Key facts:
This vulnerability can expose the IP addresses personal needs of many users.Other cryptocurrencies as Hush, Komodo and the Pirate can present problems.The main developer of Komodo (KMD) Duke Leto revealed on the 28th of September, a vulnerability in all deployments of ZCash (SACS) and most of its branches, which could reveal the metadata that contain the nodes complete along with the IP addresses protected (zaddr).Through a posting on his personal blog, Leto added that to trace the problem is already in place a code of Common Vulnerabilities and Exposures (CVE, for its acronym in English).In addition, Leto provided the list of cryptocurrencies that may present the same problem. The list includes criptoactivos as Hush, Pirate and the smartchain of Komodo that use zaddr by default.Also on the list cryptocurrencies as BitcoinPrivate, Zero, Zelcash, Horizen, LitecoinZ, VoteCoin, BitcoinZ, Ycash and Snowgem. Leto also noted that Komodo has already deleted the address armored, which implies that KMD does not already have that vulnerability.Leto explains that since that Zcash and its protocol began to work, the bug that threatens the safety of all directions protected has always been there.
There has been an error for all directions protected from the development of the protocol Zcash. It is present in all of the programs source code Zcash. It is possible to find the IP address of nodes possessing complete address protected (zaddr). That is to say, if Alice gives to Bob a zaddr to pay him, might allow Bob to discover the IP address of Alice. This goes dramatically against the design of the Protocol Zcash.Duke Leto, lead developer of Komodo.
Zcash Metadata Leakage-CVE-2019-16930https://t.co/BFVNd4MrZM
TLDR: Attackers can link shielded addresses (zaddrs) to the IP addresses and nodes that control them.
This is pretty bad if Alice doesn’t want Bob to stalk her.
All $ZEC protocol coins have this bug. pic.twitter.com/U8zIWH02DS— Duke Leto (@dukeleto) September 28, 2019
In theory, anyone whose zaddr it public is under threat of disclosure of identity due to that your IP address is in public. This vulnerability can expose the IP addresses personal for many users of the protocol Zcash. The geolocation and the IP address are associated with zaddr and are therefore vulnerable.People that has never used a zaddr or that employ a routing Tor Onion will not be victims.Leto poses some of the ways through which users can mitigate the problem, one of them is to use Tor. In the second place, the affected users can create a new wallet with a new zaddr and then send the funds to that new address.
If you don’t want the people that know your zaddr know your IP address, I recommend that you clear the nodes complete until they are patched, and/or create brand new purses with new zaddrs and stop using the purses old until they release software updates.Duke Leto, lead developer of Komodo.
On the other hand, Electric Coin, the company behind the criptomoneda Zcash, is urging the participants of the network to update the software of its nodes, with the objective that they adopt immediately the last version, since this contains an important security update.“Users should update their nodes to version 2.0.7-3 immediately, and to discontinue the use of previous versions”, commented a newsletter with the date of September 24.Electric Coin has been facing several setbacks related with Zcash, taking into account that the british section of Coinbase, from the 26th of August last, stopped providing support for the criptomoneda focused on privacy.