Topic: Critical Security Release: Please update to Electrum 3.0.5
Abdussamad
January 07, 2018, 01:46:26 AM
 #1

A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Edit: 3.0.5 has now been released which  fixes the bug.

Download from electrum.org/#download

adaseb
January 07, 2018, 07:05:57 AM
 #2

So if you are using cold storage this shouldn't be much of an issue?

HCP
January 07, 2018, 07:12:46 AM
 #3

In theory, no more than any other vulnerability/virus/malware... if the system with the private keys/seed is running on an offline system, then the opportunity for "leaks" is pretty minimal... there ARE still attack vectors (compromised USB key etc), so it would probably be prudent to update.

Additionally, the "vulnerable" Electrum on your online computer, could still leak "private" data like your addresses/wallet info etc. (as opposed to "sensitive" data like the private keys/seed)

aso118
January 07, 2018, 07:34:48 AM
 #4

It is good that Theymos created an announcement ticker which flashes whenever somebody visits bitcointalk. Electrum is one of the most popular wallets among newbies, because of its light-weight nature. The headline news regarding internet security has really been bad this week - first the security flaws in Intel chips and now this.


xdrpx
January 07, 2018, 08:33:15 AM
 #5

I had a couple of questions regarding the type of attack using JSONRPC to fetch wallet details and to perform transactions:

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering the fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacker to use JavaScript to find my JSONRPC port and then perform transactions?

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

Edit: I've raised a bug for TAILS to update their electrum version to 3.0.4 https://labs.riseup.net/code/issues/15151
jubalix
January 07, 2018, 08:54:17 AM
 #6

This is kinda .... disappointing ... always air gap! though.


I would like to know the history of how this was missed and included in the code!

investorpgroovy
January 07, 2018, 09:13:25 AM
 #7

Are Firefox users protected regardless? I thought Firefox Quantum would not allow JSON exploits.
vlom
January 07, 2018, 09:22:28 AM
 #8

keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:
gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

jubalix
January 07, 2018, 10:03:12 AM
 #9

keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:
gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

wait wait wait

so....it's possible

[1] there is no error, and the site has been hacked to get everyone to download the 3.0.4 which may have a backdoor in it.....

[2] or there is an error and the 3.0.4 site is hacked as well?

WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

DooMAD
January 07, 2018, 10:18:32 AM
 #10

Are Firefox users protected regardless? I thought Firefox Quantum would not allow JSON exploits.

It's also recommended that all Firefox (or other Mozilla-based browser) users install the 'NoScript' browser extension.  The website itself might look a little dated, but it's a good little plugin.  It does take a while to get used to, but the extra security is worth the small learning curve.  This will greatly reduce the general threat from malicious JavaScript while browsing online.  Every website you visit can potentially allow any number of other linked websites to run malicious code through your browser.  NoScript allows you to ensure that only the website you want to see can run code (and even then, only if you want it to) and block all the other, possibly dangerous, third party sites that might be linked through it.

investorpgroovy
January 07, 2018, 10:20:17 AM
 #11

I believe Thomas is ecdsa on github..

https://github.com/spesmilo/electrum/issues/3374

Looks like mithrandi wrote the patch, maybe that's why the sig doesn't match


theymos
Administrator
January 07, 2018, 10:26:41 AM
 #12

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering the fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacker to use JavaScript to find my JSONRPC port and then perform transactions?

That won't help.

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

There is no known way for them to steal your BTC in that case, though they can see your addresses/transactions and change your settings. I'm not sure (and maybe nobody yet fully knows) exactly how much damage they can do by changing your settings. So you should absolutely still update.

WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

That's normal, it means that his key isn't connected to your GPG trust graph. Typically you would --lsign-key the key after verifying it through some other method. PGP is kind of weird.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
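
The check described in the reply above (confirm the key by some other method instead of relying on the trust graph), as an added example that is not part of the original thread: it reads the machine-readable output of `gpg --status-fd 1 --verify` and accepts a file only when the signature is valid and the primary key fingerprint equals a pinned value. The pinned fingerprint is the one printed in the thread; the status lines are constructed samples and the function names are hypothetical.

```python
import subprocess

# Fingerprint exactly as printed in the thread. Confirm it through a channel
# other than the download site before pinning it.
PINNED_FPR = "6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6"
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize(fpr):
    """Strip spacing from a human-formatted fingerprint."""
    return "".join(fpr.split()).upper()


def check_status(status_text, pinned=PINNED_FPR):
    """Decide from `gpg --status-fd` lines whether the file is acceptable.

    Returns (ok, reason). The trust-graph lines (TRUST_*) are ignored on
    purpose: the pinned fingerprint is what establishes whose key it is.
    """
    primary_fprs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False, fields[1]
        if fields[1] == "VALIDSIG":
            # Index 2 is the signing key; the optional last field (index 11)
            # is the primary key fingerprint.
            primary_fprs.append(fields[11] if len(fields) > 11 else fields[2])
    if not primary_fprs:
        return False, "no valid signature"
    if any(normalize(f) != normalize(pinned) for f in primary_fprs):
        return False, "signed by a different key"
    return True, "valid signature from pinned key"


def verify_file(sig_path, file_path):
    """Run gpg on a real download (needs gpg and the imported public key)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return check_status(proc.stdout)


# Constructed status output (not captured from a real run).
FPR = normalize(PINNED_FPR)
OTHER = "0123456789ABCDEF0123456789ABCDEF01234567"  # made-up fingerprint


def sample(fpr):
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Some Name <name@example.invalid>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2018-01-06 1515279554 0 4 0 1 8 00 {fpr}\n"
            "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")


UNTRUSTED_BUT_PINNED = sample(FPR)    # the situation shown in the thread
GOOD_SIG_WRONG_KEY = sample(OTHER)    # gpg would still say "Good signature"
TAMPERED = f"[GNUPG:] BADSIG {FPR[-16:]} Some Name <name@example.invalid>\n"
```

`TRUST_UNDEFINED` is the machine-readable counterpart of the "not certified with a trusted signature" warning; the file is accepted anyway because the fingerprint matches, while a good signature from any other key is rejected.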
tryer12
January 07, 2018, 10:43:04 AM
 #13

Say I didn't touch my wallet or entered the password while the computer was connected to the internet, Am I considered safe?  And If I don't touch it now until I actually feel like I have to move some funds should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my electrum software on while in browser I'm basically safe?
oseventwenty
Member
**
Offline Offline

Activity: 196
Merit: 29


View Profile
January 07, 2018, 11:03:32 AM
 #14

All my wallets have a strong password, and I only use electrum on a Linux machine.

Am I pretty safe?

asdlolciterquit
January 07, 2018, 11:12:02 AM
 #15

A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Download from electrum.org/#download

one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?

Lucius
January 07, 2018, 11:34:16 AM
 #16

Very bad news for Electrum users, there is a fix but I think in the process of upgrading many may become victims of phishing sites which are sometimes shown at the top of search results like an ad from Google. So use only the legit Electrum site: https://electrum.org/#home

I use Electrum only in combination with Ledger; can an old version of Electrum in any way compromise Ledger? I think the answer is no, but I know that Electrum v3 is not working on Windows 7 & 8; any info on whether this is fixed with the 3.0.4 version?

If you use ElectronCash there is also an upgrade to 3.1.1 with a note that old versions are not safe; probably Electrum for LTC & DASH need an update too, and before that it is not advisable to use them.

DooMAD
January 07, 2018, 11:36:46 AM
 #17

one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?

My understanding is that since the exploit utilises CORS, 3.0.4 simply disables CORS until a more permanent solution is found.  It will make your wallet safe, but it's more of a stopgap than a solution.  I think they use the word "mitigate" because it's possible some wallets may have already been compromised if they didn't have a password.  This update obviously won't be able to undo any damage that has already been done.

aoluain
January 07, 2018, 11:39:30 AM
 #18

All my wallets have a strong password, and I only use electrum on a Linux machine.

Am I pretty safe?

Say I didn't touch my wallet or entered the password while the computer was connected to the internet, Am I considered safe?  And If I don't touch it now until I actually feel like I have to move some funds should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my electrum software on while in browser I'm basically safe?

as from the announcement by theymos if we don't use the electrum wallet without upgrading
it will be fine and if we have a strong passphrase set up we are marginally less at risk.
Let's see how this pans out but a safe bet would be to upgrade as per above advice.

**THANKS TO THEYMOS AND THE ADMINISTRATORS FOR ALL THE BACKGROUND WORK THAT GOES INTO THE WORKINGS OF THE FORUM AND FOR KEEPING EVERYONE SAFE!!


schyter
January 07, 2018, 11:47:17 AM
 #19

A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Download from electrum.org/#download

one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?

kind of.
but it was just a quick fix.
They removed CORS till they release update which will protect the JSON RPC with password
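
A simplified model of the two fixes discussed in this thread (dropping the CORS header in 3.0.4, then protecting the JSON-RPC interface with a password), added here as an example and not Electrum's code or part of any post. It compares what a request from a web page and from an authenticated local client each get; the page's request is sent by the browser on the same machine to 127.0.0.1, so an inbound firewall never sees it. The method name, credentials and function names are hypothetical.

```python
import base64
import hmac
import json


def authorized(headers, user, password):
    """Constant-time check of an HTTP Basic Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64
        return False
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())


def handle(headers, body, *, send_cors, credentials=None):
    """Model one HTTP request to a JSON-RPC daemon listening on 127.0.0.1.

    Returns (status, response_headers, executed_method).
    """
    resp = {"Content-Type": "application/json"}
    if send_cors:
        resp["Access-Control-Allow-Origin"] = "*"
    if credentials is not None and not authorized(headers, *credentials):
        resp["WWW-Authenticate"] = 'Basic realm="rpc"'
        return 401, resp, None
    try:
        method = json.loads(body)["method"]
    except (ValueError, KeyError, TypeError):
        return 400, resp, None
    return 200, resp, method


def page_can_read(request_headers, response_headers):
    """Browser-side CORS rule: may the requesting page see the response?"""
    origin = request_headers.get("Origin")
    if origin is None:  # not a cross-origin browser request
        return True
    return response_headers.get("Access-Control-Allow-Origin") in ("*", origin)


# Constructed sample traffic; the method name and credentials are hypothetical.
BODY = '{"id": 1, "method": "list_addresses"}'
FROM_WEB_PAGE = {"Origin": "https://some-site.invalid"}
CREDS = ("user", "long-random-secret")
FROM_LOCAL_CLIENT = {
    "Authorization": "Basic " + base64.b64encode(b"user:long-random-secret").decode()}


def outcome(headers, **config):
    """(status, method the daemon executed, response readable by the sender)."""
    status, resp, method = handle(headers, BODY, **config)
    return status, method, page_can_read(headers, resp)


if __name__ == "__main__":
    print("CORS header, no password:", outcome(FROM_WEB_PAGE, send_cors=True))
    print("no CORS header (stopgap):", outcome(FROM_WEB_PAGE, send_cors=False))
    print("password, web page      :", outcome(FROM_WEB_PAGE, send_cors=False, credentials=CREDS))
    print("password, local client  :", outcome(FROM_LOCAL_CLIENT, send_cors=False, credentials=CREDS))
```

In this model, removing the header only makes the browser withhold the response from the page; the daemon applies no access control of its own until the password check is in place.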

audaciousbeing
January 07, 2018, 11:55:35 AM
 #20

I don't know about the technicalities or how they are to hack the software with all the mnemonics attached. When I saw the flash message early in the day, I upgraded immediately and my wallet is already password protected. I hope everything is safe and everyone is able to stop panicking especially those who are not on the forum to read the warning and the progress that has been made. Electrum is one wallet that to a large extent has been able to create a niche for itself and I think vulnerability at this time will tarnish the over the years reputation.
