Could it happen that an attacker injects malicious code into the satoshi client? For example that all money of the user's wallet is transferred to the attacker (If the wallet is encrypted, as soon as user enters the password). Then the infected client would have to made available for download on official site bitcoin.org.
Even if the problem is noticed within a few hours, the attacker could have gained lots of money, so such an attack would be very attractive for a criminal hacker.
Additional to the damage done to the users, this could do much damage to bitcoin itself, if not even destroying it.
I can think of a lot possible access points for the attacker:
- An attacker could break directly into the source control where the source code is stored and unnoticed injects his code which is then automatically include in the next version.
But since bitcoin is open source, the attacker should hide its code in a file where people rarely look into or file which at first glance does not look important but are indeed source files
- An attacker could hack a computer of one of the bitcoin client developers (Either through direct physical access or through some trojan)
- The attacker could threaten one of the bitcoin developers and such force his to do what he wants
- An attacker could break into the website bitcoin.org and place his malicious client for download, or redirect bitcoin.org via some dns attack to his own (same looking) website
With this attack, the checksum of the client won't be ok but how many users will (or even know how to) check that?
This are my greatest fears. Please tell me that these scenarios are almost impossible to happen. So the question is, could this be possible?
