Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 27 Jul 2013 13:09:37 -0600
From: Kurt Seifried <>
CC: Evan Teitelman <>,,
        "Steven M. Christey" <>
Subject: Re: CVE Request - Coin Widget serves code over plain

Hash: SHA1

On 07/26/2013 07:19 PM, Evan Teitelman wrote:
> Coin Widget is a Bitcoin and Lightcoin donation widget. Its code
> is normally downloaded from in
> the following manner.
> <script src=""></script> 
> <script> CoinWidgetCom.go({ wallet_address:
> "31uEbMgunupShBVTewXjtqbBv5MndwfXhb" , currency: "bitcoin" ,
> counter: "count" , alignment: "bl" , qrcode: true , auto_show:
> false , lbl_button: "Donate" , lbl_address: "My Bitcoin Address:" ,
> lbl_count: "donations" , lbl_amount: "BTC" }); </script>
> Without SSL or similar protection, it is possible for the code to
> be modified in transit. A malicious individual could modify the
> code to replace a legitimate wallet address with his or her own.

I also tried "" and it failed
(you can telnet to the port, it's open, but I got an SSL error). If
you try
you'll see the same.

> I believe this vulnerability is an example of CWE-300. Does it need
> a CVE identifier?

The problem is not in the code, the problem is in how the code is
served/distributed. CVE is traditionally for software and not for
services. So under a simplistic reading of that strict definition I
would say this doesn't deserve a CVE.

However the world is changing, for example a program that included an
auto-updater component that was advertised as being "Secure" but went
over HTTP would probably qualify for a CVE.

Steve I'm bouncing this to you, I'm inclined to NOT assign a CVE since
it opens up a huge can of worms (every single bit of JavaScript served
from HTTP and not available via HTTPS ever), but I can also see how it
should maybe get a CVE.

The good news is that future versions of Firefox are implementing a
security policy that when loading a page from HTTPS they will not load
page components from HTTP, which would fix this issue. Hopefully all
the browsers do this.

> I have copied the creator of Coin Widget on this email.
> Thank you for your time, Evan Teitelman.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1.4.13 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.