CoinNess.com reported on a vulnerability in NEO that can be exploited by hackers to steal tokens remotely. In response to the exposure of such a major vulnerability, NEO promptly made an announcement addressing the issue raised by Tencent's joint security lab.
Erik Zhang, co-founder of NEO, said on Weibo, China's Twitter:
1. RPC can only be called by NEO-CLI, which normal users are excluded from accessing;
2. NEO-CLI does not activate RPC in its default setting, and will only do so in special circumstances with an additional command-line parameter;
3. The RPC settings of NEO-CLI add "BindAddress", which is set to "127.0.0.1" by default. Unless users manually change the configuration files, the chance of related risks is eliminated.
All in all, normal users of the NEO blockchain will not face the possibility of a token theft carried out remotely.
In the end, Erik called upon the public to pay more attention to the "NEO Vulnerability Bounty Program", which was launched this year.
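A defender-side check for the third point of the statement above, as an added example that is not NEO's code or part of the original report: it scans a node configuration for `BindAddress` and flags any value that is not a loopback address. The JSON nesting in the sample inputs is an assumption; only the `BindAddress` key and its `127.0.0.1` default come from the article.

```python
import ipaddress
import json

# Constructed sample configs. The nesting is an assumption; only the
# "BindAddress" key and its "127.0.0.1" default come from the article.
SAMPLES = {
    "default": '{"ApplicationConfiguration": {"RPC": {"BindAddress": "127.0.0.1"}}}',
    "wildcard": '{"ApplicationConfiguration": {"RPC": {"BindAddress": "0.0.0.0"}}}',
    "lan": '{"ApplicationConfiguration": {"RPC": {"BindAddress": "192.168.1.10"}}}',
    "hostname": '{"ApplicationConfiguration": {"RPC": {"BindAddress": "localhost"}}}',
    "missing": '{"ApplicationConfiguration": {"RPC": {}}}',
}

def find_bind_addresses(node, path="$"):
    """Yield (path, value) for every "BindAddress" key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "BindAddress":
                yield f"{path}.{key}", value
            else:
                yield from find_bind_addresses(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_bind_addresses(item, f"{path}[{i}]")

def classify(value):
    """Classify one BindAddress value by how widely it exposes the listener."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return "unparsed"            # hostname or typo: needs manual review
    if addr.is_loopback:
        return "loopback"            # reachable from the local machine only
    if addr.is_unspecified:
        return "all-interfaces"      # 0.0.0.0 or ::
    return "specific-interface"      # one non-loopback address

def audit(config_text):
    """Return (verdict, findings); verdict is 'ok', 'review' or 'no-bind-address'."""
    findings = [(p, v, classify(v)) for p, v in find_bind_addresses(json.loads(config_text))]
    if not findings:
        return "no-bind-address", findings
    verdict = "ok" if all(kind == "loopback" for _, _, kind in findings) else "review"
    return verdict, findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *audit(text))
```

A `review` verdict only matters on a node where RPC has actually been switched on, since the statement says it is off by default.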