Bitcoin Forum

Bitcoin => Electrum => Topic started by: apoorvlathey on October 27, 2016, 03:36:22 PM



Title: Serious Security glitch in Electrum !!
Post by: apoorvlathey on October 27, 2016, 03:36:22 PM
I have noticed a very serious security breach in the Electrum desktop wallet. I have set a password to secure my wallet, but it is of no use.
While adding a new address, it asked for a password. I pressed Cancel; even then a new window to enter the private key appeared and I was able to add a new Bitcoin address without the password!
I then tried to sign a message with the new address added to the wallet. It asked me for the password, I again pressed Cancel, and to my surprise the sign/verify window still appeared and I could successfully sign a message with that address without even entering the password.
I have not tried this with a Bitcoin transaction though.


Title: Re: Serious Security glitch in Electrum !!
Post by: btchris on October 27, 2016, 05:18:32 PM
It doesn't look like this was a known bug, but it was fixed here (https://github.com/spesmilo/electrum/commit/3062a62cf99ee907d2239cde3af7ae852463a14f) (as a result of fixing a related issue) in version 2.7.10 (current version is 2.7.11).

After upgrading, you'll still need to fix your wallet. Delete any affected addresses on the addresses tab, and import them again.


Title: Re: Serious Security glitch in Electrum !!
Post by: HI-TEC99 on October 27, 2016, 07:57:07 PM
I have noticed a very serious security breach in the Electrum desktop wallet. I have set a password to secure my wallet, but it is of no use.
While adding a new address, it asked for a password. I pressed Cancel; even then a new window to enter the private key appeared and I was able to add a new Bitcoin address without the password!
I then tried to sign a message with the new address added to the wallet. It asked me for the password, I again pressed Cancel, and to my surprise the sign/verify window still appeared and I could successfully sign a message with that address without even entering the password.
I have not tried this with a Bitcoin transaction though.

By "adding new address" do you mean you created a new wallet and left the password blank when it asked you to create one? The dialog box says "enter nothing if you want to disable encryption".


http://s16.postimg.org/6sjt6zs8l/electrum.jpg

That's not a bug, it's a feature. If you don't want to be forced into entering a password every time you send Bitcoins then you miss out the password when you create the wallet.

I can't find an option in the GUI to add a new address, I think you can only do that in the console through the command line.


Title: Re: Serious Security glitch in Electrum !!
Post by: btchris on October 27, 2016, 09:42:07 PM
I can't find an option in the GUI to add a new address, I think you can only do that in the console through the command line.

You misunderstood OP's issue.

You can create a wallet containing loose (non-HD) keys: create a "standard" wallet, select "Use public or private keys", and paste in one or more keys. Set a password when asked.

After creating the wallet, go to Wallet --> Private keys --> Import to import additional keys. Electrum will ask you for your password. In versions 2.7.9 and earlier, you could hit Cancel on the password prompt, but Electrum would still allow you to enter new private keys for import, and you'd end up with a wallet with the original keys encrypted, but the new keys in plaintext.

As I said above, this was fixed in 2.7.10.
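The fail-open import flow btchris describes, modelled as an added Python illustration (not Electrum's own code): a cancelled password dialog yields no password, and an import routine that does not treat that as an abort ends up storing the new key unencrypted next to the encrypted originals. The key strings, the toy PBKDF2/XOR "encryption" and the dialog stub are all constructed for the demo.

```python
import hashlib
from typing import List, Optional

# Constructed sample values (not real private keys).
ORIGINAL_KEY = "KxConstructedKey111111111111111111111111111111111111"
NEW_KEY = "KyConstructedKey222222222222222222222222222222222222"
WALLET_PASSWORD = "correct horse"

def encrypt(password: str, plaintext: str) -> str:
    """Toy stand-in for the wallet's key encryption (demo only, not Electrum's scheme)."""
    data = plaintext.encode()
    stream = hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 1000, len(data))
    return "enc:" + bytes(a ^ b for a, b in zip(data, stream)).hex()

def is_encrypted(stored: str) -> bool:
    return stored.startswith("enc:")

def new_wallet(password: str) -> List[str]:
    """A wallet created with a password: its original loose key is stored encrypted."""
    return [encrypt(password, ORIGINAL_KEY)]

def prompt_password(user_cancels: bool) -> Optional[str]:
    """Models the password dialog: Cancel returns None instead of a string."""
    return None if user_cancels else WALLET_PASSWORD

def import_key_failopen(keystore: List[str], key: str, user_cancels: bool) -> None:
    """Pre-2.7.10 pattern: the prompt's result is never checked, so a cancelled
    dialog falls through and the key is appended in plaintext."""
    password = prompt_password(user_cancels)
    keystore.append(encrypt(password, key) if password else key)

def import_key_failclosed(keystore: List[str], key: str, user_cancels: bool) -> bool:
    """Fixed pattern: no password means no import at all."""
    password = prompt_password(user_cancels)
    if password is None:
        return False
    keystore.append(encrypt(password, key))
    return True

def find_plaintext_keys(keystore: List[str]) -> List[str]:
    """Audit helper: entries an affected user should delete and re-import."""
    return [k for k in keystore if not is_encrypted(k)]
```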