5 December 2018
On 1 December, Tencent Security announced on the Chinese social media platform Weibo that it had discovered a bug in the NEO blockchain. According to the announcement, operators of NEO nodes are at risk of crypto theft if they use the default configuration. Tencent's message states:
"Monitoring of the well-known blockchain project NEO [...] brought the risk of remote theft to light. When a user launches a NEO node with the default configuration and opens the wallet, the digital currency can be stolen remotely."
Tencent recommends three things to node operators:
1. Update the NEO client to the latest version.
2. Refrain from using the RPC function, and change the BindAddress in the configuration file to 127.0.0.1.
3. If RPC cannot be avoided, change the RPC port, enable the HTTPS-based JSON-RPC interface, and adjust the firewall policies accordingly.
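A check of a node configuration against recommendations 2 and 3, as an added example that is not from Tencent, NEO, or the original article. The `ApplicationConfiguration.RPC` key layout (`BindAddress`, `Port`, `SslCert`), the default port 10332 and the sample configurations are assumptions made for illustration.

```python
import ipaddress
import json

ASSUMED_DEFAULT_RPC_PORT = 10332  # assumption: default mainnet RPC port

# Constructed sample configurations (not taken from a real node).
EXPOSED = '{"ApplicationConfiguration": {"RPC": {"BindAddress": "0.0.0.0", "Port": 10332, "SslCert": ""}}}'
LOCAL = '{"ApplicationConfiguration": {"RPC": {"BindAddress": "127.0.0.1", "Port": 10332, "SslCert": ""}}}'
REMOTE_TLS = '{"ApplicationConfiguration": {"RPC": {"BindAddress": "10.0.0.5", "Port": 20443, "SslCert": "node.pfx"}}}'


def audit_rpc_config(config_text):
    """Return a list of findings for the RPC section of a node config."""
    rpc = json.loads(config_text).get("ApplicationConfiguration", {}).get("RPC")
    if rpc is None:
        return []  # no RPC section in this file: nothing to check
    bind = rpc.get("BindAddress")
    try:
        loopback = bind is not None and ipaddress.ip_address(bind).is_loopback
    except ValueError:
        loopback = False  # hostnames or malformed values count as not loopback
    if loopback:
        return []  # recommendation 2 is met: RPC listens on localhost only
    # RPC is reachable from other hosts, so recommendation 3 applies.
    findings = [f"BindAddress is {bind!r}, not loopback: restrict it by firewall"]
    if rpc.get("Port") == ASSUMED_DEFAULT_RPC_PORT:
        findings.append("RPC port is still the default")
    if not rpc.get("SslCert"):
        findings.append("no SslCert set: JSON-RPC is not served over HTTPS")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("local", LOCAL), ("remote+tls", REMOTE_TLS)):
        print(name, audit_rpc_config(cfg) or "ok")
```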
So far, so FUD. What did not spread as quickly as Tencent's warning was the answer from NEO co-founder Erik Zhang, which followed only a few hours later.
Erik Zhang: "Normal" users not affected
Zhang tried to calm ordinary NEO hodlers. "Normal users" need not worry, he said, because the RPC function is disabled by default. RPC access is possible only through the NEO-CLI client. Since that is a command-line utility, non-technical users run little risk of opening the door to hackers through careless configuration changes. Zhang concludes:
"In conclusion, there is no risk of remote theft for the conventional NEO user."
Since Zhang denies the risk only for ordinary users, one can assume that operators of NEO nodes are, or were, indeed in danger of being robbed. Zhang is presumably also alluding to the bounty program that NEO launched this year under the name "NEO Vulnerability Bounty Program". Anyone who finds a relevant and, above all, previously unknown bug in NEO may claim a reward from NEO.
The guidelines of the bounty program state:
"If vulnerabilities are published, before NEO has repaired or published, the reward."
Tencent will therefore not be able to claim a reward for discovering the NEO bug.