Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: zoza14 on January 07, 2018, 11:19:10 AM



Title: Electrum vulnerability found today!
Post by: zoza14 on January 07, 2018, 11:19:10 AM
I just read about this here:

https://bitcointalk.org/index.php?topic=2702103.msg27624964#msg27624964

Can someone inform me should I worry if I am using Electrum with a Trezor?

Thanks


Title: Re: Electrum vulnerability found today!
Post by: Rules85 on January 07, 2018, 11:19:58 AM
As you can see, all you need to do is update your wallet, so it's perfectly fine, and you don't need to worry about it.


Title: Re: Electrum vulnerability found today!
Post by: DooMAD on January 07, 2018, 12:04:53 PM
As you can see, all you need to do is update your wallet, so it's perfectly fine, and you don't need to worry about it.

Strictly speaking, if you neglected to put a password on your wallet, then you probably should worry as your funds are currently vulnerable.  But other than that, yes, it should just be a simple update. 

Users of Bitcoin and other cryptocurrencies should also be vaguely aware of the security risks around JavaScript generally.  It's not just any given website you happen to be visiting that could potentially run malicious code, but also all the third party websites utilised by that site which handle all manner of things from advertising to multimedia plugins.  Browsing the internet with JavaScript completely disabled will result in a somewhat limited experience, as many websites won't function correctly.  So the trade-off is to use a browser plugin to manually pick and choose which sites are safe to run JavaScript and which ones should be blocked.  For any Firefox/Mozilla users, there's NoScript (https://noscript.net/) and I'm pretty sure there's something similar for Chrome users.  You'll have to click some buttons for each and every website you know and trust to allow JavaScript, which does take some time and effort, but it's worth it.


Title: Re: Electrum vulnerability found today!
Post by: Casey7 on January 07, 2018, 12:15:16 PM
As you can see, all you need to do is update your wallet, so it's perfectly fine, and you don't need to worry about it.

I think so. You don't need to worry about it because it just needs to be upgraded, then everything would be alright.
I think we need to do this to protect our account and make higher security.


Title: Re: Electrum vulnerability found today!
Post by: NavI_027 on January 07, 2018, 12:21:16 PM
End your worries now, you just only need to update your wallet to fix this issue. So if you are still using the old version then better for you to update as soon as possible to avoid the risk of losing your coins.


Title: Re: Electrum vulnerability found today!
Post by: iamjher on January 07, 2018, 12:26:44 PM
I have read about it and it's very alarming, especially to those who mainly use Electrum as a wallet.
I do have an Electrum wallet because of its signing message function, which I will be needing for some purpose.

But don't worry guys, the developers already have a solution, you just need to update your Electrum.


Title: Re: Electrum vulnerability found today!
Post by: Kittygalore on January 07, 2018, 12:32:00 PM
Don't panic! All you need to do is uninstall your Electrum and reinstall it or just update, an easy-as-123 solution, but I think there are some people who lost some of their funds because of that issue. Wallets are improving and so are the hackers and scammers, so be careful guys; even if it's safe, bad guys will surely look for it.


Title: Re: Electrum vulnerability found today!
Post by: paolo099 on January 07, 2018, 12:33:48 PM
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.


Title: Re: Electrum vulnerability found today!
Post by: xlcus on January 07, 2018, 12:35:05 PM
I also used the electrum.

Is there any report that someone got lost with electrum so far?


Title: Re: Electrum vulnerability found today!
Post by: BitcoinHodler on January 07, 2018, 12:36:29 PM
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.

it is not such a good idea to open your Electrum now that this method of exploiting it has been made public, there are going to be a lot of people who will try to abuse this.

first upgrade your wallet to the new version (or wait a while to see if it is all fixed and then upgrade to the latest version) then attempt to set a password.

it is worth mentioning that none of this would have mattered if you were using cold storage!


Title: Re: Electrum vulnerability found today!
Post by: Shamefulpilchard on January 07, 2018, 12:37:03 PM
Thanks guys! Quickly updated to the latest version as soon as I read this thread. Glad to hear that the flaw wasn't permanently damaging to Electrum.


Title: Re: Electrum vulnerability found today!
Post by: Blackhammer321 on January 07, 2018, 12:38:08 PM
You only need to update your Electrum to version 3.0.4 to solve that issue. Old versions might be vulnerable for those who do not use a password on their wallet; other than that you don't have to worry much. I've read that Electrum is vulnerable on past versions and uses JavaScript to do it.


Title: Re: Electrum vulnerability found today!
Post by: paolo099 on January 07, 2018, 12:39:55 PM
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.

it is not such a good idea to open your Electrum now that this method of exploiting it has been made public, there are going to be a lot of people who will try to abuse this.

first upgrade your wallet to the new version (or wait a while to see if it is all fixed and then upgrade to the latest version) then attempt to set a password.

it is worth mentioning that none of this would have mattered if you were using cold storage!
i completely agree with you and bear in mind, my advice to add a password to your electrum wallet is to do it AFTER you updated to the newest version!
And of course, cold storage does not have bugs :)


Title: Re: Electrum vulnerability found today!
Post by: ManaMan on January 07, 2018, 12:42:29 PM
I also used the electrum.

Is there any report that someone got lost with electrum so far?

So far none that I am aware of; even if one or a few people lost their funds this way, the question is whether they would even report it. They might be new to crypto or they may have all sorts of things in their minds about it being their mistake.

This is why if you simply follow up with updates of any software, no matter if it's oriented to crypto, it should be safer and more secure. Keep up with updates and always encrypt your wallet. I mean even if some guy saw this issue and tried to use and exploit it and steal funds from others, he wouldn't get far if the user has set a password, and I mean a strong one.

besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.

it is not such a good idea to open your Electrum now that this method of exploiting it has been made public, there are going to be a lot of people who will try to abuse this.

first upgrade your wallet to the new version (or wait a while to see if it is all fixed and then upgrade to the latest version) then attempt to set a password.

it is worth mentioning that none of this would have mattered if you were using cold storage!

Well at least they hope that some news sites will pick it up and inform the community about an update, do you think that many people upgraded their previous versions? Some people might not even have upgraded it to support LN... They have to make it public and raise awareness in my opinion.


Title: Re: Electrum vulnerability found today!
Post by: BitcoinHodler on January 07, 2018, 12:44:49 PM
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.

it is not such a good idea to open your Electrum now that this method of exploiting it has been made public, there are going to be a lot of people who will try to abuse this.

first upgrade your wallet to the new version (or wait a while to see if it is all fixed and then upgrade to the latest version) then attempt to set a password.

it is worth mentioning that none of this would have mattered if you were using cold storage!
i completely agree with you and bear in mind, my advice to add a password to your electrum wallet is to do it AFTER you updated to the newest version!
And of course, cold storage does not have bugs :)

yeah, i was just clarifying.
and technically speaking the cold storage[1] has the bugs since it is the same software you are running, but it is not affected by this particular issue and most of the rest that usually cause issues similar to this one, like the new CPU Meltdown and Spectre attacks.

[1] http://docs.electrum.org/en/latest/coldstorage.html


Title: Re: Electrum vulnerability found today!
Post by: xiaowu55 on January 07, 2018, 12:49:24 PM
It gives us a warning. Our wallets may not be safe, the safety of the purse is worth we suspect. If we had been stolen, who is responsible for? So we should be prepared for protection. It is very important for us. The wallet operators should also be measures. Timely find loopholes and in a timely manner to repair.


Title: Re: Electrum vulnerability found today!
Post by: cellard on January 07, 2018, 01:04:05 PM
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.


Title: Re: Electrum vulnerability found today!
Post by: BitcoinHodler on January 07, 2018, 01:15:53 PM
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.

dude take a chill pill ;D

this has nothing to do with Electrum being an SPV wallet. it is only because the JSONRPC interface of Electrum was not using encryption. even if Electrum were a full client the same thing could have happened.
read the issue: https://github.com/spesmilo/electrum/issues/3374


Title: Re: Electrum vulnerability found today!
Post by: DooMAD on January 07, 2018, 04:04:56 PM
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.

Is that really the overall message you take from this thread?  What an utterly shameful stance.  Particularly as you seem to be deliberately twisting what happened to suit some political narrative.  Even if you could distort the facts to suit your personal attacks (which you've utterly failed at doing, as BitcoinHodler pointed out), it's never "great" that users could have their wallets compromised due to a security vulnerability.  Running a full node won't be suitable for every user and it's not something people should be coerced into against their will.  Dismissing SPV users as some sort of worthless underclass is reprehensible behaviour.  All you achieve is creating further division in the community when that's the last thing we need right now.  


Title: Re: Electrum vulnerability found today!
Post by: casparthefriendly on January 07, 2018, 04:09:41 PM
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.
NOBODY DESERVES to be hacked!  Do you deserve to be hacked for posting this asinine post?  Sheesh!


Title: Re: Electrum vulnerability found today!
Post by: TriplexXx on January 07, 2018, 04:13:06 PM
Once you update your Electrum wallet app to the next version you are safe. You are not the only one scared about the latest Electrum vulnerability; there are many people, though!


Title: Re: Electrum vulnerability found today!
Post by: jerry0 on January 07, 2018, 04:18:27 PM
Does anyone here think it could be the mod or forum hacked getting you to download the new wallet though? 

When you guys did the update when downloading new electrum, did it require you to type down the 12 word seed or not?  I updated electrum few times and i don't recall if it did or not.  I assume yes because well you are creating a new wallet?  But no because well you are just upgrading from one to another?


Title: Re: Electrum vulnerability found today!
Post by: jseverson on January 07, 2018, 04:30:23 PM
Does anyone here think it could be the mod or forum hacked getting you to download the new wallet though? 

When you guys did the update when downloading new electrum, did it require you to type down the 12 word seed or not?  I updated electrum few times and i don't recall if it did or not.  I assume yes because well you are creating a new wallet?  But no because well you are just upgrading from one to another?

Nah, it's legit. Electrum is open-source, and someone seems to have found the vulnerability and reported it.

I have not updated yet because I want to wait until the entire thing blows over, and if you're paranoid, you can do the same thing. What the vulnerability does is it allows a hacker to see your seeds, but having a wallet password encrypts those seeds, so you should be fine for the most part if you have a password. That being said, I strongly advise you to not use your older version at all anymore. Once you do decide to download, just make sure you verify its PGP signature, as theymos has stated.


Title: Re: Electrum vulnerability found today!
Post by: shamzblueworld on January 07, 2018, 04:37:48 PM
Thanks to this notice that I saw in the morning, I hurriedly updated my Electrum; hopefully it's all fine now.
Was quite worried, as yesterday almost all day my Electrum was open and it was the affected version too.


Title: Re: Electrum vulnerability found today!
Post by: cellard on January 07, 2018, 05:21:22 PM
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.

Is that really the overall message you take from this thread?  What an utterly shameful stance.  Particularly as you seem to be deliberately twisting what happened to suit some political narrative.  Even if you could distort the facts to suit your personal attacks (which you've utterly failed at doing, as BitcoinHodler pointed out), it's never "great" that users could have their wallets compromised due to a security vulnerability.  Running a full node won't be suitable for every user and it's not something people should be coerced into against their will.  Dismissing SPV users as some sort of worthless underclass is reprehensible behaviour.  All you achieve is creating further division in the community when that's the last thing we need right now.  

SPV users ARE underclass, and this wouldn't have happened if you were processing your own transactions in your full validating node. The further you are from the ideal of sovereign money, the more underclass you become within the bitcoin network. This is a fact.
They are not worthless, I didn't say that. They have worth, just like people using 0 confirmation transactions (back then when you could still do that), but they are second class citizens in the network, they always were.

It's never a bad time to remind people how Roger Ver et al want nobody but corporations to run full validating nodes, they want everyone else on SPV wallets being a cuck of someone else processing the transactions for you. Not gonna happen.


Title: Re: Electrum vulnerability found today!
Post by: jerry0 on January 08, 2018, 03:25:31 AM
Okay thanks for that information. So what if you open electrum now then but don't download new version.  Is that fine or not?  It says shut down electrum immediately but i assume only if you open the wallet?  Such as imagine you open electrum but don't put in your password to open the encryption?


What do you mean PGP signature?


Yes im going to wait as well in case this is a hack where the forum/mod got hacked.


Title: Re: Electrum vulnerability found today!
Post by: pooya87 on January 08, 2018, 04:10:36 AM
Okay thanks for that information. So what if you open electrum now then but don't download new version.  Is that fine or not?  It says shut down electrum immediately but i assume only if you open the wallet?  Such as imagine you open electrum but don't put in your password to open the encryption?
if you don't have a password set for your Electrum wallet (any version between 2.6 to 3.0.3) and open it, an attacker can use the JSONRPC of your wallet to get your private keys.
that is why the warning tells you to "close" your wallet and don't open it until you upgrade.

Quote
What do you mean PGP signature?
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://gnupg.org/download/integrity_check.html

Quote
Yes im going to wait as well in case this is a hack where the forum/mod got hacked.
what does the forum mod getting hacked have to do with this?!!!


Title: Re: Electrum vulnerability found today!
Post by: zoza14 on January 08, 2018, 09:10:43 AM
Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5


Title: Re: Electrum vulnerability found today!
Post by: satamusic on January 08, 2018, 10:29:29 AM
tempted to setup a few VMs with the vulnerable Electrum version installed, no adblock or noscript, and let them run wild on the internet crawling the sleaziest sites i can imagine for a few hours, and just see what i catch :)


Title: Re: Electrum vulnerability found today!
Post by: hahay on January 08, 2018, 10:34:55 AM
I just read about this here:

https://bitcointalk.org/index.php?topic=2702103.msg27624964#msg27624964

Can someone inform me should I worry if I am using Electrum with a Trezor?

Thanks
I've spent a coin from Electrum a couple of weeks ago, so I do not have to worry about the current situation. But to prevent things that are not desirable, it is better that we update the Electrum wallet to the latest version, because after all they will improve their system to be better again.


Title: Re: Electrum vulnerability found today!
Post by: TheQuin on January 08, 2018, 10:36:19 AM
Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

You are safe because the Trezor holds your seed, not Electrum. That is the whole point of using a hardware wallet, it signs the transactions and that cannot be done from the PC or other devices you connect it to. However, it is possible that the exploit could be used to compromise your privacy so you should still upgrade.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5

This could be a false positive from VirusTotal or you may have downloaded from a phishing site, not the genuine https://electrum.org/#download
Always verify the signature before installing.


Title: Re: Electrum vulnerability found today!
Post by: zoza14 on January 08, 2018, 02:31:40 PM
Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

You are safe because the Trezor holds your seed, not Electrum. That is the whole point of using a hardware wallet, it signs the transactions and that cannot be done from the PC or other devices you connect it to. However, it is possible that the exploit could be used to compromise your privacy so you should still upgrade.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5

This could be a false positive from VirusTotal or you may have downloaded from a phishing site, not the genuine https://electrum.org/#download
Always verify the signature before installing.


Finally thanks for the answer!


Title: Re: Electrum vulnerability found today!
Post by: jerry0 on January 08, 2018, 02:46:20 PM
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?


Title: Re: Electrum vulnerability found today!
Post by: cellard on January 08, 2018, 02:51:31 PM
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.


Title: Re: Electrum vulnerability found today!
Post by: Wulanayu on January 08, 2018, 02:56:50 PM
I guess you do not have to worry because Electrum already knows and has a way out to remove the vulnerability; you are just asked to upgrade so that you are safe from danger.
All have their respective duties; you are just ordered to obey if you want to be safe.
So you do not have to worry about what's happening now because Electrum has taken a good step.


Title: Re: Electrum vulnerability found today!
Post by: jerry0 on January 08, 2018, 03:02:28 PM
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.


Hi there.  I had an electrum wallet for a while so i'm not new to this.  I also updated electrum few times from their website when it was version 2.x to 2.x etc. 

So when i update it again on their website, i want to know, do they ask you for your 12 word seed to install the new version of electrum or not.  Because i do not recall if it did when asking me this the last few times i installed new electrum version.


Title: Re: Electrum vulnerability found today!
Post by: Kprawn on January 08, 2018, 03:15:53 PM
I presume that you did this --> https://blog.trezor.io/using-trezor-with-electrum-v3-a0b9bcffe26e .... You should be fine, if you just upgrade to the latest version of Electrum 3.0.5. The previous upgrade 3.0.4 did not solve the problem, so you MUST upgrade to Electrum 3.0.5 to solve it. Just make sure you keep your Trezor seed safe.  ;)


Title: Re: Electrum vulnerability found today!
Post by: jerry0 on January 08, 2018, 03:24:10 PM
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.


Hi there.  I had an electrum wallet for a while so i'm not new to this.  I also updated electrum few times from their website when it was version 2.x to 2.x etc. 

So when i update it again on their website, i want to know, do they ask you for your 12 word seed to install the new version of electrum or not.  Because i do not recall if it did when asking me this the last few times i installed new electrum version.


Hey all so just to confirm.  Download from

https://electrum.org/#download

Then download from windows installer right assuming you have windows?  I notice there is a word signature to it that you can click on but since its the real website, just click on windows installer and thats all?

Once you download it, do you need to copy/paste your 12 word seed to install the electrum 3.0.5 or not?

I want to make sure if this before i download it.



Title: Re: Electrum vulnerability found today!
Post by: TheQuin on January 08, 2018, 03:43:02 PM
Once you download it, do you need to copy/paste your 12 word seed to install the electrum 3.0.5 or not?

No, you do not need to, Electrum will just open normally but with the new version. However, you should always have a safely stored copy of your seed written down. If anything went wrong in the upgrade process you may need it to restore.


Title: Re: Electrum vulnerability found today!
Post by: CONANEDO on January 08, 2018, 04:39:54 PM
I have just downloaded the new version from here: https://www.electrum.org/#download , I clicked from my Electrum wallet from the help option and opened this link. Is this link the same as this link https://electrum.org/#download ? Because I thought it was the same because I clicked from my Electrum wallet.

Please tell me this is the same link because I am scared. I have downloaded from here: https://www.electrum.org/#download


Title: Re: Electrum vulnerability found today!
Post by: anitaraymonds on January 08, 2018, 04:44:31 PM
I think if you followed the instruction and do the necessary updates including passwording  your wallet there should be no more worries. Please just follow instructions.


Title: Re: Electrum vulnerability found today!
Post by: khaled0111 on January 08, 2018, 10:24:00 PM
If you have a strong password or use your device just to open your wallet (you don't use it to browse the Internet) you will be safe.
the vulnerability uses some malicious JavaScript codes that can be only executed through your browser.

If you didn't lose any funds just send it to another wallet or update your electrum wallet to the latest version.


Title: Re: Electrum vulnerability found today!
Post by: xlcus on January 09, 2018, 12:59:12 AM
Is the red light for electrum wallet over? I saw there is another upgrade for the wallet.
I am scared about it as I have all my btc on electrum.
 >:( >:( >:(


Title: Re: Electrum vulnerability found today!
Post by: xlcus on January 09, 2018, 01:01:01 AM
And also when I upgrade, I verify the signature of Electrum wallet I downloaded from https://electrum.org/#download

I got a warning. Is it legit?


Title: Re: Electrum vulnerability found today!
Post by: Cherylstar86 on January 09, 2018, 01:11:56 AM
I just read about this here:

https://bitcointalk.org/index.php?topic=2702103.msg27624964#msg27624964

Can someone inform me should I worry if I am using Electrum with a Trezor?

Thanks


Well, if you are users electrum site today you should upgrade to .3 to avoid of conflict in signing. But for those users are not connected to electrum you don't have to worry because we are safe in accessing the bitcoin forum index. Right this day we can see that it's already done fixing those cautions in electrum found at the top of our account.
 


Title: Re: Electrum vulnerability found today!
Post by: jerry0 on January 09, 2018, 03:14:52 AM
Can someone here confirm that downloading electrum from the official electrum website now with the windows installer is fine?

Anyone here still using the old electrum and opened it and have no issues at all even though it was recommended by theymos to not do it?

The other thing is what percentage of Electrum users even know about this?  Because even if you use Electrum a bit, the only way to know about this would be either visiting this forum or going to their website.  And obviously someone isn't going to check the Electrum website every day to check for the new update etc.


Title: Re: Electrum vulnerability found today!
Post by: TheQuin on January 09, 2018, 07:46:21 AM
Can someone here confirm that downloading electrum from the official electrum website now with the windows installer is fine?

Yes, I've done it and it is fine. As long as you make sure it is the official website and not a phishing one. Verify the signature to be extra safe and protect yourself from the extremely unlikely event that the site has been hacked.

Anyone here still using the old electrum and opened it and have no issues at all even though it was recommended by theymos to not do it?

I had Electrum open when I first saw theymos' message. All my BTC are safe. The vulnerability was reported to Electrum rather than being discovered by someone exploiting it. The exploit would be via a website running JavaScript, so you would have to not only open the old Electrum but also visit a malicious website (which there is no evidence even exists) at the same time.

The other thing is what percentage of Electrum users even know about this?  Because even if you use Electrum a bit, the only way to know about this would be either visiting this forum or going to their website.  And obviously someone isn't going to check the Electrum website every day to check for the new update etc.

It would be a reasonable suggestion for Electrum to add an automatic notification when a new version is available.

In general, just calm down and upgrade. If you are holding a large amount of BTC then it shouldn't be on an internet-connected device in the first place. Get a hardware wallet or use an air-gapped cold wallet.
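Added example (not part of any post in this thread): one way to check mechanically that a download link points at the official site, as asked earlier in the thread about the two electrum.org links and as TheQuin advises above. It assumes both hostnames quoted in the thread are official; the other sample URLs are constructed for illustration, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption of this example: both hostnames quoted in the thread are official.
OFFICIAL_HOSTS = {"electrum.org", "www.electrum.org"}


def naive_check(url: str) -> bool:
    """Substring test, shown only for contrast: it is fooled by lookalike URLs."""
    return "electrum.org" in url


def is_official_download_url(url: str) -> bool:
    """True only for an HTTPS URL whose parsed host is exactly an official host."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased; userinfo ("user@") and port removed
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False           # plain HTTP gives no assurance about the server
    if port not in (None, 443):
        return False
    if not host.isascii():
        return False           # non-ASCII lookalike letters in the hostname
    return host.rstrip(".") in OFFICIAL_HOSTS


# Constructed sample links: two from the thread, the rest lookalike patterns.
SAMPLES = [
    "https://electrum.org/#download",
    "https://www.electrum.org/#download",
    "http://electrum.org/#download",
    "https://electrum.org.example.com/#download",
    "https://electrum.org@example.com/#download",
    "https://example.com/electrum.org/#download",
    "https://\u0435lectrum.org/#download",  # first letter is Cyrillic U+0435
]


def review(urls):
    """Return (url, naive result, strict result) for each URL."""
    return [(u, naive_check(u), is_official_download_url(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in review(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url!r}")
```

A matching host only tells you where the link points; the signature check TheQuin recommends is what covers the case of the official site itself being compromised.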


Title: Re: Electrum vulnerability found today!
Post by: Mr.Smithers on January 09, 2018, 07:52:31 AM
I asked separately the same question in another thread and the general consensus of forum members was that it was safe. So I am just passing it along to your thread for your peace of mind :)


Title: Re: Electrum vulnerability found today!
Post by: cellard on January 09, 2018, 03:56:01 PM
If you have a strong password or use your device just to open your wallet (you don't use it to browse the Internet) you will be safe.
The vulnerability uses some malicious JavaScript code that can only be executed through your browser.

If you didn't lose any funds just send it to another wallet or update your electrum wallet to the latest version.

But now that the Spectre and Meltdown exploits were found on all Intel computers since 1995, people are learning the fact that it's impossible to be safe. Electrum may have solved this, but you don't know if there are more exploits lurking, either at software level or at hardware level. It's a losing battle: you must use cold storage on isolated computers that are never connected to the internet, and treat your bitcoins like they are radioactive material that must not escape its containment (it must remain enclosed). People used to say that I was crazy about using libreboot, airgapping computers and so on, but now it's clear that it's impossible to keep your bitcoins safe outside of that model.

With Trezors and so on you are still connecting the device to an online machine and you are trusting that their method will not have any leaks. Not as ideal as an airgapped Linux machine in my book.



Title: Re: Electrum vulnerability found today!
Post by: redhondaxrm125 on January 09, 2018, 04:51:58 PM
As you can see, all you need to do is update your wallet, so it's perfectly fine, and you don't need to worry about it.

Strictly speaking, if you neglected to put a password on your wallet, then you probably should worry as your funds are currently vulnerable.  But other than that, yes, it should just be a simple update. 

Users of Bitcoin and other cryptocurrencies should also be vaguely aware of the security risks around JavaScript generally.  It's not just any given website you happen to be visiting that could potentially run malicious code, but also all the third party websites utilised by that site which handle all manner of things from advertising to multimedia plugins.  Browsing the internet with JavaScript completely disabled will result in a somewhat limited experience, as many websites won't function correctly.  So the trade-off is to use a browser plugin to manually pick and choose which sites are safe to run JavaScript and which ones should be blocked.  For any Firefox/Mozilla users, there's NoScript (https://noscript.net/) and I'm pretty sure there's something similar for Chrome users.  You'll have to click some buttons for each and every website you know and trust to allow JavaScript, which does take some time and effort, but it's worth it.


I believe so too. It is nice to fantasize that all is as easy as what we want it to be. But the thing is, it isn't. Even when security is improving, hackers are also improving, which is why we all have to be careful and be more paranoid. Because in my opinion, being paranoid is better than losing all the crypto possessions that you have worked hard to gain.