Recently Discovered Bitcoin Vulnerability Is Even Worse Than Previously Thought

Siamak Masnavi

On Monday (17 September 2018), a vulnerability (known as CVE-2018-17144) in Bitcoin Core (Bitcoin's reference implementation), which had existed since version 0.14.0 of Bitcoin Core (released on 8 March 2017), was reported to developers working on Bitcoin Core as well as some projects supporting other cryptocurrencies that use this code (such as "Bitcoin ABC" and "Bitcoin Unlimited", the two leading full node implementations of the Bitcoin Cash protocol). This vulnerability was reported anonymously as a "Denial of Service" (DoS) bug. 

As covered by CryptoGlobe, Bitcoin Core developers came up with a fix for this bug the next day (18 September 2018), and released it as part of Bitcoin Core versions 0.16.3 and 0.17.0rc4. They urged anyone running vulnerable versions of Bitcoin Core (i.e. 0.14.0 up to and including 0.16.2) to upgrade to version 0.16.3 as soon as possible.

However, shortly after fixing the vulnerability, the Bitcoin Core developers discovered that the bug in the code causing the DoS problem was even more serious than previously thought because it also created a second problem: the same vulnerability could be exploited to inflate the Bitcoin supply (i.e. create new bitcoins, beyond the 21 million limit placed by Satoshi, which would have the effect of devaluing existing bitcoins). 

This meant that the code fix for the DoS bug would also take care of the supply inflation bug. But, probably in order not to cause panic, and to encourage quick upgrades, the developers decided to only disclose the DoS bug.

On September 20th, after a post in a public forum revealed the full impact of the vulnerability, the Bitcoin Core Developers decide to come clean and publish a full disclosure report for CVE-2018-17144.

Over half of the Bitcoin hashrate has upgraded to patched nodes (running version 0.16.3). The developers say that although they are "unaware of any attempts to exploit this vulnerability", it is still critical that "affected users upgrade and apply the latest patches to ensure no possibility of large reorganizations, mining of invalid blocks, or acceptance of invalid transactions occurs."

Featured Image Credit: Photo via "Crypto360" via Flickr.com; licensed via "CC BY 2.0"

Bitcoin Scam Artists are Using Fake QR Code Generators: Report

  • ZenGO published report showing crypto scammers are using QR code generators to steal crypto.
  • Scam websites are showing up at the top of Google searches. 

Researchers have issued a warning that scam artists are using Google search results and QR code generators as a potential avenue for fraud.

Fake QR Code Generators

According to the report by ZenGO, four of the first five Google search results for questions like “bitcoin QR generator,” led to scam websites. Rather than generating new wallet addresses for users, these QR codes lead back to the scammer’s bitcoin wallet ultimately causing theft of BTC. 

The report highlighted QR codes as a particularly malicious method for scammers to target crypto wallets, as users are unable to read or differentiate between addresses.

According to the report, 

These sites generate a QR code that encodes an address controlled by the scammers, instead of the one requested by the user, thus directing all payments for this QR code to the scammers.

The report continues, 

Scammers do not even bother with generating their fake QR themselves, instead they shamelessly call a blockchain explorer API to generate the QR for their address.

ZenGO estimates that the simple scam may have already cost users $20,000 in stolen BTC. The company recommends users avoid googling for QR code generators and instead use a trusted block explorer. They also recommend verifying the address of the QR code before sharing it with others. 

Featured Image Credit: Photo via Pixabay.com