14:29:52
ohchase:
Was looking over the monero-gui and from what I can tell it runs the wallet rpc locally without any authorization. Am i understanding this correctly
14:30:25
ohchase:
I'm ignoring the whole wallet unlock and close access control portion
14:30:27
ofrnxmr:xmr.mx:
No
14:31:11
ofrnxmr:xmr.mx:
clarify: wdym about runs the wallet rpc?
14:32:29
ohchase:
The wallet not daemon rpc, so default for mainnet it would be on the local network at 127.0.0.1:18088
14:35:47
ohchase:
overall my concern/thought was with a simple curl command if the user has their wallet open when running a local node with the usage of monero-gui, the wallet could be sweeped. So it would be a low difficulty, opportunistic way to steal funds. E.g. hey heres this new cool monero tool I made, person downloads or pulls in dependency and has their gui wallet unlocked, and the package build does a local curl request sweeping the wallet
14:42:00
plowsof:
the daemon is not a wallet remember
14:46:12
ohchase:
ahhh this doesn't use the wallet rpc at all, uses wallet2 native bindings for all wallet interactions it seems
15:06:16
ofrnxmr:xmr.mx:
wallet2_api
15:06:17
ofrnxmr:xmr.mx:
18088 isnt a default port for anything