Bitcoin Development Mailinglist
* [bitcoindev] Full Disclosure: Debug console history storing sensitive info in bitcoin core v24.0-v30.0
@ 2025-10-24 15:59 /dev /fd0
From: /dev /fd0 @ 2025-10-24 15:59 UTC
  To: Bitcoin Development Mailing List; +Cc: security

Hi everyone,

This is a disclosure of a low-severity vulnerability that exists in all
bitcoin core versions from v24.0 to v30.0. It has already been reported in
a GitHub [issue][0] and shared on social media. However, I wanted to
formally disclose it on the mailing list so that all users are aware of the
risks. The full disclosure approach is primarily used when vulnerabilities
are ignored. It is exactly what happened in this case, although it has been
[fixed][1] in bitcoin knots, which also persists the history to disk.

Some RPC commands use private keys, wallet passphrases, etc. in their
arguments, and these remained in the debug console history until [2016][2].
An attacker can no longer see the history and get sensitive information
with the history filter. However, [`migratewallet`][3] wasn't added to the
history filter. This allows an attacker with access to the victim's machine
to get the wallet passphrase from the history. The GUI has had an option to
migrate the wallet without using RPC commands in the debug console since
v26.0, but some users may prefer RPC over it.

```
// don't add private key handling cmd's to the history
const QStringList historyFilter = QStringList()
    << "signmessagewithprivkey"
    << "signrawtransactionwithkey"
    << "walletpassphrase"
    << "walletpassphrasechange"
    << "encryptwallet";
```

Timeline:
02 October 2025: User [reported][4] the issue in bitcoin knots telegram group
02 October 2025: I opened the pull request to fix the issue in knots repo
11 October 2025: [knots v29.2][5] released with the fix
11 October 2025: I acknowledged the bug in bitcoin core repo and waketraindev opened a [pull request][6] to fix it
24 October 2025: Full disclosure as bitcoin core remains vulnerable

Credits:
waketraindev
lukedashjr

[0]: https://github.com/bitcoin-core/gui/issues/897
[1]: https://github.com/bitcoinknots/bitcoin/pull/203
[2]: https://github.com/bitcoin/bitcoin/pull/8877
[3]: https://bitcoincore.org/en/doc/30.0.0/rpc/wallet/migratewallet/
[4]: https://t.me/Bitcoin_Knots/12784
[5]: https://github.com/bitcoinknots/bitcoin/releases/tag/v29.2.knots20251010
[6]: https://github.com/bitcoin-core/gui/pull/901

/dev/fd0
floppy disk guy
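
A simplified model of the history filter discussed in the message above, added here as an example; it is not code from Bitcoin Core, Bitcoin Knots or the message's author. It assumes a line is filtered by its first token, and the helper names (`commandName`, `keptInHistory`) and sample console lines are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Filter list exactly as quoted in the message above.
const std::vector<std::string> kPageFilter = {
    "signmessagewithprivkey", "signrawtransactionwithkey",
    "walletpassphrase", "walletpassphrasechange", "encryptwallet"};

// First token of a console line, lower-cased (assumed matching rule).
// Stops at whitespace or '(' so `cmd arg` and `cmd(arg)` give the same name;
// lower-casing means a mis-capitalised command carrying a secret is still caught.
std::string commandName(const std::string& line) {
    std::size_t i = 0;
    while (i < line.size() && std::isspace(static_cast<unsigned char>(line[i]))) ++i;
    std::string name;
    for (; i < line.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(line[i]);
        if (std::isspace(c) || c == '(') break;
        name.push_back(static_cast<char>(std::tolower(c)));
    }
    return name;
}

// Returns the lines that would be kept in history under `filter`.
std::vector<std::string> keptInHistory(const std::vector<std::string>& lines,
                                       const std::vector<std::string>& filter) {
    std::vector<std::string> kept;
    for (const auto& line : lines) {
        if (std::find(filter.begin(), filter.end(), commandName(line)) == filter.end())
            kept.push_back(line);
    }
    return kept;
}

// Constructed console input; the passphrases are placeholders.
const std::vector<std::string> kSample = {
    "getblockcount",
    "walletpassphrase \"placeholder-pass\" 60",
    "  MigrateWallet(\"legacy\", \"placeholder-pass\")",
    "migratewallet \"legacy\" \"placeholder-pass\""};

int main() {
    std::vector<std::string> fixed = kPageFilter;
    fixed.push_back("migratewallet");  // the entry the message says is missing
    std::cout << "page filter keeps " << keptInHistory(kSample, kPageFilter).size()
              << " lines, extended filter keeps "
              << keptInHistory(kSample, fixed).size() << "\n";
}
```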
