Bitmessage developers have warned of a critical ‘remotely executable’ zero-day vulnerability in the PyBitmessage application that was being exploited in the wild.
Bitmessage is a peer-to-peer (P2P) communications protocol used to send encrypted messages between users. Because it is decentralized and trustless, users need not inherently trust any entity such as a root certificate authority.
For those unaware, PyBitmessage is the official client for the Bitmessage messaging service.
According to Bitmessage developers, a critical zero-day remote code execution vulnerability, described as a message encoding flaw, affects PyBitmessage version 0.6.2 for Linux, Mac, and Windows and has been exploited against some of their users.
“The exploit is triggered by a malicious message if you are the recipient (including joined chans). The attacker ran an automated script but also opened, or tried to open, a remote reverse shell,” Bitmessage core developer Peter Šurda explained in a Reddit thread.
“The automated script looked in ~/.electrum/wallets [Electrum wallets], but when using the reverse shell, he had access to other files as well. If the attacker transferred your Bitcoins, please contact me (here on Reddit).”
Moreover, the attackers also targeted Šurda himself. Since his Bitmessage addresses were most likely compromised, he advised users not to contact him at those addresses.
“My old Bitmessage addresses are to be considered compromised and not to be used,” Šurda tweeted.
Šurda believes that the attackers exploiting this vulnerability to gain remote access are primarily looking for the private keys of Electrum bitcoin wallets stored on the compromised device, with which they could have stolen bitcoins.
Bitmessage developers have since fixed the vulnerability with the release of new PyBitmessage version 0.6.3.2.
So, if you are running an affected version of PyBitmessage, you are strongly advised to upgrade your software to version 0.6.3.2.
Since the vulnerability affects PyBitmessage version 0.6.2 but not PyBitmessage 0.6.1, you can alternatively, as Šurda suggested, downgrade your application to protect yourself from potential zero-day attacks.
Although the developers did not reveal further details about the critical vulnerability, Šurda advised users to change all their passwords and create new Bitmessage keys if they suspect their computers have been compromised.
Binary files for Windows and OSX are expected to become available on Wednesday.
The investigation into these attacks is still ongoing, and we will update this article with more information as it becomes available.