‘The Bash Bug’: Bigger Than ‘Heartbleed’, but No Threat to Bitcoin Services

A newly-discovered cyber flaw, dubbed “Bash bug” or “Shellshock Bug”, is not likely to affect bitcoin.

Bash bug involves the execution of malicious code within a bash shell, which is a command-line shell used in many Linux and Unix operating systems, as well as Apple's Mac OS X operating system. Photo: Torkild Retvedt/Flickr

Bash bug involves the execution of malicious code within a bash shell, which is a command-line shell used in many Linux and Unix operating systems, as well as Apple's Mac OS X operating system. Photo: Torkild Retvedt/Flickr

New bug, called “Bash” or “Shellshock” has been discovered by computer security professionals. In comparison with the last year bug “Heartbleed”, the latest vulnerability could constitute more threat to the computers and smartphone devices.

The flaw is related to Bash computer program that is installed on millions of devices around the globe that run such operating systems as Unix, Linux and Macs as well.

Tod Beardsley, an engineering manager at security company Rapid7, told: “Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes etc.” He added: “Anybody with systems using Bash needs to deploy the patch immediately.”

Errata security CEO, Robert Graham, said: “It’s really important that people who maintain websites make sure their computers are patched as quickly as they can. Hackers are already going to all websites and trying out this bug.”

BitPay software engineer, Jeff Garzik, there is no clear danger to bitcoin users. He posted on Reddit: “Prediction: bash bug NOT bigger threat than heartbleed.” He also noted that “most online services using bitcoin are far more secure than your average home router”.

Garzik said Bash Bug will affect mostly non-bitcoin sites and that it was rather exaggerated. “It requires special set of conditions to be exploitable, and home routers and ancient Apache web servers were already Swiss cheese security anyway. I think the practical impact will be much less than the mainstream media is making it out to be,”he said.

Until now, there has not been any news about Shellshock affecting bitcoin services.

BitBays.com CTO, Yan Chuan, recommended the users to check their devices to ensure no attacks had occurred.

There is a potential to any type of attack, ranging from bitcoin wallets steal to installing keyloggers and backdoors, as the bug provides hackers an access to an operating system.

Bitcoin is not likely to be affected, given its decentralized nature. Yan Chuan said: “However, as a centralized provider of exchange or wallet services it is possible to be affected by the bash bug. Due to the presence of this vulnerability, open SSH, HTTP, FTP and other application servers are all at risk of being remotely accessed and controlled by a hacker.”

Notably, Windows users will not be affected as the system is not based on UNIX.

The Bash Bug provokes a security flaw existing in the bash command ‘env‘, which affects the local shell and other services, including SSH, FTP and HTTP.

Chuan explained that many web servers send the user’s HTTP request data, stored in an environment variable, to the backend Web framework or CGI scripts. If this information contains malicious instructions, each time the server executes bash it will implement the malicious instructions.

Today, Apache + PHP and Nginx + wsgi frameworks are vulnerable.

The bug, which was discovered over 25 years ago, could affect millions of computers in the future.

Share This article

We welcome comments that advance the story directly or with relevant tangential information. We try to block comments that use offensive language, all capital letters or appear to be spam, and we review comments frequently to ensure they meet our standards. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Coinspeaker Ltd.