Hello, welcome to the Wednesday, November 22nd, 2017 edition of the Sandtonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Earlier this week, Didi talked about how he's seeing in his web server a number of requests that look like someone is looking for various

cryptocurrency wallets. Well, I took a little bit closer look at that and it turns out that

it's not just wallets they're looking for. With Ethereum, you do have the option to have a JSON RPC engine listening for

commands if you are running an Ethereum note and this typically listens on port 8,545. To make things

easier, the protocol being used here is not authenticated.

It's simple HTTP requests.

So certainly we did have marked increase in scans for port 8,545 over the last few months.

I set up a quick honeypot and identified two different queries here

that are being used to fingerprint at least these Ethereum nodes. Haven't set up an actual

Ethereum node yet, but may do so shortly to see what happens kind of next after the initial scan. Now, typically you're not supposed to expose

this JSON RPC interface, but there's also an other risk here because it is just normal HTTP requests.

Someone could certainly use cross-site request forging in order to hit these interfaces.

Now you may have heard of same origin policy that protects somewhat against this type of attack,

but as far as I can tell, the requests being used here are simple requests.

So unless the user agent is being verified,

which I highly doubt, these requests can pretty easily be sent cross-origin. So this would make

things a lot more dangerous. For example, if you have one of those Ethereum nodes running

on your desktop, you're visiting

a malicious website.

This malicious website could now connect to this Ethereum node and issue commands.

Now, it would not be able to get the responses back, so that may make an attack is a little

...