|
adaseb
Legendary
Offline
Activity: 3878
Merit: 1733
|
|
January 07, 2018, 07:05:57 AM |
|
So if you are using cold storage this shouldn't be much of an issue?
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
|
|
January 07, 2018, 07:12:46 AM |
|
In theory, no more than any other vulnerability/virus/malware... if the system with the private keys/seed is running on an offline system, then the opportunity for "leaks" is pretty minimal... there ARE still attack vectors (compromised USB key etc), so it would probably be prudent to update.
Additionally, the "vulnerable" Electrum on your online computer, could still leak "private" data like your addresses/wallet info etc. (as opposed to "sensitive" data like the private keys/seed)
|
|
|
|
aso118
Legendary
Offline
Activity: 1918
Merit: 1012
★Nitrogensports.eu★
|
|
January 07, 2018, 07:34:48 AM |
|
It is good that Theymos created an announcement ticker which flashes whenever somebody visits bitcointalk. Electrum is one of the most popular wallets among newbies, because of its light-weight nature. The headline news regarding internet security has really been bad this week - first the security flaws in Intel chips and now this.
|
|
|
|
xdrpx
|
|
January 07, 2018, 08:33:15 AM |
|
I had a couple of questions regarding the type of attack using JSONRPC to fetch wallet details and to perform transactions:
1) If I use a firewall to block incoming connections on all ports except ones that I allow, and considering the fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP), then would it still be possible for an attacker to use javascript to find my JSONRPC port and then perform transactions?
2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).
Edit: I've raised a bug for TAILS to update their electrum version to 3.0.4 https://labs.riseup.net/code/issues/15151
|
|
|
|
jubalix
Legendary
Offline
Activity: 2632
Merit: 1023
|
|
January 07, 2018, 08:54:17 AM |
|
This is kinda .... disappointing ... always air gap! though.
I would like to know the history of how this was missed and included in the code!
|
|
|
|
investorpgroovy
Newbie
Offline
Activity: 58
Merit: 0
|
|
January 07, 2018, 09:13:25 AM |
|
Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.
|
|
|
|
vlom
Legendary
Offline
Activity: 1498
Merit: 1117
|
|
January 07, 2018, 09:22:28 AM Last edit: January 07, 2018, 09:36:29 AM by vlom |
|
keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins. this looks good, doesn't it?
gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan 6 23:59:14 2018 CET
gpg: using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
|
|
|
|
jubalix
Legendary
Offline
Activity: 2632
Merit: 1023
|
|
January 07, 2018, 10:03:12 AM |
|
keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins. this looks good, doesn't it?
gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan 6 23:59:14 2018 CET
gpg: using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
wait wait wait so....it's possible
[1] there is no error, and the site has been hacked to get everyone to download the 3.0.4 which may have a backdoor in it.....
[2] or there is an error and the 3.0.4 site is hacked as well?
WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
|
|
|
|
DooMAD
Legendary
Offline
Activity: 3934
Merit: 3190
Leave no FUD unchallenged
|
|
January 07, 2018, 10:18:32 AM |
|
Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.
It's also recommended that all Firefox (or other Mozilla-based browser) users install the 'NoScript' browser extension. The website itself might look a little dated, but it's a good little plugin. It does take a while to get used to, but the extra security is worth the small learning curve. This will greatly reduce the general threat from malicious JavaScript while browsing online. Every website you visit can potentially allow any number of other linked websites to run malicious code through your browser. NoScript allows you to ensure that only the website you want to see can run code (and even then, only if you want it to) and block all the other, possibly dangerous, third party sites that might be linked through it.
|
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13348
|
|
January 07, 2018, 10:26:41 AM |
|
1) If I use a firewall to block incoming connections on all ports except ones that I allow, and considering the fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP), then would it still be possible for an attacker to use javascript to find my JSONRPC port and then perform transactions?
That won't help.
2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).
There is no known way for them to steal your BTC in that case, though they can see your addresses/transactions and change your settings. I'm not sure (and maybe nobody yet fully knows) exactly how much damage they can do by changing your settings. So you should absolutely still update.
WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
That's normal, it means that his key isn't connected to your GPG trust graph. Typically you would --lsign-key the key after verifying it through some other method. PGP is kind of weird.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
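Added example, not part of the post above and not Electrum's own tooling: one way to act on "verify it through some other method" is to compare the primary key fingerprint that gpg reports against a fingerprint pinned beforehand, rather than relying on the trust-graph warning. The function name, the sample status text and the pinned constant's name are assumptions made for this illustration; the fingerprint itself is the one printed in the thread.

```python
import re

# Fingerprint as printed in the thread. Before pinning it, confirm it through
# a channel that does not depend on the download site.
PINNED_FPR = "6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6"

# Constructed sample of `gpg --status-fd 1 --verify` output (illustrative
# field values, not captured from a real run).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2018-01-06 1515279554 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Status keywords that mean the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalise(fpr):
    """Strip whitespace and upper-case so both print styles compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def signature_matches_pin(status_text, pinned_fpr):
    """Return (ok, reason) for a single-signature verification.

    The TRUST_* lines (the source of gpg's "not certified" warning) are
    ignored on purpose: the decision rests on the pinned fingerprint.
    """
    good, primary = False, None
    for line in status_text.splitlines():
        parts = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(args) >= 10:
            primary = args[9]  # tenth field: primary key fingerprint
    if not good or primary is None:
        return False, "no good signature reported"
    if normalise(primary) != normalise(pinned_fpr):
        return False, "signed by a different key"
    return True, "good signature from pinned key"
```

To use it on a real download, feed it the text produced by `gpg --status-fd 1 --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg`.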
|
tryer12
Member
Offline
Activity: 147
Merit: 10
|
|
January 07, 2018, 10:43:04 AM |
|
Say I didn't touch my wallet or entered the password while the computer was connected to the internet, am I considered safe? And if I don't touch it now until I actually feel like I have to move some funds, should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my electrum software on while in browser I'm basically safe?
|
|
|
|
oseventwenty
Member
Offline
Activity: 294
Merit: 29
|
|
January 07, 2018, 11:03:32 AM |
|
All my wallets have a strong password, and I only use electrum on a Linux machine.
Am I pretty safe?
|
|
|
|
asdlolciterquit
|
|
January 07, 2018, 11:12:02 AM |
|
one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?
|
|
|
|
Lucius
Legendary
Offline
Activity: 3416
Merit: 6135
Crypto Swap Exchange🈺
|
|
January 07, 2018, 11:34:16 AM |
|
Very bad news for Electrum users. There is a fix, but I think in the process of upgrading many may become victims of phishing sites, which are sometimes shown at the top of search results like an ad from Google. So use only the legit Electrum site: https://electrum.org/#home
I use Electrum only in combination with Ledger. Can an old version of Electrum in any way compromise Ledger? I think the answer is no, but I know that Electrum v3 is not working on Windows 7 & 8; any info on whether this is fixed with the 3.0.4 version?
If you use ElectronCash there is also an upgrade to 3.1.1 with a note that old versions are not safe. Probably Electrum for LTC & DASH needs an update too, and before that it is not advisable to use them.
|
|
|
|
DooMAD
Legendary
Offline
Activity: 3934
Merit: 3190
Leave no FUD unchallenged
|
|
January 07, 2018, 11:36:46 AM |
|
one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?
My understanding is that since the exploit utilises CORS, 3.0.4 simply disables CORS until a more permanent solution is found. It will make your wallet safe, but it's more of a stopgap than a solution. I think they use the word "mitigate" because it's possible some wallets may have already been compromised if they didn't have a password. This update obviously won't be able to undo any damage that has already been done.
|
|
|
|
aoluain
Legendary
Offline
Activity: 2436
Merit: 1358
|
|
January 07, 2018, 11:39:30 AM |
|
All my wallets have a strong password, and I only use electrum on a Linux machine.
Am I pretty safe?
Say I didn't touch my wallet or entered the password while the computer was connected to the internet, am I considered safe? And if I don't touch it now until I actually feel like I have to move some funds, should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my electrum software on while in browser I'm basically safe?
As from the announcement by theymos, if we don't use the electrum wallet without upgrading it will be fine, and if we have a strong passphrase set up we are marginally less at risk. Let's see how this pans out, but a safe bet would be to upgrade as per above advice.
THANKS TO THEYMOS AND THE ADMINISTRATORS FOR ALL THE BACKGROUND WORK THAT GOES INTO THE WORKINGS OF THE FORUM AND FOR KEEPING EVERYONE SAFE!!
|
|
|
|
|
|
|
schyter
|
|
January 07, 2018, 11:47:17 AM |
|
one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?
kind of. but it was just a quick fix. They removed CORS till they release update which will protect the JSON RPC with password
|
|
|
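Added example, not code from Electrum or from any poster: a sketch of the two measures named in the replies above (no CORS headers now, a password on the JSON-RPC interface later) as a request gate for a localhost service. The function name, header handling and credential scheme are assumptions chosen for illustration; the thread does not say how Electrum implements either measure.

```python
import base64
import hmac
import secrets

# Hypothetical credentials a wallet could generate on first start and store
# in its own config file, readable only by the local user.
RPC_USER = "user"
RPC_PASSWORD = secrets.token_urlsafe(16)


def check_rpc_request(headers, user, password):
    """Decide whether a request to a localhost JSON-RPC port may proceed.

    Returns (http_status, response_headers). The response headers never
    contain Access-Control-Allow-Origin, so a browser will not hand the
    reply to a script running on another origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    resp = {"Content-Type": "application/json"}
    challenge = {**resp, "WWW-Authenticate": 'Basic realm="jsonrpc"'}

    # Browsers add an Origin header to cross-origin POSTs; a local
    # command-line client does not, so its presence is treated as hostile.
    if "origin" in h:
        return 403, resp

    scheme, _, blob = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        supplied = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 401, challenge

    # Constant-time comparison avoids leaking how many bytes matched.
    expected = f"{user}:{password}".encode()
    if not hmac.compare_digest(supplied, expected):
        return 401, challenge
    return 200, resp
```

Omitting the CORS header only stops a page from reading the reply; the password check is what refuses to run the command at all, which fits the replies calling 3.0.4 a stopgap.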
|
audaciousbeing
|
|
January 07, 2018, 11:55:35 AM |
|
I don't know about the technicalities or how they are to hack the software with all the mnemonics attached. When I saw the flash message early in the day, I upgraded immediately and my wallet is already password protected. I hope everything is safe and everyone is able to stop panicking especially those who are not on the forum to read the warning and the progress that has been made. Electrum is one wallet that to a large extent has been able to create a niche for itself and I think vulnerability at this time will tarnish the over the years reputation.
|
|
|
|
|