Keep your cryptocurrency safe: Third party Monero wallets vulnerable to theft

Monero, an open-source cryptocurrency that is secure, private and untraceable, is quickly gaining popularity, particularly with its rising adoption in dark web marketplaces.

Currently the fifth most valued cryptocurrency, Monero has a market capitalization close to $140 million. However, a major vulnerability that can compromise Monero wallets has recently been identified.

Cybersecurity company MWR Labs has issued an advisory in an online post that states:

“A Cross Site Request Forgery [CSRF] vulnerability was discovered in Monero Simplewallet that could give attackers the ability to remotely steal Monero from users running vulnerable wallets. Monero users must take action and update wallets to protect themselves against this attack”.

MWR explains CSRF as an attack that forces a user’s browser to execute unwanted actions against web applications or web services they are authenticated with. By directing a user to a malicious web page, an attacker could easily make a payment from the user's wallet to their own wallet.

“An attacker could exploit this vulnerability to steal Monero from vulnerable wallets. This would involve a minimal amount of social engineering for attackers to direct users to a webpage hosting the exploit”, it added.

The post lists several vulnerable wallets, including SimpleWallet, Lightwallet, and Minonodo, among others. It further explains that these wallets host an RPC web service on localhost, port 18082, which does not require authentication to initiate functions such as making payments and can therefore be compromised through CSRF.

According to the latest update, MWR said that this vulnerability is still exploitable, and advised users against using any third-party Monero wallet and against running Simplewallet in RPC mode.
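The request checks that keep a forged browser request away from an unauthenticated localhost RPC service like the one described above, as an added example that is not taken from MWR's advisory or from any Monero wallet's code. The Bearer token scheme, the function names and the sample headers are assumptions constructed for illustration.

```python
import hmac

# Assumption: the listener address matches the port named in the article.
ALLOWED_HOSTS = {"127.0.0.1:18082", "localhost:18082"}
# Content types a web page can POST cross-site without a CORS preflight are
# text/plain, form-urlencoded and multipart; requiring JSON excludes them all.
REQUIRED_TYPE = "application/json"

def check_rpc_request(headers, expected_token):
    """Return (allowed, reason) for one HTTP request to the local wallet RPC."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if not expected_token:
        return False, "no RPC token configured"
    # Host must name the loopback listener, not an arbitrary DNS name.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # Browsers attach Origin to cross-site POSTs; this policy treats any
    # Origin as a browser request and refuses it (a deliberately strict choice).
    if "origin" in h:
        return False, "request came from a browser context"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != REQUIRED_TYPE:
        return False, "content type is not application/json"
    # Shared secret compared in constant time (hypothetical Bearer scheme).
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
            token.strip().encode(), expected_token.encode()):
        return False, "missing or wrong credentials"
    return True, "ok"

# Constructed sample requests (headers only), not captured traffic.
TOKEN = "constructed-example-token"
LOCAL = {"Host": "127.0.0.1:18082", "Content-Type": "application/json"}
SAMPLES = {
    "local wallet client": {**LOCAL, "Authorization": "Bearer " + TOKEN},
    "cross-site page post": {"Host": "127.0.0.1:18082", "Content-Type": "text/plain",
                             "Origin": "https://untrusted.example"},
    "local caller without token": dict(LOCAL),
    "unexpected hostname": {**LOCAL, "Host": "wallet.untrusted.example:18082",
                            "Authorization": "Bearer " + TOKEN},
}

def evaluate_samples():
    return {name: check_rpc_request(h, TOKEN) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in evaluate_samples().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {name}: {reason}")
```

Each check alone narrows the exposure, but the credential check is the one that addresses the missing authentication the advisory describes.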
