Bitmessage developers have warned of a critical 'remotely executable' zero-day vulnerability in the PyBitmessage application that was being exploited in the wild.
Bitmessage is a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users. Since it is decentralized and trustless, one need not inherently trust any entities like root certificate authorities.
For those unaware, PyBitmessage is the official client for the Bitmessage messaging service.
According to Bitmessage developers, a critical zero-day remote code execution vulnerability, described as a message encoding flaw, affects PyBitmessage version 0.6.2 for Linux, Mac, and Windows and has been exploited against some of their users.
"The exploit is triggered by a malicious message if you are the recipient (including joined chans). The attacker ran an automated script but also opened, or tried to open, a remote reverse shell," Bitmessage core developer Peter Šurda explained in a Reddit thread.
"The automated script looked in /.electrum/wallets [Electrum wallets], but when using the reverse shell, he had access to other files as well. If the attacker transferred your Bitcoins, please contact me (here on Reddit)."
Moreover, hackers also targeted Šurda. Since his Bitmessage addresses were most likely considered to be compromised, he asked users not to contact him at that address.
"My old Bitmessage addresses are to be considered compromised and not to be used," Šurda tweeted.
Šurda believes that the attackers exploiting this vulnerability to gain remote access are primarily looking for private keys of Electrum bitcoin wallets stored on the compromised device, with which they could/might have stolen bitcoins.
Bitmessage developers have since fixed the vulnerability with the release of the new PyBitmessage version 0.6.3.2.
So, if you are running an affected version of PyBitmessage, you are highly recommended to upgrade your software to version 0.6.3.2.
Since the vulnerability affects PyBitmessage version 0.6.2 and not PyBitmessage 0.6.1, you can alternatively consider, as suggested by Šurda, downgrading your application to protect yourself from potential zero-day attacks.
Although the developers did not reveal more details about the critical vulnerability, Šurda advised users to change all their passwords and create new Bitmessage keys if they have any suspicion of their computers being compromised.
Binary files for Windows and OSX are expected to become available on Wednesday.
The investigation into these attacks is still ongoing, and we will update this article with more information as it becomes available.
Stay Tuned! Stay Safe!