[2017-01-09] Electrum Bitcoin Wallets Were Vulnerable to Hackers for Two Years

[bbc.reporter]

I remember there was a thread in the forum that claimed his bitcoins were stolen from his Electrum wallet. I do not remember who it was but this happened a long time ago, maybe 2 years. I did not believe him because he was using a new account and I assumed he was trolling. Is it possible that some hackers already knew about the vulnerability?

In any case, update your wallets now if you are an Electrum user.



For almost two years, hackers could have easily stolen your prized stash of bitcoins if you were keeping them in the popular software wallet Electrum, thanks to a critical security vulnerability that went unpatched until now.

The vulnerability allowed any website (and anyone controlling the site a victim browsed, like a hacker) to steal bitcoins stored using Electrum, as long as the software was running and there was no encryption password set up, according to security researchers. The bug was initially reported by Github user “jsmad” on November 24, 2017. Electrum, however, didn’t fully patch the bug until Sunday, January 7, and only after Google security researcher alerted them to how serious the bug really was.

“The bitcoin wallet Electrum allows any website to steal your Bitcoins,” Ormandy tweeted on Saturday. “I was gonna report it… but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours.”

Read the full article https://motherboard.vice.com/en_us/article/ev55na/electrum-bitcoin-wallets-were-vulnerable-to-hackers-for-two-years-json-rpc

[TagaMungkahi]

It's sad, I am also using electrum wallet and that news almost gave me an heart attack, glad it was posted on the forum's front page, announced by Theymos. Thanks to that i was able to protect my coins on my wallet. On the hacked account, I am not 2 years old hear but i know somewhere last 2017 ,Do you remember the person who claimed that someone sent coin from his electrum account? we can assume that a hacker used that vulnerable wallet - as far as i know it doesn't have password enabled.

[Theb]

I didn't know it will happen to a well known Desktop Wallet like Electrum, they even have supported Bitcoin Cash last year and finding out that they were vulnerable made me feel so relieve that I have transferred my Bitcoin to another wallet. Lessons should be learned from this that your money won't be safe not until you provided extra protection for it. We should be aware of the dangers that hackers since day 1 are attracted to Bitcoin now with Bitcoin being more expensive many people with bad intentions are now trying to get it.

[Lucius]

Unfortunately maybe some users lost their coins because of this vulnerability,there is many reports in last few months that coins simply disappeared from wallet.But in most cases users lost their coins just because they download fake Electrum wallet or they expose seed/private key.Every Electrum wallet with strong password was pretty safe,but I agree that this should be fixed at least when it was first reported.

I see that many users looking for new wallets after this was discovered,which is quite understandable-but If your BTC is intact then only upgrade to 3.0.5 and maybe set up new stronger password for wallet should be enough.

For those who still feel insecure only way is to search for hardware wallet or to start keep their coins in paper wallets.

[bbc.reporter]

I didn't know it will happen to a well known Desktop Wallet like Electrum, they even have supported Bitcoin Cash last year and finding out that they were vulnerable made me feel so relieve that I have transferred my Bitcoin to another wallet. Lessons should be learned from this that your money won't be safe not until you provided extra protection for it. We should be aware of the dangers that hackers since day 1 are attracted to Bitcoin now with Bitcoin being more expensive many people with bad intentions are now trying to get it.

Electrum or its maker, ThomasV, does not support bitcoin cash. The wallet's code was forked by another developer, I reckon it was someone here in Bitcointalk, and he called it Electron Cash, an SPV wallet for bitcoin cash.

[richardsNY]

That's how things go. It's basically the same as with the vulnerability that the majority of the chips have within them that made it to the news very recently. It has been pointed out that you should do this or that to avoid getting hacked, but who knows for how long the vulnerability was known to entities looking to exploit it for their personal gains. I only use Electrum to import private keys that are coming from the Chips I withdraw from ChipMixer. Core takes hours and hours to do a complete scan, while Electrum does it instantly. It's a convenience case for me, but glad I always send the funds directly to a Core created private key afterwards. I have updated to the latest version, so I hope it's done now....