Mess With The Best…
… and Die Like The Rest.
A critical security issue was discovered by Turtlecoin developers and subsequently patched. Other Cryptonote forks and, possibly, other coins are vulnerable as well.
If you have not already done so, please update to the latest version of Turtlecoin.
Turtlecoin is completely secure from the vulnerability described in this article from v0.3.1 onwards. Technical details are published here: https://www.ayrx.me/cryptonote-unauthenticated-json-rpc
Roughly two weeks ago, some of our developers decided to look into the security of Turtlecoin. It was immediately apparent that the vulnerability Tavis Ormandy pointed out in the Electrum wallets (https://twitter.com/taviso/status/949804775473737728) was also present in Turtlecoin, as well as in most Cryptonote forks.
We immediately set out to fix this in two commits:
Additionally, we have also reached out to the majority of the other affected Cryptonote coins with our findings in an effort to secure the community and to raise awareness for the bug class.
The impact of the vulnerability is substantial. A simple hosted webpage could allow an attacker to steal funds from an open wallet as a victim surfs the internet without any interaction from the victim at all. This drive-by attack would not alert the victim until it is too late and the funds are gone.
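What the defensive side of this bug class looks like in code, as an added example that is not Turtlecoin's own code: a wallet JSON-RPC endpoint bound to localhost cannot treat "it only listens on 127.0.0.1" as authentication, because a web page open in the victim's browser can send requests to that address. The checks below (reject any request carrying a browser Origin header, insist on an application/json content type, and require a per-wallet password compared in constant time) are a generic hardening pattern. The password field name, the `RpcRejected` class and the two sample requests are assumptions constructed for this example, not the project's actual RPC parameters.

```python
"""
Request-level authorization for a wallet JSON-RPC endpoint on localhost.
Added example, not Turtlecoin's code. It models the defence against the
bug class in the post: a page loaded in the victim's browser can POST to
127.0.0.1, so the listening address alone provides no authentication.
"""
import hmac
import json
import secrets

# Assumed field name; the project's real parameter name may differ.
PASSWORD_FIELD = "password"


class RpcRejected(Exception):
    """Raised when a request fails one of the policy checks (hypothetical class)."""


def authorize_rpc_request(headers: dict, raw_body: bytes, expected_password: str) -> dict:
    """Return the parsed JSON-RPC body if the request is acceptable, else raise.

    Policy (generic, defensive):
      1. Browser-initiated requests carry an Origin header. A local wallet
         daemon has no legitimate web-page callers, so any Origin is rejected.
      2. Content-Type must be application/json. A cross-origin POST with
         text/plain needs no CORS preflight, so a strict content type removes
         the simplest drive-by request shape.
      3. The body must carry the wallet's RPC password, compared in
         constant time so the check does not leak via timing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        raise RpcRejected("browser origin present: %s" % h["origin"])
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        raise RpcRejected("unexpected content type: %r" % ctype)
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise RpcRejected("body is not valid JSON") from None
    supplied = body.get(PASSWORD_FIELD) if isinstance(body, dict) else None
    if not isinstance(supplied, str) or not hmac.compare_digest(
        supplied.encode("utf-8"), expected_password.encode("utf-8")
    ):
        raise RpcRejected("missing or wrong RPC password")
    return body


def generate_rpc_password() -> str:
    """Random secret the wallet would write to its config at startup (assumed flow)."""
    return secrets.token_urlsafe(32)


# Constructed sample requests; the method names are illustrative only.
WALLET_PASSWORD = "example-constructed-secret"

DRIVE_BY_REQUEST = {
    # Shape a browser produces for a cross-site POST: Origin set, text/plain body.
    "headers": {"Origin": "http://attacker.example", "Content-Type": "text/plain"},
    "body": b'{"jsonrpc":"2.0","method":"transfer","params":{},"id":1}',
}
LOCAL_CLIENT_REQUEST = {
    # Shape a legitimate local client produces: no Origin, JSON type, password present.
    "headers": {"Content-Type": "application/json"},
    "body": json.dumps({"jsonrpc": "2.0", "method": "getBalance", "id": 2,
                        PASSWORD_FIELD: WALLET_PASSWORD}).encode("utf-8"),
}


def classify(request: dict) -> str:
    """Apply the policy to one constructed request and report the decision."""
    try:
        authorize_rpc_request(request["headers"], request["body"], WALLET_PASSWORD)
        return "accepted"
    except RpcRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print("drive-by page request ->", classify(DRIVE_BY_REQUEST))
    print("local wallet client   ->", classify(LOCAL_CLIENT_REQUEST))
```

The Origin and content-type checks are cheap and stop the browser-originated shape on their own, but the password is the check that actually authenticates the caller; a daemon that only relies on the first two would still be exposed to any non-browser process on the machine.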
We recommend that users of other coins exercise extreme caution when using their wallets and avoid clicking on links sent by untrusted individuals.
Note: Thanks to the members of the Turtle team that worked hard to patch and disclose this issue responsibly. We hold your safety as our first priority, and tests like this help us hold that commitment. — RockSteady