Bitcoin Forum
  Show Posts
1  Bitcoin / Electrum / Re: Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade on: January 19, 2018, 10:50:46 AM
...

Sorry for your loss, but this is nonsense. We fixed the vulnerability on the day we learned about it.
If your wallet was protected with a password, there is no way this vulnerability could be related to the theft.
You have to look for another cause for that theft.
2  Bitcoin / Electrum / Re: Electrum BUG - all Bitcoins stolen on: January 15, 2018, 04:05:23 PM
I checked all downloads with an Electrum developer, all downloads are ok.

For the record: I am the Electrum developer who answered this user's emails, and we only checked his 3.0.5 download, because he claims to have deleted 3.0.3

3  Bitcoin / Electrum / Re: Electrum users must upgrade to 3.0.5 if they haven't already. on: January 15, 2018, 10:39:15 AM
I installed the new update and am now getting failed to execute script electrum. Any one know how to fix it? Using windows 7 here. 
Some old versions of Windows might need to install the KB2999226 Windows update.
4  Bitcoin / Electrum / Re: Electrum BUG - all Bitcoins stolen on: January 15, 2018, 10:37:46 AM
since your wallet was protected with a password, it is unlikely that this theft is related to the vulnerability exposed last week.

Quote
In the other Version of Electrum 3.0.3 my bitcoins are still there (Friday night, after the alleged transfer !!!), my bitcoins are ok at this moment. After I opened in Electrum 3.0.5 all is lost, 3 days later.

you should definitely explain what you mean by that.
did 3.0.3 display a history where the theft transaction is missing?

is version 3.0.3 still installed on your machine?
if yes, please check the sha256 of the file you downloaded.

also, better stop using that computer and have it investigated by a security expert.
5  Bitcoin / Electrum / Re: Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade on: January 14, 2018, 09:48:36 AM
Are there any estimations for how many users were critically vulnerable to this potential attack, i.e. had unencrypted seeds in their wallet files? I've tried to do some research, but failed to determine if Electrum was always asking for password during new wallet creation process, or this feature was added with some version? Also, is password optional during creation?
Some users and media have misunderstood this vulnerability and started claiming that "Electrum is completely broken and anyone can steal your coins when you run it", which is simply not true, so it's better to clear this misunderstanding.

The password feature has always been there, but it has always been optional, because some systems require automated payments. We are closely monitoring how fast users are updating their wallet software. Media reports were useful in spreading awareness, but it is true that they also created misunderstanding.

At this point, there is no evidence that bitcoins have been stolen because of this vulnerability. Two users have reported bitcoin theft and attributed it to the vulnerability, but these cases are more likely to have been caused by malware downloaded from fake electrum websites, or by keyloggers, because these wallets were protected with strong passwords.

We received one suspicious report by a user who sent bitcoins from an exchange to a wrong address. This user was trying to fund his Electrum wallet, and he used an address that was in the "send" tab of his wallet, instead of the "receive" tab. This user did not answer our questions regarding whether the presence of an address in the "send" tab was resulting from his own actions, or could have been put there by a malicious website.
6  Bitcoin / Electrum / Re: Victim of now-known exploitation in versions 3.0.4 and under on: January 13, 2018, 09:59:19 AM
Original Reddit Post:
So on the 6th of January I spent around half my wallet online time stamped at 18:53. After returning to my wallet yesterday on the 8th there was a transaction made from my wallet on the 7th time stamped 00:56 that I never sent. I use Electrum Wallet version 2.7.12 and note all my transactions hence I know this is not me. How can I have lost bitcoin? Has my computer been accessed remotely? Can you even hack a bitcoin wallet? I can confess I am a newbie when it comes to this, so don't even know where to start to try and get my money back, if I can, and how to prevent whatever has happened from happening again.

Update:


Been told to search on here for more answers, and learnt about this exploit that exists in anything below version 3.0.4 of Electrum. Where do I go from here? Obviously I am now updating my wallet, however how can I retrieve my stolen bitcoin?


I had email interaction with the author of that report (user dimme78 in this forum).
There is no reason to believe that this user was a victim of the recently discovered vulnerability.
It seems more likely that he downloaded software from a fake Electrum website.
7  Bitcoin / Electrum / Re: 2FA help please! on: January 12, 2018, 10:02:01 AM
you can restore your wallet from seed, and request a new Google Authenticator code during the restore process.
8  Bitcoin / Electrum / Re: Critical Security Release: Please update to Electrum 3.0.4 on: January 11, 2018, 03:23:06 PM
So, to recap, if we upgrade to 3.0.5. we can run Electrum and browse the web or run other apps at the same time safely, with no worries, right?
Also, why is Thomas not speaking in this thread? This is one of the worst problems in the whole Electrum history and it's strange its main developer wrote nothing about that here on bitcointalk...

I opened another thread, which is pinned.
9  Bitcoin / Electrum / Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade on: January 10, 2018, 12:50:46 PM
A vulnerability has been found in Electrum, and patched in version 3.0.5.
Please update your software if you are running an earlier version.

Below is a copy of the statement we put on our website.
The original can be found here: https://github.com/spesmilo/electrum-docs/blob/master/cve.rst

Thanks to Theymos for displaying a notice on this website.




JSONRPC vulnerability in Electrum 2.6 to 3.0.4
==============================================

On January 6th, a vulnerability was disclosed in the Electrum wallet
software, that allows malicious websites to execute wallet commands
through JSONRPC executed in a web browser. The bug affects versions
2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of
Electrum such as Electron Cash.


Can funds be stolen?
--------------------

Wallets that are not password protected are at risk of theft, if they
are opened with a version of Electrum older than 3.0.5 while a web
browser is active.

In addition, the vulnerability allows an attacker to modify user
settings, the list of contacts in a wallet, and the "payto" and
"amount" fields of the user interface while Electrum is running.

Although there is no known occurrence of Bitcoin theft occurring
because of this vulnerability, the risk increases substantially now
that the vulnerability has been made public.


Can wallet data be leaked?
--------------------------

Yes, an attacker can obtain private data, such as: Bitcoin addresses,
transaction labels, address labels, wallet contacts and master public
keys.


Can a password-protected wallet be bruteforced?
-----------------------------------------------

Not realistically. The vulnerability does not allow an attacker to
access encrypted seed or private keys, which would be needed in order
to perform an efficient brute force attack. Without the encrypted
seed, an attacker must try passwords using the JSONRPC interface,
while the user is visiting a malicious page. This is several orders of
magnitude slower than an attack with the encrypted seed, and
restricted in time. Even a weak password will protect against that.


What should users do?
---------------------

All users should upgrade their Electrum software, and stop using old
versions.

Users who did not protect their wallet with a password should create a
new wallet, and move their funds to that wallet. Even if it never
received any funds, a wallet without password should not be used
anymore, because its seed might have been compromised.

In addition, users should review their settings, and delete all
contacts from their contacts list, because the Bitcoin addresses of
their contacts might have been modified.


How to upgrade Electrum
-----------------------

Stop running any version of Electrum older than 3.0.5, and install
the most recent version of Electrum. On desktop, make sure you download
Electrum from https://electrum.org and no other website. On Android,
the most recent version is available in Google Play.

If Electrum 3.0.5 (or any later version) cannot be installed or does
not work on your computer, stop using Electrum on that computer, and
access your funds from a device that can run Electrum 3.0.5. If you
really need to use an older version of Electrum, for example in order
to access wallet seed, make sure that your computer is offline, and
that no web browser is running on the computer at the same time.


Should all users move their funds to a new address?
---------------------------------------------------

We do not recommend moving funds from password protected wallets. For
wallets that were not password protected, moving funds is an extreme
precaution, that might not be necessary; indeed, if a wallet was
compromised, it is very likely that the attacker would have stolen the
funds immediately.


When was the issue reported and fixed?
--------------------------------------

The absence of password protection in the JSONRPC interface was
reported on November 25th, 2017 by user jsmad:
https://github.com/spesmilo/electrum/issues/3374

jsmad's report was about the Electrum daemon, a piece of software that
runs on web servers and is used by merchants in order to receive
Bitcoin payments. In that context, connections to the daemon from the
outside world must be explicitly authorized, by setting 'rpchost' and
'rpcport' in the Electrum configuration.

On January 6th, 2018, Tavis Ormandy demonstrated that the JSONRPC
interface could be exploited against the Electrum GUI, and that the
attack could be carried out by a web browser running locally, visiting
a webpage with specially crafted JavaScript.

We released a new version (3.0.4) in the hours following Tavis' post,
with a patch written by mithrandi (Debian packager), that addressed
the attack demonstrated by Tavis. In addition, the Github issue
remained open, because mithrandi's patch was not adding password
protection to the JSONRPC interface.
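
The statement above says the JSONRPC interface lacked password protection and could be reached by JavaScript running in a local browser. The following is an added example, not Electrum's code and not part of the original post: one way a localhost JSON-RPC port can refuse such requests, with all names (`check_rpc_request`, `new_rpc_credentials`, `basic_auth`) hypothetical and the sample requests constructed.

```python
import base64
import hmac
import secrets

def new_rpc_credentials():
    """Random credentials, generated once and kept in a config file (assumption)."""
    return "user", secrets.token_urlsafe(16)

def basic_auth(user, password):
    """Build the HTTP Basic header a legitimate local client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_rpc_request(headers, rpc_user, rpc_password):
    """Return (status, reason) for a request to the localhost JSON-RPC port."""
    h = {k.lower(): v for k, v in headers.items()}
    # Cross-origin fetch/XHR requests issued by a web page carry an Origin
    # header; a local command-line client does not need to send one.
    if "origin" in h:
        return 403, "browser-originated request"
    scheme, _, blob = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401, "missing credentials"
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401, "malformed credentials"
    # Constant-time comparison so response timing does not leak the password.
    ok_user = hmac.compare_digest(user.encode(), rpc_user.encode())
    ok_pass = hmac.compare_digest(password.encode(), rpc_password.encode())
    if not (ok_user and ok_pass):
        return 401, "bad credentials"
    return 200, "ok"

# Constructed sample requests (not captured traffic).
RPC_USER, RPC_PASSWORD = new_rpc_credentials()
SAMPLES = {
    "page script": {"Origin": "https://example.invalid", "Content-Type": "text/plain"},
    "local, no credentials": {"Content-Type": "application/json"},
    "local, wrong password": {"Authorization": basic_auth(RPC_USER, "guess")},
    "local, correct password": {"Authorization": basic_auth(RPC_USER, RPC_PASSWORD)},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", check_rpc_request(hdrs, RPC_USER, RPC_PASSWORD))
```

The credential check is the control that matters; the Origin test is defence in depth and should not be relied on alone.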
10  Alternate cryptocurrencies / Tokens (Altcoins) / Re: [ANN] [PRE-TOKEN SALE] TontineTrust - The Future of Retirement is Peer to Peer on: November 16, 2017, 10:58:47 AM
interesting
11  Economy / Service Discussion / Re: URGENT! Anyone heard of abitsky.com? on: October 30, 2017, 11:31:53 AM
Not a scam; I have used them several times successfully.

"operating since 2002" refers to other websites run by the same company.
12  Alternate cryptocurrencies / Altcoin Discussion / Re: Do Not Use Electron Cash! on: August 01, 2017, 07:38:54 PM
Electron Cash has a "peer list poisoning" bug, see https://twitter.com/ElectrumWallet/status/892433256385261568
This is probably what you are experiencing.
To fix that, disable auto-connect, and select a server that you trust to be a BCC server.
13  Bitcoin / Electrum / Electrum 2.9 was released today on: July 27, 2017, 03:52:00 PM
Release Notes:

# Release 2.9 - Independence (July 27th, 2017)
  * Multiple Chain Validation: Electrum will download and validate
    block headers sent by servers that may follow different branches
    of a fork in the Bitcoin blockchain. Instead of a linear sequence,
    block headers are organized in a tree structure. Branching points
    are located efficiently using binary search. The purpose of MCV is
    to detect and handle blockchain forks that are invisible to the
    classical SPV model.
  * The desired branch of a blockchain fork can be selected using the
    network dialog. Branches are identified by the hash and height of
    the diverging block. Coin splitting is possible using RBF
    transaction (a tutorial will be added).
  * Multibit support: If the user enters a BIP39 seed (or uses a
    hardware wallet), the full derivation path is configurable in the
    install wizard.
  * Option to send only confirmed coins
  * Qt GUI:
    - Network dialog uses tabs and gets updated by network events.
    - The gui tabs use icons
  * Kivy GUI:
    - separation between network dialog and wallet settings dialog.
    - option for manual server entry
    - proxy configuration
  * Daemon: The wallet password can be passed as parameter to the
    JSONRPC API.
  * Various other bugfixes and improvements.
14  Bitcoin / Electrum / Re: android electrum - how to disable BTC change address? on: July 27, 2017, 01:16:08 PM
upgrade; we just released version 2.9 on Google Play, it has that setting.
15  Bitcoin / Electrum / Re: Audited Electrum - Found a potential issue on: July 12, 2017, 08:52:24 AM
The first issue is not with the code, but with the user's assumptions.
That is the very reason why custom entropy is not proposed in the GUI.

The second issue with custom entropy and the multiplication is real; thank you for pointing it out.

I too believe that the custom entropy option should be removed from the code.
Actually, I did remove it 6 months ago:
https://github.com/spesmilo/electrum/commit/e0c38b31b40b42138527e9fd3f4bad78e0b12802

and I later reverted that commit because users were complaining.
16  Bitcoin / Electrum / Re: Lost My Electrum Bitcoins on: June 05, 2017, 07:45:30 AM
more likely, your wallet was not fully synchronized.
to know your balance, you need to wait until it is displayed in the bottom status bar.
17  Bitcoin / Electrum / Re: Remove 2FA on: June 05, 2017, 07:43:12 AM
Ok, I'll up the old theme so as not to create a new one.
How can I remove 2fa from the wallet I have some btc up, I mean when I was creating it I chose 2fa, but there was no information that it will cost me ridiculous 5$ per transaction.
I tried to restore from seed choosing no 2fa wallet but it seems not working coz I get endless "Please wait.." on the last step, so what should I do?

upgrade to latest version; it should solve your issue with restore.

Note that the current price per transaction is 0.2 mBTC or 0.1 mBTC, depending on how many you prepay (10 or 100).
This is lower than your typical mining fees.

18  Bitcoin / Electrum / Re: Electrum and Gpg4win on: May 07, 2017, 06:23:19 PM
Huh... I did not notice that... :/

Honestly, I have no idea... maybe related to different SKS versions? or different keyservers? or perhaps it is because ThomasV updated his key and added in a new email address? I honestly don't know... Huh

I have to admit that my knowledge of PGP is relatively limited on how or why the key files would be different, but the beginning and end bytes of the key would be the same??

no, he just screwed up with his copy-paste.
19  Bitcoin / Electrum / Re: After instalation and type passworld the program turn OFF on: March 26, 2017, 05:15:17 PM

It's the same. When I hit next, the program closes.


you are way too vague.
it cannot be "the same" if you did not encrypt the wallet as instructed, because you are not in the same screen.

where are you when it closes? are you in the wizard screen? or are you trying to open the first wallet over again?
20  Bitcoin / Electrum / Re: Importing Private Keys on: March 26, 2017, 04:23:39 PM
Hi,

I have created a new Electrum wallet by importing private keys from another client.
A few of the addresses are highlighted with a bright red colour in the background.
Is there anything I should know before using these addresses?


which version of Electrum are you using?
could you please post a screenshot of your addresses tab?
(blur the addresses if you want)