Ethereum clients found to be vulnerable to DNS rebind attack

Recently, an exploit against Geth (and other Ethereum clients) that makes use of DNS rebinding was found and shared on Hacker News. The exploit allows an attacker to reach the JSON-RPC interface of the Ethereum client through DNS rebinding. The repercussions are severe, as it would give the attacker complete control over your Ethereum client.

The Ethereum Foundation has reportedly been made aware of the issue, though it does not seem to consider the attack a threat.

“This has been reported to the ethereum foundation but they don’t consider it a valid vulnerability.” – End of @ret2got’s blog post on the issue.

How does it work?

This attack makes use of something called DNS rebinding. DNS, or the Domain Name System, is what allows computers to use names, called domains, to reach servers. It works by having a server that acts like a phone book, allowing other computers to look up the IP address (phone number) of a domain (person). For example, the link tells your computer to fetch the page ‘news’ at the server that points to ( at the time of writing).

A critical part of how this attack works is that the attacker runs the phone book (the authoritative DNS server) for a domain they control. DNS rebinding itself refers to the practice of changing the address a domain resolves to between lookups.

When you connect to the attacker’s website, your computer first asks the DNS system which server is responsible for the attacker’s domain. The answer is, in effect, “Go and ask this server,” pointing at the attacker’s own DNS server. On that first lookup, the attacker’s server responds with the correct address for its website.

Now that you’ve loaded the attacker’s webpage, the attack can start. The attacker’s server gives your computer a webpage with some malicious JavaScript on it, and this JavaScript is what attacks your Ethereum client. When it runs, it looks up the domain again, but now the attacker’s DNS server says that the domain points to the special address instead of the real address. This special address is also referred to as localhost: any request to it is directed to the computer it came from, which lets the malicious JavaScript talk to your Ethereum client and control it completely.

Why does this attack work?

Normally, your browser will stop requests going from a webpage to anywhere other than the server the webpage came from. This attack works because your web browser thinks that it’s still talking to the server the webpage came from: the domain was re-bound to a different address while the page was open, but the browser still treats that domain, and therefore the new address, as the same origin.
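The mismatch just described is visible to the client itself. After the rebinding, the browser still puts the attacker’s domain in the HTTP Host header, because it believes it is talking to that origin, while the connection actually arrives on the loopback address. The following is an added example, not code from the post or from any Ethereum client, of a JSON-RPC endpoint that rejects any request whose Host header is not on a small allowlist. The allowlist, the sample requests and the stub eth_accounts handler are all constructed for this illustration.

```python
"""Host-header allowlist for a local JSON-RPC endpoint (added example)."""
import json

# Names under which a local node legitimately expects to be addressed.
# Assumed allowlist for this example; adjust to your own deployment.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True if the Host header names an allowed host.

    After a DNS rebinding the connection arrives on 127.0.0.1, but the
    browser still sends the attacker's domain in Host because it believes
    it is talking to that origin. The port is stripped before comparison;
    a missing or malformed header is rejected, since every browser sends one.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. "[::1]:8545"
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    else:                                    # "localhost:8545" -> "localhost"
        host = host.split(":", 1)[0]
    return host in allowed


def handle_rpc(headers, body):
    """Dispatch one JSON-RPC request; returns (http_status, response dict).

    The Host check runs before the body is parsed, so a rebound request
    never reaches an RPC method. Only a stub eth_accounts is implemented,
    returning a constructed address, so the example runs offline.
    """
    if not host_allowed(headers.get("Host")):
        return 403, {"error": "invalid host header"}
    try:
        req = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    if not isinstance(req, dict):
        return 400, {"error": "request must be a JSON object"}
    if req.get("method") == "eth_accounts":
        result = ["0x0000000000000000000000000000000000000001"]  # constructed
    else:
        result = None  # unknown methods are ignored in this stub
    return 200, {"jsonrpc": "2.0", "id": req.get("id"), "result": result}


# Constructed sample requests. The first is what a local wallet UI sends;
# the second is what a browser sends after the attacker's domain has been
# rebound to 127.0.0.1: same body, but Host still names the attacker's domain.
RPC_BODY = b'{"jsonrpc":"2.0","id":1,"method":"eth_accounts"}'
LOCAL_REQUEST = ({"Host": "localhost:8545"}, RPC_BODY)
REBOUND_REQUEST = ({"Host": "attacker.example"}, RPC_BODY)

if __name__ == "__main__":
    for name, req in (("local", LOCAL_REQUEST), ("rebound", REBOUND_REQUEST)):
        status, resp = handle_rpc(*req)
        print(f"{name}: HTTP {status} {resp}")
```

Run the file directly and the local request is answered while the rebound one receives a 403. Geth exposes an allowlist of this kind through its `--http.vhosts` option; the NoScript mitigation the post recommends protects the browser side, while a Host check of this kind protects the node side regardless of which browser is used.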

Proof of concept

The blog post also had a proof-of-concept link that demonstrates the attack by listing the Ethereum addresses on your computer, and their balances, when you visit it. We will refrain from linking the proof, but it is simple to find on the blog for those interested.

The best mitigation at the moment is to use a NoScript plugin, which stops JavaScript from running altogether, though this may break some web pages. Otherwise, make sure not to follow any suspicious links.

Armin Davis

Armin is a cryptocurrency mining and computer security enthusiast. Writing is fun too.

One Reply to “Ethereum clients found to be vulnerable to DNS rebind attack”

  1. Hardware wallets are the best way to avoid this type of problem. Another option to avoid this attack is to use MetaMask on a portable browser; this way it’s isolated from the rest of the computer. Or you could run it inside of a more well-written browser such as Torch or Brave. If you do not do any non-crypto-related browsing in that browser, and only launch that browser when it’s needed to do a transaction, you’re gonna be a lot safer than having a wallet constantly open. Running as part of the blockchain is really helpful for the network as a whole, so having a wallet open that has nothing in it, just to help the blockchain, would help and not put you at risk of theft. The control of any one client does not put the entire blockchain at risk, so they cannot steal any asset your client does not control. No ETH in a wallet, nothing to steal. Wallet locked away with a password, or not running, you’re safe; best to have it not running, and to close down all other browsers when your wallet is open. As an alternative to a hardware wallet is a wallet running on a live Linux system with no other purpose. This type of setup is gonna be bigger than any hardware wallet and not very portable. Some mini computers are small enough to easily fit inside a small safe, or be disguised as a book and hidden on a shelf. A browser-plugin-type wallet could be put onto a thumb drive.

    I know Exodus can be run from a thumb drive on Ubuntu. Options exist. Bottom line: this currency is like a mix of cash and credit. First, it’s like cash: you hold it, you control it, and to some extent it’s vulnerable, but it has some safeguards against theft that make recovery fairly easy and not dependent on recovering the stolen device. It’s like credit, as one can send currency across the globe just like a credit card exchange. This is real; it’s almost the perfect currency.
