Recently a Geth (and other ethereum clients) exploit making use of DNS Rebinding was found and shared on HackerNews. The exploit allows an attacker to access the JSON-RPC on the ethereum client using DNS rebinding. The repercussions of this exploit are severe, as it would allow the attacker complete control over your ethereum client.
The Ethereum Foundation has reportedly been made aware of the issue. Though it does not seem to see the threat the attack poses.
How does it work?
This attack makes use of something called DNS rebinding. DNS, or Domain Name System, is what allows computers to use names, called domains, to access servers. It works by having a server that acts like a phone book, allowing other computers to lookup the IP address (phone number) of a domain (person). For example, the link blockexplorer.com/news tells your computer to fetch the page ‘news’ at the server that blockexplorer.com points to (188.8.131.52 at the time of writing).
A critical part of how this attack works is the attacker making their own server the phone book for a domain they control. DNS rebinding itself refers to the practice of changing a domain’s address between lookups.
When you connect to the attacker’s website, your computer asks the internet where it can ask what the address of their domain is. The internet responds with “Go here and ask this server that”, with a link to the attacker’s DNS server. Once that interaction happens, the attacker’s server responds with the correct address for its website.
Why does this attack work?
Normally, your browser will stop requests going from a webpage to anywhere other than the server the webpage came from. This attack works because your web browser thinks that it’s still talking to the server the webpage is on. The address was re-bound while it was on the web page.
Proof of concept
The blog post also had a proof of concept link that demonstrates the attack by listing the ethereum addresses and the balances thereof on your computer when you connect to it. We will refrain from linking the proof, but it is simple to find on the blog for those interested.