    Critical Alert: Vulnerabilities in Geth Configuration Could Allow Remote Fund Access

By wsjcrypto, 13 March 2025. No comments. 2 min read.

An Ethereum client that exposes its JSON-RPC interface without a firewall while accounts are unlocked allows a remote attacker to spend the funds in those accounts.

Vulnerable configurations: Reported for Geth, but any implementation (including the C++ and Python clients) can behave the same way if run insecurely. Affected nodes are those that (a) leave the JSON-RPC port reachable by an attacker (which excludes most nodes on internal networks behind NAT), (b) bind the RPC interface to a public IP, and (c) at the same time have accounts unlocked at startup.

    Probability: Low

    Severity: High

Consequences: Loss of funds held by accounts imported into or generated by the client.

    Information:

We have become aware that some users are bypassing the security measures built around the JSON-RPC interface. The RPC interface accepts transactions from any account that has been unlocked beforehand, and an unlocked account stays unlocked for the rest of the session.

By default RPC is disabled, and when enabled it accepts connections only from the host running the Ethereum client. If you expose RPC to the public internet without firewall rules, anyone who knows your account address and your IP can drain your wallet.


    Impact on anticipated chain reorganisation depth: none

Fixes: eth RC1 closes this gap by requiring explicit user authorization for any transaction that could be issued remotely. Future versions of Geth may add the same capability.

Suggested workaround: Keep each client's default settings, and when you change them, understand how each change affects your security.


    NOTICE: This is not a flaw, but rather a misuse of JSON-RPC.


    WARNING: Never activate the JSON-RPC interface on a machine accessible via the internet without a firewall policy configured to restrict access to the JSON-RPC port (default: 8545).


eth: Use RC1 or newer.


geth: Keep the secure defaults and understand the security implications of the following settings.

--rpcaddr "127.0.0.1". This is the default. It accepts connections only from the local machine; remote RPC access is not possible.

--unlock. Unlocks the listed accounts at startup, for automation. By default all accounts stay locked.
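As an added worked example (not part of the advisory or of geth itself), the following Python audits a geth command line for the combination the advisory warns about: RPC enabled, bound to a non-loopback address, and accounts unlocked at startup. The flag names are those of the geth generation the advisory addresses (--rpc, --rpcaddr, --rpcport, --unlock); newer geth releases renamed the HTTP flags, so the list of flags is an assumption to adapt for a current binary. The sample command lines and the hex address in them are constructed.

```python
"""Audit a geth command line for the insecure JSON-RPC posture described
in the advisory.  Added example, not the advisory's or geth's own tooling.
Flag names follow the geth generation the advisory addresses (assumption:
--rpc, --rpcaddr, --rpcport, --unlock); adjust them for newer binaries."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple

DEFAULT_RPC_ADDR = "127.0.0.1"   # geth default: local connections only
DEFAULT_RPC_PORT = 8545          # default JSON-RPC port named in the advisory


@dataclass
class RpcPosture:
    rpc_enabled: bool = False
    rpc_addr: str = DEFAULT_RPC_ADDR
    rpc_port: int = DEFAULT_RPC_PORT
    unlocked: List[str] = field(default_factory=list)


def parse_geth_cmdline(cmdline: str) -> RpcPosture:
    """Extract the RPC-relevant flags from a geth invocation string.
    Accepts both '--flag value' and '--flag=value' forms."""
    args = shlex.split(cmdline)
    posture = RpcPosture()
    i = 1  # args[0] is the binary name
    while i < len(args):
        name, has_eq, value = args[i].partition("=")
        if name == "--rpc":
            posture.rpc_enabled = True
        elif name in ("--rpcaddr", "--rpcport", "--unlock"):
            if not has_eq:            # value is the next argument
                i += 1
                value = args[i] if i < len(args) else ""
            if name == "--rpcaddr":
                posture.rpc_addr = value
            elif name == "--rpcport":
                posture.rpc_port = int(value)
            else:                     # --unlock takes a comma-separated list
                posture.unlocked.extend(a for a in value.split(",") if a)
        i += 1
    return posture


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8, ::1 or the literal 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def audit(posture: RpcPosture) -> List[Tuple[str, str]]:
    """Return (level, message) findings.  The dangerous case is the
    combination the advisory describes: remotely reachable RPC plus
    accounts already unlocked, which lets anyone who can reach the
    port issue transactions from those accounts."""
    if not posture.rpc_enabled:
        return []                     # default: nothing is listening
    findings = []
    remote = not is_loopback(posture.rpc_addr)
    if remote:
        findings.append(("WARN", f"JSON-RPC bound to {posture.rpc_addr}:"
                         f"{posture.rpc_port}; reachable from other hosts "
                         "unless a firewall blocks the port"))
    if posture.unlocked:
        findings.append(("WARN", f"{len(posture.unlocked)} account(s) "
                         "unlocked at startup for the whole session"))
    if remote and posture.unlocked:
        findings.append(("CRITICAL", "remote JSON-RPC with unlocked accounts: "
                         "funds in those accounts can be moved by any "
                         "remote caller"))
    return findings


def worst_level(findings: List[Tuple[str, str]]) -> str:
    """Collapse findings to OK / WARN / CRITICAL for a quick verdict."""
    order = {"CRITICAL": 2, "WARN": 1}
    return max((lvl for lvl, _ in findings), key=order.get, default="OK")


if __name__ == "__main__":
    # Constructed command lines: default, local RPC with unlock, and the
    # insecure combination from the advisory (address is made up).
    for cmd in ("geth",
                'geth --rpc --rpcaddr "127.0.0.1" --unlock 0',
                "geth --rpc --rpcaddr 0.0.0.0 "
                "--unlock 0x1111111111111111111111111111111111111111"):
        findings = audit(parse_geth_cmdline(cmd))
        print(f"{worst_level(findings):8} {cmd}")
        for level, msg in findings:
            print(f"    [{level}] {msg}")
```

The verdict is OK for the default invocation, WARN when accounts are unlocked but RPC stays on loopback (a local process could still misuse them), and CRITICAL only for the remote-plus-unlocked combination. Binding to 0.0.0.0 or a public address without `--unlock` is still flagged, because the port is exposed and an account unlocked later via the console would silently turn it into the critical case.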
