by Swati Khandelwal
February 14, 2018
Bitmessage developers have warned of a critical ‘remotely executable’ zero-day vulnerability in the PyBitmessage application that was being exploited in the wild.
Bitmessage is a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users. Since it is decentralized and trustless communications, one need-not inherently trust any entities like root certificate authorities.
Those who unaware, PyBitmessage is the official client for Bitmessage messaging service.
According to Bitmessage developers, a critical zero-day remote code execution vulnerability, described as a message encoding flaw, affects PyBitmessage version 0.6.2 for Linux, Mac, and Windows and has been exploited against some of their users.
“The exploit is triggered by a malicious message if you are the recipient (including joined chans). The attacker ran an automated script but also opened, or tried to open, a remote reverse shell,” Bitmessage core developer Peter Šurda explained in a Reddit thread.
“The automated script looked in ~/.electrum/wallets [Electrum wallets], but when using the reverse shell, he had access to other files as well. If the attacker transferred your Bitcoins, please contact me (here on Reddit).”
Moreover, hackers also targeted Šurda. Since his Bitmessage addresses were most likely considered to be compromised, he suggested users not to contact him at that address.
“My old Bitmessage addresses are to be considered compromised and not to be used,” Šurda tweeted.
Šurda believes that the attackers exploiting this vulnerability to gain remote access are primarily looking for private keys of Electrum bitcoin wallets stored on the compromised device, using which they could/might have stolen bitcoins.
Bitmessage developers have since fixed the vulnerability with the release of new PyBitmessage version 0.6.3.2.