Bug in NEO’s Blockchain Allows Hackers to Steal Remotely
A post on Chinese microblogging website Weibo has revealed that certain NEO users may be affected by a critical software vulnerability that could potentially lead to loss of tokens. The bug was reportedly discovered by another Chinese company, Tencent Security. According to the post, the vulnerability is limited to NEO and GAS users that have set up a network node with the default configuration. Node maintainers fitting this description could potentially have their cryptocurrency remotely stolen when they access their NEO wallet.
Outdated Software to Blame
Tencent has warned NEO users and, in particular, node owners to check their client versions, update any wallet software on their devices and keep track of ‘abnormal transfer behavior’. The NEO development team has reportedly been notified of this vulnerability as well. However, there has been no official advisory or bug acknowledgment released by the NEO Foundation.
Meanwhile, Tencent Security has advised node owners and NEO holders to follow these instructions:
“Upgrade to the highest version of the NEO-CLI client program. Avoid using the remote RPC function, modify the address of BindAddress in the configuration file to 127.0.0.1. If you have special requirements, you must use the remote RPC function. You should ensure the security of the node by modifying the RPC port number, enabling the Https-based JSON-RPC interface, and setting the firewall policy.”
Often referred to as the Chinese equivalent to Ethereum, NEO is currently priced at approximately $8.16. With a market cap of $530 million, it is the 17th largest cryptocurrency on the market. Those figures peaked in January 2018, when one NEO token was being traded for around $160. Similar to the rest of the market, however, the dApp platform has lost a significant chunk of its valuation in the months since.
Given that the bug discovered by Tencent’s Security arm affects a small minority of technically-inclined users, it is unlikely that NEO’s valuation will be significantly impacted, if at all. Notably though, the bug disclosure comes only days after cryptocurrency exchange Binance launched its ‘Gold Label’ program, which prominently features NEO as an ‘Officially Certified’ project. “Gold label badges will be given to projects that keep blockchain enthusiasts informed and updated,” the company wrote.
Cryptocurrency Theft
Reports of cryptocurrency theft have been rising in the past few weeks. On November 26, 2018, a popular Node.js JavaScript library was found to be stealing cryptocurrency from unsuspecting users. The ‘event-stream’ library package contained malicious code designed to send user tokens to an unknown wallet in the background. Researchers discovered that the library was targeted primarily due to its association with the Copay Bitcoin wallet service available on desktop and mobile.
