oss-security - CVE Request - Coin Widget serves code over plain http.

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Fri, 26 Jul 2013 21:19:33 -0400
From: Evan Teitelman <teitelmanevan@...il.com>
To: oss-security@...ts.openwall.com
Cc: scottydroid@...il.com
Subject: CVE Request - Coin Widget serves code over plain http.

Coin Widget is a Bitcoin and Lightcoin donation widget. Its code is
normally downloaded from http://coinwidget.com/widget/coin.js in the
following manner.

<script src="http://coinwidget.com/widget/coin.js"></script>
<script>
CoinWidgetCom.go({
    wallet_address: "31uEbMgunupShBVTewXjtqbBv5MndwfXhb"
    , currency: "bitcoin"
    , counter: "count"
    , alignment: "bl"
    , qrcode: true
    , auto_show: false
    , lbl_button: "Donate"
    , lbl_address: "My Bitcoin Address:"
    , lbl_count: "donations"
    , lbl_amount: "BTC"
});
</script>

Without SSL or similar protection, it is possible for the code to be
modified in transit. A malicious individual could modify the code to
replace a legitimate wallet address with his or her own.

I believe this vulnerability is an example of CWE-300. Does it need a
CVE identifier?

I have copied the creator of Coin Widget on this email.

Thank you for your time,
Evan Teitelman.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.