Bitcoin Forum
Topic: Warning about imported private keys! (Read 1450 times)
ciapheap (OP)
July 16, 2013, 08:07:05 PM
Last edit: July 16, 2013, 08:45:44 PM by ciapheap
 #1

If you import a private key into an Electrum wallet and also assign a password so that the wallet is encrypted, then, because of a bug, that private key will probably still not be safe.

You can import a private key either through the settings panel or from the console.
The problem is that if you have used the console, the console history, which is saved in your 'electrum.dat' file, will reveal the entered commands in PLAIN TEXT!!!

So anybody with access to your electrum.dat file could get those imported private keys in PLAIN TEXT, although an encrypted version of that key is saved in the file as well.

Note: By 'import from console' I mean something like this:
Code:
>>importprivkey('5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS')
This command would be saved in 'electrum.dat'.
ciapheap (OP)
July 16, 2013, 08:18:24 PM
 #2

1. Close Electrum, then back up electrum.dat.

2. Open the file in a hex editor.

3. Find 'console-history' in the file. It should look something like this:
Code:
...   0ed8', 'console-history': [u"importprivkey('5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS')", u"dumpprivkey('1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T')"], 'num_zer  ...

4. Carefully remove all fields involving 'importprivkey'; e.g. the above history after correction should look like:
Code:
...   0ed8', 'console-history': [u"dumpprivkey('1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T')"], 'num_zer  ...

- Alternatively, you may clear the entire history like this:
Code:
...   0ed8', 'console-history': [], 'num_zer  ...

5. Save electrum.dat.

Note: If you want to import any private keys, I suggest that you use the import button in the settings panel.
Stephen Gornick
July 17, 2013, 03:28:35 AM
 #3

Is this by design, or would this be a security issue that should be fixed (by not logging or obfuscating the importprivkey command)?


ThomasV
July 17, 2013, 09:16:43 AM
 #4

Quote from: Stephen Gornick
Is this by design, or would this be a security issue that should be fixed (by not logging or obfuscating the importprivkey command)?

This point has been discussed in the past. There's no easy way to 'fix' this...

First, note that the same issue arises when you use Electrum (or bitcoind) from the command line;
if you are not careful, private keys will end up in your bash_history (or wherever your OS stores shell histories).
Thus, the Electrum python console does not create a new risk, with respect to that issue; it only displaces the risk.

It would indeed be possible to obfuscate commands like importprivkey in the history. However, the user can do something like this:
Code:
mykey="foo"
...
importprivkey(mykey)
... and this can be varied ad infinitum; there's no way to predict all the possible ways to use the console.
Therefore, obfuscating some commands will never be 100% safe, because the very point of this console is to be programmable.

The console is useful for debugging and programming Electrum; thus, I am assuming that users who use the python console instead of the gui are geek types, so they are able to understand that issue. But if you have a better solution, please let me know.

Electrum: the convenience of a web wallet, without the risks
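The scrubbing procedure from post #2, together with the point in post #4 that a key can reach the history without a literal importprivkey(...) call (e.g. via mykey = '...'), as an added Python example that is not Electrum's own code: it treats electrum.dat as one Python-literal dict (an assumption taken from the excerpt quoted in the thread; check it against your own file first) and either drops history entries that name importprivkey or contain a WIF-looking token, or clears the history entirely. The sample wallet text is constructed from the thread's own example key and address.

```python
import ast
import re

# Constructed sample of the relevant slice of a 2013-era electrum.dat. Treating
# the whole file as one Python-literal dict is an assumption taken from the
# excerpt quoted in the thread; the key and address are the thread's own values.
SAMPLE_WALLET = (
    "{'seed_version': 4, 'console-history': ["
    "u\"importprivkey('5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS')\", "
    "u\"mykey = '5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS'\", "
    "u\"dumpprivkey('1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T')\"], "
    "'num_zeros': 0}"
)

# Base58 token of WIF length: '5' + 50 chars (uncompressed) or 'K'/'L' + 51
# chars (compressed). This catches a key that reached the history by any
# route, not only through an importprivkey(...) call.
WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")


def is_sensitive(entry):
    """True if a history entry calls importprivkey or embeds a WIF-like token."""
    return "importprivkey" in entry or WIF_RE.search(entry) is not None


def scrub(wallet_text, clear_all=False):
    """Return (new_wallet_text, kept_entries, removed_entries).

    clear_all=False keeps harmless entries (the "remove only the importprivkey
    fields" variant of the procedure); clear_all=True empties the list."""
    wallet = ast.literal_eval(wallet_text)
    history = list(wallet.get("console-history", []))
    if clear_all:
        kept, removed = [], history
    else:
        kept = [e for e in history if not is_sensitive(e)]
        removed = [e for e in history if is_sensitive(e)]
    wallet["console-history"] = kept
    # repr() on Python 3 writes plain string literals (no u prefix), which a
    # literal_eval-based reader accepts on either Python version.
    return repr(wallet), kept, removed


def scrub_file(path, clear_all=False):
    """Back up the file to <path>.bak, then rewrite it with history scrubbed."""
    with open(path) as f:
        original = f.read()
    new_text, _kept, removed = scrub(original, clear_all)
    with open(path + ".bak", "w") as f:
        f.write(original)
    with open(path, "w") as f:
        f.write(new_text)
    return len(removed)
```

Run scrub_file('electrum.dat') (or scrub_file('electrum.dat', clear_all=True)) with Electrum closed, as in step 1 of the procedure; the return value is the number of entries removed.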
ThomasV
July 17, 2013, 09:39:09 AM
 #5

Note:

1. To clean your console history, you just need to do this:
Code:
gui.console.history = []

2. Use the console if you feel like programming/testing things, but do not put sensitive information in it.

tnkflx
July 17, 2013, 02:49:17 PM
 #6

Quote from: ThomasV
Note:

1. To clean your console history, you just need to do this:
Code:
gui.console.history = []

2. Use the console if you feel like programming/testing things, but do not put sensitive information in it.

Possible solution:
- Display the server MOTD somewhere in a tab titled "MOTD".
- Make the console optional with a setting?

On the other hand, like you said, the bash_history contains some private stuff as well sometimes...

| Operating electrum.be & us.electrum.be |