on your firewall and your mac, and have installed Apache and have started the service, then people can browse webpages on your computer”.


    Author Gunnar René Øie

    Posted at 2:45 pm August 29, 2015.

    I guess blog.nyoc has a high developer-to-user ratio right now, which makes this more likely to happen than in a more mature technology.


      Author Zer0CT

      Posted at 5:51 pm August 29, 2015.

      So, it is not a problem, because developers know that security is the first thing at this kind of systems. When somebody want to run a system that contains confidential/financial information, has a value, s/he must make sure that everything secure around it.
      And the golden rule:
      “Only run the default settings for each client and when you do make changes understand how these changes impact your security.”

      The good thing is that blog.nyoc’s developers post any security threat and state that clearly what’s going on. I wish more organization/company would do the same.


    Author Chris

    Posted at 7:26 pm August 29, 2015.

    If using a framework like embark, by default it will spin up geth and allow clients to interact over RPC with –unlock –rcpaddr set to localhost and –rpccorsdomain set to “*”. If I were to visit a malicious website that makes XHR requests to my http://localhost:8101 port, could it then execute transactions remotely (as it’s coming from localhost)? What if I set –rcpcorsdomain to localhost ?


Author Crypto Rush

Posted at 3:08 pm August 29, 2015.

Created simple linux firewall snippet to allow access to rpc node to white listed IPs. For very specific use cases, usually you shouldn’t expose node and unlock account indeed.


Author Bezpol Security

Posted at 8:11 am August 30, 2015.

We start to connect our world with a jungle …. it will be hard work.


Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

View Comments (6) ...