An important security update has been released. It fixes two serious vulnerabilities discovered and reported to us by security researcher pearl:
* Text messages in chat were handled incorrectly, which allowed an attacker to execute arbitrary code in the victim's wallet. An attacker could put arbitrary code inside AngularJS {{ }} expressions in a message, and the victim's wallet would evaluate it while rendering the message. This attack vector could be used to steal the private keys. The vulnerability existed in all versions of the Obyte wallet since the first release in 2016. However, to exploit it an attacker first needs to trick the victim into pairing with the attacker's wallet or chatbot. Users who had their wallets protected with a good password and had deleted their seed words were better protected against such an attack. We have no reports of this vulnerability actually being exploited. The fix makes sure that user input is always treated as text and never evaluated.
* The restore-from-full-backup function accepted file paths containing directory traversal sequences (../) in the backup archive, which could let an attacker overwrite important user files outside the wallet directory, such as .bashrc on Linux. The vulnerability existed in all versions of the Obyte wallet since restore from full backup was introduced in mid-2017. However, to exploit it an attacker first needs to trick the victim into restoring from a maliciously crafted backup file. We have no reports of this vulnerability actually being exploited. The fix checks file paths in the backup archive for directory traversal sequences and ignores such files.
Since the two vulnerabilities are now publicly disclosed and each can be used to inflict serious damage on Obyte users who are not yet aware of them, the hub at obyte.org will refuse connections from non-upgraded wallets to keep them safe. All known operators of other hubs have been notified and advised to apply the same policy.
Only GUI wallets are affected by these vulnerabilities, and the upgrade is mandatory for them; headless nodes (wallets, hubs, relays) are not affected.
Please upgrade
https://github.com/byteball/obyte-gui-wallet/releases

An exception occurred: TypeError: Cannot read property 'replace' of undefined; cause: undefined
I tried to create a new wallet, and I cannot add any chat bot because of the same error.