Bitcoin Forum
July 20, 2024, 09:39:00 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
  Home Help Search Login Register More  
  Show Posts
Pages: [1] 2 3 4 »
1  Bitcoin / Electrum / Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade on: January 10, 2018, 12:50:46 PM
A vulnerability has been found in Electrum, and patched in version 3.0.5.
Please update your software if you are running an earlier version.

Below is a copy of the satement we put on our website.
The original can be found here:

Thanks to Theymos for displaying a notice on this website.

JSONRPC vulnerability in Electrum 2.6 to 3.0.4

On January 6th, a vulnerability was disclosed in the Electrum wallet
software, that allows malicious websites to execute wallet commands
through JSONRPC executed in a web browser. The bug affects versions
2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of
Electrum such as Electron Cash.

Can funds be stolen?

Wallets that are not password protected are at risk of theft, if they
are opened with a version of Electrum older than 3.0.5 while a web
browser is active.

In addition, the vulnerability allows an attacker to modify user
settings, the list of contacts in a wallet, and the "payto" and
"amount" fields of the user interface while Electrum is running.

Although there is no known occurrence of Bitcoin theft occurring
because of this vulnerability, the risk increases substantially now
that the vulnerability has been made public.

Can wallet data be leaked?

Yes, an attacker can obtain private data, such as: Bitcoin addresses,
transaction labels, address labels, wallet contacts and master public

Can a password-protected wallet be bruteforced?

Not realistically. The vulnerability does not allow an attacker to
access encrypted seed or private keys, which would be needed in order
to perform an efficient brute force attack. Without the encrypted
seed, an attacker must try passwords using the JSONRPC interface,
while the user is visiting a malicious page. This is several orders of
magnitude slower than an attack with the encrypted seed, and
restricted in time. Even a weak password will protect against that.

What should users do?

All users should upgrade their Electrum software, and stop using old

Users who did not protect their wallet with a password should create a
new wallet, and move their funds to that wallet. Even if it never
received any funds, a wallet without password should not be used
anymore, because its seed might have been compromised.

In addition, users should review their settings, and delete all
contacts from their contacts list, because the Bitcoin addresses of
their contacts might have been modified.

How to upgrade Electrum

Stop running any version of Electrum older than 3.0.5, and install
Electrum the most recent version. On desktop, make sure you download
Electrum from and no other website. On Android,
the most recent version is available in Google Play.

If Electrum 3.0.5 (or any later version) cannot be installed or does
not work on your computer, stop using Electrum on that computer, and
access your funds from a device that can run Electrum 3.0.5. If you
really need to use an older version of Electrum, for example in order
to access wallet seed, make sure that your computer is offline, and
that no web browser is running on the computer at the same time.

Should all users move their funds to a new address?

We do not recommend moving funds from password protected wallets. For
wallets that were not password protected, moving funds is an extreme
precaution, that might not be necessary; indeed, if a wallet was
compromised, it is very likely that the attacker would have stolen the
funds immediately.

When was the issue reported and fixed?

The absence of password protection in the JSONRPC interface was
reported on November 25th, 2017 by user jsmad:

jsmad's report was about the Electrum daemon, a piece of software that
runs on web servers and is used by merchants in order to receive
Bitcoin payments. In that context, connections to the daemon from the
outside world must be explicitly authorized, by setting 'rpchost' and
'rpcport' in the Electrum configuration.                                                                                                                                                                          

On January 6th, 2018, Tavis Ormandy demonstrated that the JSONRPC
interface could be exploited against the Electrum GUI, and that the
attack could be carried out by a web browser running locally, visiting
a webpage with specially crafted JavaScript.

We released a new version (3.0.4) in the hours following Tavis' post,
with a patch written by mithrandi (Debian packager), that addressed
the attack demonstrated by Tavis. In addition, the Github issue
remained open, because mithrandi's patch was not adding password
protection to the JSONRPC interface.
2  Bitcoin / Electrum / Electrum 2.9 was released today on: July 27, 2017, 03:52:00 PM
Release Notes:

# Release 2.9 - Independence (July 27th, 2017)
  * Multiple Chain Validation: Electrum will download and validate
    block headers sent by servers that may follow different branches
    of a fork in the Bitcoin blockchain. Instead of a linear sequence,
    block headers are organized in a tree structure. Branching points
    are located efficiently using binary search. The purpose of MCV is
    to detect and handle blockchain forks that are invisible to the
    classical SPV model.
  * The desired branch of a blockchain fork can be selected using the
    network dialog. Branches are identified by the hash and height of
    the diverging block. Coin splitting is possible using RBF
    transaction (a tutorial will be added).
  * Multibit support: If the user enters a BIP39 seed (or uses a
    hardware wallet), the full derivation path is configurable in the
    install wizard.
  * Option to send only confirmed coins
  * Qt GUI:
    - Network dialog uses tabs and gets updated by network events.
    - The gui tabs use icons
  * Kivy GUI:
    - separation between network dialog and wallet settings dialog.
    - option for manual server entry
    - proxy configuration
  * Daemon: The wallet password can be passed as parameter to the
  * Various other bugfixes and improvements.
3  Bitcoin / Electrum / Electrum 2.8 is released on: March 09, 2017, 06:48:15 PM
From the release notes:

# Release 2.8.0 (March 9, 2017)
  * Wallet file encryption using ECIES: A keypair is derived from the
    wallet password. Once the wallet is decrypted, only the public key
    is retained in memory, in order to save the encrypted file.
  * The daemon requires wallets to be explicitly loaded before
    commands can use them. Wallets can be loaded using: 'electrum
    daemon load_wallet [-w path]'. This command will require a
    password if the wallet is encrypted.
  * Invoices and contacts are stored in the wallet file and are no
    longer shared between wallets. Previously created invoices and
    contacts files may be imported from the menu.
  * Fees improvements:
    - Dynamic fees are enabled by default.
    - Child Pays For Parent (CPFP) dialog in the GUI.
    - RBF is automatically proposed for low fee transactions.
  * Support for Segregated Witness (testnet only).
  * Support for Digital Bitbox hardware wallet.
  * The GUI shows a blue icon when connected using a proxy.

Please note that it will regenerate all your addresses the first time you run it, due to a format update.
4  Bitcoin / Electrum / [VIDEO] Electrum - Thomas Voegtlin 7th September 2016 on: October 03, 2016, 06:16:10 AM
I was invited to give a talk at the Zurich Bitcoin meetup last month.
Here is the link:

Thanks to Lucas Betschart and Roger Darin for the video!
5  Bitcoin / Electrum / Electrum 2.7.0 on: October 03, 2016, 06:09:58 AM
EDIT: There was no major issue with the release candidate, so here is the official release.

Release notes:
# Release 2.7.0 (October 2016)

 * The wallet file format has been upgraded. This upgrade is not
   backward compatible, which means that a wallet upgraded to the 2.7
   format will not be readable by earlier versions of
   Electrum. Multiple accounts inside the same wallet are not
   supported in the new format; the Qt GUI will propose to split any
   wallet that has several accounts. Make sure that you have saved
   your seed phrase before you upgrade Electrum.
 * This version introduces a separation between wallets types and
   keystores types. 'Wallet type' defines the type of Bitcoin contract
   used in the wallet, while 'keystore type' refers to the method used
   to store private keys. Therefore, so-called 'hardware wallets' will
   be referred to as 'hardware keystores'.
 * Hardware keystores:
   - The Ledger Nano S is supported.
   - Hardware keystores can be used as cosigners in multi-signature
   - Multiple hardware cosigners can be used in the same multisig
     wallet. One icon per keystore is displayed in the satus bar. Each
     connected device will co-sign the transaction.
 * Replace-By-Fee: RBF transactions are supported in both Qt and
   Android. A warning is displayed in the history for transactions
   that are replaceable, have unconfirmed parents, or that have very
   low fees.
 * Dynamic fees: Dynamic fees are enabled by default. A slider allows
   the user to select the expected confirmation time of their
   transaction. The expected confirmation times of incoming
   transactions is also displayed in the history.
 * The install wizards of Qt and Kivy have been unified.
 * Qt GUI (Desktop):
   - A fee slider is visible in the in send tab
   - The Address tab is hidden by default, can be shown with Ctrl-A
   - UTXOs are displayed in the Address tab
 * Kivy GUI (Android):
   - The GUI displays the complete transaction history.
   - Multisig wallets are supported.
   - Wallets can be created and deleted in the GUI.
 * Seed phrases can be extended with a user-chosen passphrase. The
   length of seed phrases is standardized to 12 words, using 132 bits
   of entropy (including 2FA seeds). In the wizard, the type of the
   seed is displayed in the seed input dialog.
 * TrustedCoin users can request a reset of their Google Authenticator
   account, if they still have their seed.
6  Bitcoin / Electrum / Electrum is now on Google Play on: February 27, 2016, 01:55:10 PM
7  Bitcoin / Electrum / Electrum 2.6 release on: February 26, 2016, 06:16:27 PM
Version 2.6 was released today.

Release notes:

8  Bitcoin / Electrum / Electrum for Android - beta version on: February 09, 2016, 01:26:21 PM
A new version of Electrum for Android will be available on Google Play soon.
A beta version is already available here:

Note: To install it, you need to allow 'unknown source' in your preferences.

9  Bitcoin / Electrum / Electrum 2.5 released on: October 17, 2015, 11:59:56 AM
see release notes:

Please do update, as previous versions create signatures with high S values, which are nonstandard now.
10  Bitcoin / Electrum / Electrum 2.4 binaries on: August 17, 2015, 01:34:28 PM
Version 2.4.2 was released today, with OSX and Windows binaries.

However, hardware wallets (trezor, ledger) are not supported in the current Windows binaries.
If you use a hardware wallet, please wait until we have better binaries.
11  Bitcoin / Electrum / How to accept Bitcoin on a website using Electrum on: August 01, 2015, 05:32:50 AM
Electrum 2.4 can be used in to accept Bitcoin on a webserver, with signed payment requests.

I recently added this page to the documentation:

12  Bitcoin / Electrum / Security warning: OpenAlias plugin vunerability on: July 09, 2015, 08:04:30 AM
We recently discovered that the OpenAlias plugin, shipped in Electrum 2.0 to 2.3, does not correctly validate DNSSEC records.

A fixed version is in the works, and will be shipped in version 2.4. (ETA: a week)
In the meantime, please do not trust aliases verified by that plugin.

See the release notes for more details:
13  Bitcoin / Electrum / Electrum 2.3 is released on: June 12, 2015, 10:31:02 AM
release notes:

# Release 2.3
 * Improved logic for the network layer.
 * More efficient coin selection. Spend oldest coins first, and
   minimize the number of transaction inputs.
 * Plugins are loaded independently of the GUI. As a result, Openalias,
   TrustedCoin and Trezor wallets can be used with the command
   line. Example: 'electrum payto <openalias> <amount>'
 * The command line has been refactored:
  - Arguments are parsed with argparse.
  - The inline help includes a description of options.
  - Some commands have been renamed. Notably, 'mktx' and 'payto' have
    been merged into a single command, with a --broadcast option.
   Type 'electrum --help' for a complete overview.
 * The command line accepts the '!' syntax to send the maximum
   amount available. It can be combined with the '--from' option.
   Example: 'payto <destination> ! --from <from_address>'
 * The command line also accepts a '?' shortcut for private keys
   arguments, that triggers a prompt.
 * Payment requests can be managed with the command line, using the
   following commands: 'addrequest', 'rmrequest', 'listrequests'.
   Payment requests can be signed with a SSL certificate, and published
   as bip70 files in a public web directory. To see the relevant
   configuration variables, type 'electrum addrequest --help'
 * Commands can be called with jsonrpc, using the 'jsonrpc' gui. The
   jsonrpc interface may be called by php.
14  Bitcoin / Electrum / Electrum 2.0 release on: March 02, 2015, 01:54:29 PM
The website was updated with 2.0 source packages. Executables for windows and OSX will be released soon.

The release notes are a bit dense, due to the large amount of changes and new features in this release. In the coming weeks we will be adding more detailed documentation to the wiki and to the website.

There has been a very long hiatus in Electrum releases, because it took me a lot of time to decide about the new seed derivation method and wallet structure. Now that this part is done, I hope that we will resume to a faster release pace.

I would like to thank all the people who contributed to this release: developers, beta testers, and ordinary users who provided useful feedback.





# Release 2.0

* Before you upgrade, make sure you have saved your wallet seed on

* Documentation is now hosted on a wiki:

* New seed derivation method (not compatible with BIP39). The seed
phrase includes a version number, that refers to the wallet
structure. The version number also serves as a checksum, and it
will prevent the import of seeds from incompatible wallets. Old
Electrum seeds are still supported.

* New address derivation (BIP32). Standard wallets are single account
and use a gap limit of 20.

* Support for Multisig wallets using parallel BIP32 derivations and
P2SH addresses ("2 of 2", "2 of 3").

* Compact serialization format for unsigned or partially signed
transactions, that includes the BIP32 master public key and
derivation needed to sign inputs. Serialized transactions can be
sent to cosigners or to cold storage using QR codes (using Andreas
Schildbach's base 43 idea).

* Support for BIP70 payment requests:
- Verification of the chain of signatures uses tlslite.
- In the GUI, payment requests are shown in the 'Invoices' tab.

* Support for hardware wallets: Trezor (Satoshilabs) and Btchip (Ledger).

* Two-factor authentication service by TrustedCoin. This service uses
"2 of 3" multisig wallets and Google Authenticator. Note that
wallets protected by this service can be deterministically restored
from seed, without Trustedcoin's server.

* Cosigner Pool plugin: encrypted communication channel for multisig
wallets, to send and receive partially signed transactions.

* Audio Modem plugin: send and receive transactions by sound.

* OpenAlias plugin: send bitcoins to aliases verified using DNSSEC.

* New 'Receive' tab in the GUI:
- create and manage payment requests, with QR Codes
- the former 'Receive' tab was renamed to 'Addresses'
- the former Point of Sale plugin is replaced by a resizeable
window that pops up if you click on the QR code

* The 'Send' tab in the Qt GUI supports transactions with multiple
outputs, and raw hexadecimal scripts.

* The GUI can connect to the Electrum daemon: "electrum -d" will
start the daemon if it is not already running, and the GUI will
connect to it. The daemon can serve several clients. It times out
if no client uses if for more than 5 minutes.

* The install wizard can be used to import addresses or private
keys. A watching-only wallet is created by entering a list of
addresses in the wizard dialog.

* New file format: Wallets files are saved as JSON. Note that new
wallet files cannot be read by older versions of Electrum. Old
wallet files will be converted to the new format; this operation
may take some time, because public keys will be derived for each
address of your wallet.

* The client accepts servers with a CA-signed SSL certificate.

* ECIES encrypt/decrypt methods, availabe in the GUI and using
the command line:
encrypt <pubkey> <message>
decrypt <pubkey> <message>

* The Android GUI has received various updates and it is much more
stable. Another script was added to Android, called Authenticator,
that works completely offline: it reads an unsigned transaction
shown as QR code, signs it and shows the result as a QR code.

15  Bitcoin / Electrum / Electrum 2.0 beta version on: February 03, 2015, 03:58:13 PM
Packages are available here:
The first beta was released on Sunday. There was no thread in this forum because the forum was down.

Windows and OSX binaries will be available soon.
16  Bitcoin / Electrum / Twitter and GMX accounts compromised on: December 10, 2014, 10:14:08 AM
Hash: SHA1

I am Thomas Voegtlin, main developer of the Electrum Bitcoin

On Dec. 6th, 2014, my GMX email account has been compromised and its
password was reset. Using access to my GMX account, the attacker could
obtain a password reset of my @ElectrumWallet Twitter account, and
posted racist messages on it. I have since then regained control of my
GMX email account, and I hope that the Twitter situation will get
resolved soon.

The Electrum website, SSL certificate, Github account, were not
affected by the attack, and the source code of Electrum was not

At this point it is not known how my GMX account was compromised, so I
will consider that email address as permanently compromised, even if I
have regained access to the account. I will post more information once
the situation is fully resolved.

Version: GnuPG v1

17  Bitcoin / Electrum / Electrum 1.9.8 released on: March 16, 2014, 01:27:38 PM
I am happy to announce the release of Electrum 1.9.8.
This release includes some features initially planned for version 2.0.

Packages are available on (signed by me)
Binaries for windows and mac will be available in the coming days




# Release 1.9.8

(This release includes features initially planned for version 2.0)

* Electrum servers were upgraded to version 0.9. The new server stores
   a Patrica tree of all UTXOs, an idea proposed by Alan Reiner in the
   bitcointalk forum. This property allows the client to directly
   request the balance of any address. The new commands are:
      1. getaddressbalance <address>
      2. getaddressunspent <address>
      3. getutxoaddress <txid> <pos>

* Command-line commands that require a connection to the network spawn
   a daemon, that remains connected and handles subsequent
   commands. The daemon terminates itself if it remains unused for more
   than one minute. The purpose of this is to make scripting more
   efficient. For example, a bash script using many electrum commands
   will open only one connection.

edit: encrypt/decrypt methods were removed due to a bug
18  Bitcoin / Electrum / Electrum - State of the Alloy on: January 22, 2014, 07:28:16 PM
Dear Bitcoiners,

Since the 1st of january I have officially left my previous job (computer scientist at INRIA) in order to work full time on the development of Electrum. My plan is to create a company, Electrum Technologies, that will distribute the Electrum software, and sell related services. This company project is now officially supported by the incubator of the french region Lorraine ( ); we signed the contract yesterday.

I am now working on version 2.0 of Electrum. The following features are under development:

1. A Patricia tree data structure, also called "Ultimate Blockchain Compression", will be implemented in Electrum servers. This data structure allows a client to get the balance of any address instantly, and it will also generate a "proof of completeness" (the root hash of the patricia tree), that can be used to check that the server sent all UTXOs related to a given address to the client. A first implementation of this patricia tree was recently completed, and is available in the 'fulltree' branch of the Electrum server. This prototype uses a 256-way branching, and can import recent blocks at 2s/block. Following maaku's suggestion ( ), I plan to upgrade it with binary branching. I also look forward to maaku's C++ implementation, which should be much faster than Python.

2. Version 2.0 will use BIP32 wallets with multiple accounts (this feature was initially planned for 1.9, but it had to be postponed)
Some of these accounts will have no "gap limit", so that merchants can create arbitrary numbers of addresses without messing with the internal parameters of their wallet.

3. Version 2.0 will have a daemon mode, that remains always connected, and that can be queried with json-rpc. This means that shell scripts will be able to use multiple Electrum commands without without opening and closing sockets for each command.

4. A 2-factor authentication service using multisig addresses is under development, that will be available in Electrum through a paying plugin. I made a demonstration of that service in Barcelona last fall, during the meeting organized by genjix. I am now working with lawyers, in order to define the terms of use for that service.

The ETA for version 2.0 (including points 2 and 3) is about 1 month from now. The multisig service (4) will probably require an extra month in order to be finalized.

I am looking forward to the coming months, and I hope to deliver the best possible software.


Note: I will attend the Berlin conference in february; send me a note if you want to meet me there.
19  Bitcoin / Electrum / Warning: fake electrum website is distributing malware!! on: December 23, 2013, 08:35:10 AM
WARNING: a fake version of is out, distributing malware:

h t t p : / /

This was reported on reddit here:

The legitimate electrum website is
We are curently reporting this abuse to the domain registrar.
20  Bitcoin / Electrum / Electrum 1.9 released on: November 04, 2013, 11:26:51 AM
After several delays, version 1.9 is finally out!

Here is the changelog:
# Release 1.9
* The client connects to multiple servers in order to retrieve block headers and find the longest chain
* SSL certificate validation (to prevent MITM)
* Deterministic signatures (RFC 6979)
* Menu to create/restore/open wallets
* Create transactions with multiple outputs from CSV (comma separated values)
* New text gui: stdio
* Plugins are no longer tied to the qt GUI, they can reach all GUIs
* Proxy bugs have been fixed
Pages: [1] 2 3 4 »
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!