Cool to see DNS Rebinding getting more attention lately :D just a couple months ago I used DNS Rebinding to attack Ethereum wallets: https://medium.com/@rhodey/walking-past-same-origin-policy-n...

Nice one! Not surprising to see cryptocoin implementers make all the classic security mistakes

Ethereum brushed off my bug bounty submission and then began this hard fork junk so I documented and packaged my exploit publicly. It hasn't gotten much exposure yet, please have fun with it.

"Walking Past Same-origin Policy, NAT, and Firewall for Ethereum Wallet Control" - https://medium.com/@rhodey/walking-past-same-origin-policy-n...

From the Medium blog:

> The cypherpunk, anarchist future wasn’t supposed to be about stronger banking guarantees and wealth redistribution among Reddit users.

I think your interests may fall more closely in line with what the Monero folks are doing. I'm not aware of any other cryptocurrency project with better privacy features. And they're working directly with the I2P developers to get better privacy at the network level(Kovri).

It's been posted to r/ethereum. Check there.

https://www.reddit.com/r/ethereum/comments/4ta6go/walking_pa...

Nice post. It looks like a potential issue for someone specifically running geth with that config, but ok for an end-user using Mist or Metamask.

thanks! I didn't take the time to setup Mist but my understanding is that Mist is especially vulnerable because it's bundled with a wallet and used for browsing DAPPS which always require the JSON API to be enabled.

It's not since Mist (and Metamask) injects the web3 object into the page, no jSON-API is used. It also displays a confirmation dialog each time a transaction is generated. If setting up Mist too much trouble to try this, you can always try Metamask https://metamask.io/