The Chinese technology corporation Tencent has informed the developers of the NEO blockchain protocol and the node operators on its network about a vulnerability that could, in theory, allow an attacker to steal tokens remotely, or, as the researchers themselves put it, to engage in "remote piracy". This was reported by Blockmanity, citing a post published by a Tencent division on the social network Weibo.
According to a statement by Tencent Security Lab, a user who launches a node on the network with the standard configuration is at risk. The company recommends that all NEO node operators and GAS holders pay attention to the security of their wallets and update their clients in a timely manner.
Tencent proposes the following actions to protect against this vulnerability:
- Upgrade to the latest version of the NEO-CLI client;
- Avoid using remote procedure calls (RPC) at all, and manually set "BindAddress" to "127.0.0.1";
- If RPC must be enabled, change the RPC port number or use the HTTPS port of JSON-RPC, or put a firewall in front of it.
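The three recommendations above boil down to a configuration audit a node operator can run before starting the client. The following is an added example, not code from the article, from Tencent, or from the NEO project: it parses a NEO-CLI style config.json and reports whether the RPC listener is bound beyond loopback, whether it is served without a TLS certificate, and whether it still sits on a default port. The "ApplicationConfiguration" / "RPC" / "BindAddress" / "SslCert" / "Port" layout and the default port numbers are assumptions about the client's config format, so confirm them against the version you run; the two sample configurations are constructed for the demonstration.

```python
import ipaddress
import json

# Assumed well-known NEO-CLI JSON-RPC ports (mainnet/testnet, HTTP and HTTPS).
# These are not from the article; verify them for your client version.
DEFAULT_RPC_PORTS = {10331, 10332, 20331, 20332}

# Constructed sample configs in the shape of NEO-CLI's config.json.
# The ApplicationConfiguration -> RPC layout is assumed, not taken from the article.
SAFE_CONFIG = json.dumps({
    "ApplicationConfiguration": {
        "RPC": {"BindAddress": "127.0.0.1", "Port": 10332,
                "SslCert": "", "SslCertPassword": ""}
    }
})

EXPOSED_CONFIG = json.dumps({
    "ApplicationConfiguration": {
        "RPC": {"BindAddress": "0.0.0.0", "Port": 10332,
                "SslCert": "", "SslCertPassword": ""}
    }
})


def audit_rpc_config(config_text):
    """Return a list of finding codes for the RPC section of a NEO-CLI style config.

    Codes:
      BAD_BIND           - BindAddress is not a parseable IP address
      BIND_NOT_LOOPBACK  - listener reachable from the network (0.0.0.0, ::, or a
                           real interface address) instead of 127.0.0.1 / ::1
      NO_TLS             - exposed listener has no SslCert, so JSON-RPC is plain HTTP
      DEFAULT_PORT       - exposed listener still uses an assumed default port
    An empty list means the config follows the loopback-only advice.
    """
    cfg = json.loads(config_text)
    rpc = cfg.get("ApplicationConfiguration", {}).get("RPC")
    if rpc is None:
        return []  # no RPC section at all: nothing to expose

    bind = rpc.get("BindAddress", "127.0.0.1")
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        return ["BAD_BIND"]

    findings = []
    # 0.0.0.0 and :: bind every interface; any non-loopback address is
    # reachable from outside the host, which is the precondition for the
    # remote-theft scenario the advisory describes.
    if not addr.is_loopback:
        findings.append("BIND_NOT_LOOPBACK")
        # The remaining two checks only matter once the listener is exposed.
        if not rpc.get("SslCert"):
            findings.append("NO_TLS")
        if rpc.get("Port") in DEFAULT_RPC_PORTS:
            findings.append("DEFAULT_PORT")
    return findings


def audit_rpc_file(path):
    """Convenience wrapper: audit a config.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_rpc_config(fh.read())


if __name__ == "__main__":
    for name, text in (("safe", SAFE_CONFIG), ("exposed", EXPOSED_CONFIG)):
        result = audit_rpc_config(text)
        print(f"{name}: {'OK' if not result else ', '.join(result)}")
```

Running the block prints `safe: OK` and `exposed: BIND_NOT_LOOPBACK, NO_TLS, DEFAULT_PORT`. The checks are deliberately ordered by the advisory's own priority: a loopback-only bind makes the other two findings moot, so they are only raised once the listener is actually reachable from the network.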
NEO founder Erik Zhang has commented on the vulnerability in the project's protocol that allows attackers to steal users' tokens through the remote procedure call function.
Zhang argues that the vulnerability does not threaten "regular users", since exploiting it requires the RPC function to be enabled in the NEO-CLI client, "the use of which is excluded by such users."
Erik Zhang @neoerikzhang, founder and core developer of #NEO, denied the risk of remote token theft for normal users and explained the reasons from a technical point of view. See report below pic.twitter.com/yKfXYbD8bs
– NEO Smart Economy (@NEO_Blockchain) December 2, 2018
He also points out that RPC is not enabled by default, but only under certain conditions and via the command line. The same applies to the "BindAddress" option, whose default value is "127.0.0.1".
"If the user does not attempt to change the configuration manually, the likelihood of associated risks may be excluded," the publication says.
Accordingly, Zhang cannot guarantee anything for users who decide to change the configuration manually.
In mid-June, the Chinese antivirus software developer Qihoo 360 reported that incorrect configuration of certain applications and mining farms on the Ethereum network had resulted in their users losing over $20 million at the exchange rate of the time.
Late last week, NEO announced the opening of a Competence Center in St. Petersburg and the start of development of a distributed file storage system.