$20M Worth of Ether Stolen After Hackers Exploit Poor App Configuration
A poorly designed Ethereum app led to the hacking of $20 million worth of Ether, Cointelegraph has reported. Attackers exploited the vulnerability present in a Remote Procedure Call (RPC), which allows third parties to access and interact with the data within.
The attackers exploited port 8545, where the RPC had been left enabled by developers for some reason. This allowed the hackers to compile and make off with sensitive miner and wallet information. It provided these illicit third parties with access to private keys and the chance to peek into the port owners' personal data and consequently transfer funds.
For this reason, the RPC interface is usually disabled. And even if it is open, it’s generally designed to give access to apps that are operating only locally.
It’s still unclear why the app developers enabled port 8545’s RPC – maybe they were configuring something – but it gave the hackers backdoor entry. In short, human error is likely the culprit in such a large loss yet again.
Incidentally, attention was already called to this vulnerability by Qihoo 360 Net Lab in March. During the time, an attacker got only 3.96234 worth of Ether, which was valued at about $2,000 to $3,000 then.
Netlab developers added that hackers are continuing to scan port 8545 hoping to find any other RPC interface that has been left open. With the success of this recent heist, other illicit actors will surely want to join the fray.
While this is grim news for the victims, the increase in hacking incidents will only make Ether and other cryptocurrencies resistant to this kind of attack in the future, according to some experts. Blockstar CEO Christian Ferri said that hacking incidents will always be painful for some in the short run, but will play a significant role in creating a more secure framework for the crypto industry in the future.
Indeed, vulnerabilities like this will definitely contribute to the guidelines that will govern how blockchain companies operate in order to make a habit of plugging these threats and risks. Ethereum developers and co-founder Vitalik Buterin have yet to comment on the attack.