'Bash Bug' a Concern, But Little Threat to Bitcoin Services

Published by CoinDesk

There were widespread security concerns yesterday after the discovery of an old flaw that could affect web servers and Internet-connected devices - but many in the industry are claiming it presents no immediate threat to bitcoin services.

The vulnerability, dubbed either the 'Bash Bug' or the 'Shellshock Bug', would allow malicious access to a UNIX-based device's operating system via the command line shell - the most widely used of which is bash.

Jeff Garzik, bitcoin core developer and now senior software engineer at BitPay, said there is no clear and present danger to bitcoin users.

"Prediction: bash bug NOT bigger threat than heartbleed," he posted on a Reddit thread. Garzik told CoinDesk that, while the newly-discovered bug had the potential to be bad, "Most online services using bitcoin are far more secure than your average home router".

At this stage, there are no reports of any exploit of the Bash Bug affecting any bitcoin-related services.

Bitcoin services may potentially be a more attractive target for hackers and thieves than more established, fiat-based services like online banking and PayPal.

Because the bug allowed malicious hackers full access to an operating system, there was potential for any kind of attack, from stealing bitcoin wallets to installing keyloggers and backdoors.

"However, as a centralized provider of exchange or wallet services it is possible to be affected by the bash bug. Due to the presence of this vulnerability, open SSH, HTTP, FTP and other application servers are all at risk of being remotely accessed and controlled by a hacker."

The Bash Bug vulnerability stems from a serious security flaw that exists in the bash command 'env'.

YC explained how the bug could be exploited, saying that many web servers send the user's HTTP request information (REQUEST_METHOD, QUERY_STRING, etc.), stored in an environment variable, to the backend web framework or CGI scripts.
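The request path described above can be checked for in web server logs. The following is an added example, not code from the article or from anyone quoted in it: it assumes the common "combined" access log format and relies on the fact that bash imported an environment value beginning with `() {` as a function definition. The function names and the sample log lines are constructed for illustration.

```python
import re

# Bash imported any environment value beginning with "() {" as a function
# definition. The pattern tolerates extra whitespace to catch sloppy probes.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# Combined log format: ip - user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Logged headers that a CGI-enabled server copies into environment variables
# (HTTP_REFERER, HTTP_USER_AGENT) before running the script.
HEADER_FIELDS = ("referer", "agent")


def suspicious_fields(line):
    """Return the logged header fields whose value starts like a function definition."""
    m = LOG_LINE.match(line)
    if not m:
        return []  # unparseable lines are skipped, not flagged
    return [f for f in HEADER_FIELDS if FUNC_PREFIX.match(m.group(f))]


def scan(lines):
    """Return (line_number, client_ip, fields) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = suspicious_fields(line)
        if fields:
            hits.append((number, line.split(" ", 1)[0], fields))
    return hits


# Constructed sample lines (documentation IP ranges, placeholder payload text).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :; }; PLACEHOLDER"',
    '203.0.113.4 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "()  { :; }; PLACEHOLDER" "() { :; }; PLACEHOLDER"',
    '192.0.2.11 - - [25/Sep/2014:10:00:12 +0000] "GET /app.js HTTP/1.1" 200 900 "http://example.test/?cb=f(){}" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Only headers that the server writes to its log are visible to this check; other request headers also reach CGI scripts as environment variables, so a clean log does not replace patching bash.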
