Warning: don't use -server or bitcoind where you web browse (v0.3.2 and lower)

Don’t use the -server or -daemon switch or run bitcoind on a machine where you use a web browser.  It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn’t think that web browsers could cross-site access it, but it is possible.

We’re working on a release soon that puts a password on the JSON-RPC interface, but until then, avoid using the -server switch, and don’t web browse on the same machine where bitcoind is running.

Update: The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.

You can still generate bitcoins, just don’t run bitcoind or bitcoin -server or bitcoin -daemon on machine that you use to browse the Web.

As sirius says, if you do you could browse to a website that empties your Bitcoin wallet without your knowledge or permission.

I’m full of dumb questions today: Are there any other conceivable problems? And would the daemon be protected of it were on a VM and/or chrooted? Thanks.

chroot: won’t protect you.

Running as a separate VM: I think will protect you. But I thought browsers wouldn’t allow XMLHTTPRequests to “localhost” from web pages fetched from the web, so my advice would be to test it. See if you can talk to the Bitcoin daemon from another VM on the same machine by running “bitcoind getinfo” or “bitcoin getinfo” on the non-bitcoin-vm.

The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.