From: "/dev /fd0"
Date: Fri, 24 Oct 2025 21:29:09 +0530
Subject: [bitcoindev] Full Disclosure: Debug console history storing sensitive info in bitcoin core v24.0-v30.0
To: Bitcoin Development Mailing List
Cc: security@bitcoincore.org

Hi everyone,

This is a disclosure of a low-severity vulnerability that exists in all bitcoin core versions from v24.0 to v30.0. It has already been reported in a GitHub [issue][0] and shared on social media. However, I wanted to formally disclose it on the mailing list so that all users are aware of the risks. The full disclosure approach is primarily used when vulnerabilities are ignored. It is exactly what happened in this case although it has been [fixed][1] in bitcoin knots which also persists the history to disk.

Some RPC commands use private keys, wallet passphrase etc. in their arguments and this remained in the debug console history until [2016][2]. An attacker can no longer see the history and get sensitive information with the history filter. However, [`migratewallet`][3] wasn't added in the history filter. This allows an attacker with access to the victim's machine to get the wallet passphrase from the history. GUI has an option to migrate the wallet without using RPC commands in the debug console since v26.0 but some users may prefer RPC over it.

```
// don't add private key handling cmd's to the history
const QStringList historyFilter = QStringList()
    << "signmessagewithprivkey"
    << "signrawtransactionwithkey"
    << "walletpassphrase"
    << "walletpassphrasechange"
    << "encryptwallet";

}
```

Timeline:

02 October 2025: User [reported][4] the issue in bitcoin knots telegram group
02 October 2025: I opened the pull request to fix the issue in knots repo
11 October 2025: [knots v29.2][5] released with the fix
11 October 2025: I acknowledged the bug in bitcoin core repo and waketraindev opened a [pull request][6] to fix it
24 October 2025: Full disclosure as bitcoin core remains vulnerable

Credits:

waketraindev
lukedashjr

[0]: https://github.com/bitcoin-core/gui/issues/897
[1]: https://github.com/bitcoinknots/bitcoin/pull/203
[2]: https://github.com/bitcoin/bitcoin/pull/8877
[3]: https://bitcoincore.org/en/doc/30.0.0/rpc/wallet/migratewallet/
[4]: https://t.me/Bitcoin_Knots/12784
[5]: https://github.com/bitcoinknots/bitcoin/releases/tag/v29.2.knots20251010
[6]: https://github.com/bitcoin-core/gui/pull/901

/dev/fd0
floppy disk guy
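The gap described in the message above is a deny-list that fell behind the RPC surface. The following added example (not part of the original post and not Bitcoin Core or Knots code) models the history check in plain C++ and audits a filter for commands that take a secret argument but are not listed. The argument table, the first-word matching and the secret-name heuristic are assumptions made for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Names = std::vector<std::string>;

// The filter entries quoted in the post (no migratewallet).
const Names kQuotedFilter = {"signmessagewithprivkey", "signrawtransactionwithkey",
                             "walletpassphrase", "walletpassphrasechange", "encryptwallet"};

// Constructed table for this example: RPC name -> argument names.
const std::map<std::string, Names> kRpcArgs = {
    {"encryptwallet", {"passphrase"}},
    {"getblockcount", {}},
    {"migratewallet", {"wallet_name", "passphrase"}},
    {"signmessagewithprivkey", {"privkey", "message"}},
    {"walletpassphrase", {"passphrase", "timeout"}},
};

// Simplified model (assumption): a console line is kept in history
// unless its first word appears in the filter.
bool kept_in_history(const std::string& line, const Names& filter) {
    std::istringstream in(line);
    std::string cmd;
    in >> cmd;
    return std::find(filter.begin(), filter.end(), cmd) == filter.end();
}

// Assumed heuristic: these substrings in an argument name mark a secret.
bool is_secret_arg(const std::string& arg) {
    for (const char* hint : {"passphrase", "privkey", "privatekey"})
        if (arg.find(hint) != std::string::npos) return true;
    return false;
}

// Commands that accept a secret argument but are missing from the filter.
Names filter_gaps(const Names& filter) {
    Names gaps;
    for (const auto& entry : kRpcArgs)
        if (std::any_of(entry.second.begin(), entry.second.end(), is_secret_arg) &&
            std::find(filter.begin(), filter.end(), entry.first) == filter.end())
            gaps.push_back(entry.first);
    return gaps;
}

int main() {
    for (const auto& cmd : filter_gaps(kQuotedFilter))
        std::cout << "secret-bearing command not filtered: " << cmd << "\n";
}
```

Run as a unit test over the real RPC table, a check of this shape fails the build when a new secret-bearing command is added without a matching filter entry.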