A security flaw in Monero puts users’ funds at risk

Yesterday, volunteer security researchers detected a significant security flaw in the Monero wallet distribution that could have led users to download a malicious version of the software, thereby putting their funds at risk.

On 19th November 2019, XMR Core Team member /u/binaryFate published a Monero security warning on the subreddit, stating that the CLI binaries may have been compromised over the previous twenty-four hours. According to the post, some Monero wallet users noticed that the hashes of the binaries they had downloaded did not match the hashes published by the project. Although the issue has been brought out in the open, it is yet to be resolved.

A major security flaw in Monero

Thus, the team has urged anyone who downloaded the binaries in the last twenty-four hours without verifying the authenticity of the files to immediately check whether the hashes match. If they do not match, users are asked not to run the downloaded file. Those who have already run the file are advised to transfer all funds out of the wallet to prevent them from being stolen.

Meanwhile, the moderators have requested users' cooperation until the security team is able to get to the bottom of the issue and resolve it. Anyone who wishes to use a known-good version of the Monero wallet can compare their download against the correct hashes, a link to which has been shared by the Monero team.
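The check the team is asking users to perform, as an added example that is not part of the article and not the Monero project's own tooling: compute the SHA-256 of the downloaded file and refuse to proceed unless it equals the digest published by the project. The filename and expected hash in the usage line are placeholders; the real value must be taken from the project's published hashes, not from this script.

```shell
#!/bin/sh
# Added example (not from the article or the Monero project): verify a downloaded
# binary's SHA-256 digest against the project's published value before running it.

# Compute the SHA-256 of a file portably (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the expected hash (compared
# case-insensitively). On mismatch, print both values and return 1 so a
# caller can refuse to unpack or execute the file.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (placeholders): only unpack the archive if the digest matches.
# verify_sha256 ./downloaded-binary.tar.bz2 "<hash published by the project>" \
#     && tar xjf ./downloaded-binary.tar.bz2
```

The comparison is only as good as the source of the expected hash: if the hash list is fetched from the same server that served the binary, an attacker who replaced the binary can replace the list too. The hashes should come from a separately signed file whose signature is checked against the maintainer's key obtained out of band, which is what "verifying the authenticity of the files" in the warning refers to.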

Hackers could gain unauthorized control

Justin Ehrenhofer, organizer of the Monero Malware Response Workgroup, explains that although hackers have frequently targeted the Monero website, this was the first time it was actually compromised. He added that researchers found code in the tampered binaries that sends the wallet's mnemonic seed, which encodes its private keys, to the attackers' server, putting the funds held in the victims' wallets at risk.

Further investigation of remote-access activity suggests that the attackers may also have been able to perform other unauthorized actions on users' behalf, Ehrenhofer added.

A disaster that could have been avoided

Meanwhile, a pseudonymous cybersecurity researcher who runs a security website commented that had Monero disclosed the breach well in advance, many users would have been spared the trouble of verifying their downloaded files. Instead, according to him, Monero posted the warnings as late as fourteen hours after the breach, and only on platforms such as Twitter and Reddit, thus exposing many of its users to risk.

Had Monero's official website warned users of the risk immediately after the flaw was noticed, a great deal of damage could have been averted, the cybersecurity expert claims.

Featured Image by Pixabay