On Reddit ret2got quoted the EF on why they don't consider this a geth vulnerability:
DNS rebinding to bypass SOP is an old and known issue. There is nothing
particular about geth being vulnerable to this.
* The RPC api is not the primary protection against theft of ether, users are
encouraged to have a long and difficult password, presumably difficult to
bruteforce.
* Although I cannot find the ticket right now, we're already considering
being even more strict on Origin, so that geth would not accept
POST-requests from non-whitelisted Origins (by default).
I'm not sure about the first bullet point. You have to unlock your accounts before calling any balance-changing methods, but I don't know if there is a default time after which the accounts get locked again.
Even if there is, isn't there a time period during which your accounts would be vulnerable?
As this seems easily mitigated by a simple security token, I don't see why they shouldn't implement this.
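Below is an added example, not code from the post above or from geth, showing the two mitigations the thread talks about: an allowlist on the HTTP Host header (a DNS-rebound request still arrives with the attacker's hostname in Host, so it is rejected before any JSON-RPC method runs), an allowlist on the Origin header (the stricter default the EF quote mentions), and the "simple security token" suggested at the end. The RPCGuard type, the allowlists, the token value and the request scenarios are all hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RPCGuard is a hypothetical guard in front of a JSON-RPC handler. It is not
// geth's implementation; it only demonstrates the checks discussed above.
type RPCGuard struct {
	AllowedHosts   map[string]bool // hostnames/IPs the RPC may be reached as
	AllowedOrigins map[string]bool // browser Origins allowed to POST
	Token          string          // static bearer token; empty disables the check
}

// hostOnly strips an optional :port from a Host header value ("[::1]:8545" -> "::1").
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h
}

// Check reports whether the request may reach the RPC handler and, if not, why.
// Host is checked first: under DNS rebinding the browser resolves the attacker's
// name to 127.0.0.1 but still sends "Host: attacker.example", so this alone
// blocks the classic rebinding flow. Origin covers ordinary cross-site POSTs,
// and the token covers anything that gets past both.
func (g *RPCGuard) Check(r *http.Request) (bool, string) {
	if !g.AllowedHosts[strings.ToLower(hostOnly(r.Host))] {
		return false, "host not allowlisted (possible DNS rebinding)"
	}
	if o := r.Header.Get("Origin"); o != "" && !g.AllowedOrigins[strings.ToLower(o)] {
		return false, "origin not allowlisted"
	}
	if g.Token != "" {
		want := []byte("Bearer " + g.Token)
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
			return false, "missing or wrong token"
		}
	}
	return true, ""
}

// Middleware rejects failed requests with 403 before the RPC handler sees them.
func (g *RPCGuard) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, why := g.Check(r); !ok {
			http.Error(w, why, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Demo runs constructed requests (not captured traffic) through the guard and
// returns the HTTP status each scenario receives.
func Demo() map[string]int {
	g := &RPCGuard{
		AllowedHosts:   map[string]bool{"localhost": true, "127.0.0.1": true},
		AllowedOrigins: map[string]bool{"http://localhost:8000": true},
		Token:          "s3cret", // hypothetical token, generated per install in practice
	}
	rpc := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(`{"jsonrpc":"2.0","id":1,"result":"0x0"}`))
	})
	h := g.Middleware(rpc)
	body := `{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[],"id":1}`
	// scenario -> {Host, Origin, Authorization}
	cases := map[string][3]string{
		"legit":      {"127.0.0.1:8545", "http://localhost:8000", "Bearer s3cret"},
		"dns-rebind": {"attacker.example:8545", "http://attacker.example:8545", "Bearer s3cret"},
		"bad-origin": {"localhost:8545", "http://attacker.example", "Bearer s3cret"},
		"no-token":   {"localhost:8545", "http://localhost:8000", ""},
	}
	out := map[string]int{}
	for name, c := range cases {
		req := httptest.NewRequest("POST", "http://"+c[0]+"/", strings.NewReader(body))
		req.Host = c[0]
		if c[1] != "" {
			req.Header.Set("Origin", c[1])
		}
		if c[2] != "" {
			req.Header.Set("Authorization", c[2])
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		out[name] = rec.Code
	}
	return out
}

func main() {
	for name, code := range Demo() {
		fmt.Printf("%-11s -> %d\n", name, code)
	}
}
```

Only the "legit" scenario reaches the RPC handler; the rebound request fails on Host, the cross-site one on Origin, and the token-less one on the bearer check. Note the Host allowlist is the part that matters for rebinding: Origin alone does not help once the attacker's page is same-origin with the rebound address, and a token only helps while the attacker cannot read it from the local filesystem.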