Critical Security Release: Please update to Electrum 3.0.5

[vlom]

i read this:

https://github.com/spesmilo/electrum/issues/3374

Hello, I'm not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy 😛.

I installed Electrum to look, and I'm confused why this isn't being treated as a critical and urgent vulnerability? If this bug wasn't already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.

The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.

I made you a demo. It's very basic, but you get the idea.

If you did set a password, some misdirection is required, but it's still game over, no?

Here is how I reproduced:

Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank - the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with: seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: i dont use bitcoin, you can steal my empty wallet if you like)

he was able to see the seed.

but this wallet was not password protected. with a password protected wallet:

Even with encrypted wallets, you can still change options, change destination addresses, deanonymize users via listaddresses and so on.

so i think if your wallet was pw protected is was not possible to read the seed.

but if you are worried: install the newest version. create a new wallet and send all the coins to the new one.

[crairezx20]

Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?

[Darooghe]

Let me get something straight.

I simply installed v 3.0.4 to overwrite current version
Is this appropriate??

Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4  and then do a restore of the wallet

Yeah I have the same question. And would updating to 3.0.4 enough to be safe enough, or are the previous private keys compromised? And I need to transfer my coin?

This is my question either.

Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?

Is the bug only for 3.0.3 version or older versions are affected?

Thomas, we need you and your security advice. where are you Sir?

[adaseb]

Is there a log which shows if there were any recent connect attempts to the RPC ?

[Darooghe]

Is there a log which shows if there were any recent connect attempts to the RPC ?

Good question.

Having bitcoin is the most important and priority problem in my life recently

[inastorytold]

Apologies for basic question, but just wanted to check the following:

I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?

Thanks in advance.

Yes, that would work fine. Always make sure you have written down your seed phrase before upgrading just in case. You'll find instructions on how to split the coins on this board of the forum when you're ready to do it. If you're not using Electrum then there is also no hurry to upgrade. Just don't open the old Electrum and surf the web at the same time.

Thanks for your help, and for your post, too, BitcoinSupremo. I've downloaded 3.0.4 and all looks good. Really must get round to sorting out splitting coins and buying a ledger s nano. Wasn't long ago it seemed like an extravagant purchase for the size of my stash. Quite a different story now...

[Abdussamad]

Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?

The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).

Note to all those people asking how to update you simply install the latest version just like you did last. If you used the windows installer last time then download and install with the latest version's windows installer. If you used pip3 on linux then do the same with the latest tarball.

To those asking for why I said mitigate it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.

Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/

[BitMaxz]

Looks like i need to use the latest one instead i already installed the electrum 3.0.4 and works great in windows 7 os i thought that this will be the same as 3.0 not work in win7 os
and had many bugs. for now i just install it in virtual machine just to investigate and monitor if this is not affected by CORS

Is there a log which shows if there were any recent connect attempts to the RPC ?

I was looking in github but i couldn't find any post that if electrum has rpc logs to watch if someone attempting to scan ports or trying to bruteforce and retrieve the password
Try this electrum twitter page and maybe someone can give how to show rpc logs
https://twitter.com/ElectrumWallet/status/949795637792518144

The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).

Note to all those people asking how to update you simply install the latest version just like you did last. If you used the windows installer last time then download and install with the latest version's windows installer. If you used pip3 on linux then do the same with the latest tarball.

To those asking for why I said mitigate it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.

Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/

Thanks for such a great information but would like to know why still need to block the localhost do you think if i block the localhost the other application in my laptop will be affected?
i already install the latest one and choose the segwit wallet instead and hope i don't experience any issue..

[Potent]

Hi people, having Electrum running and surfing web simultaneous makes the security breach. right?

I wanna know the attacker can surf my hard drive too? has he/she any access to my appdata content too?

Can he/she steal the wallet files from AppData\Roaming\Electrum and other wallets from AppData\Roaming\ too

[Ghostdoggoz]

Hi,

New to this all.

I had an older version of the wallet.

Saw the warning and installed new version.

I am trying to recover the wallet. I went through the steps, created new wallet and put the seed in and created new password.

I don't see anything in my balance.

I'm not sure if I have done everything correctly. Do I need to move anything across from old wallet cause I have already deleted all the old files and only have the new ones.

Any help would be greatly appreciated.

[Abdussamad]

3.0.5 was just released which fixes this bug completely.

[Ghostdoggoz]

Windows blocked the file soon as I tried to open it.

I don't know who to trust now, if even the official website files get blocked.

Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .

[tehol_bedict]

I used electrum to sign an address that I have stored on my Trezor, does anybody know if this would this make me vulnerable?  I don't want to move the coins if I don't have to, since I signed up for an airdrop and would lose my spot in the queue.

I feel like probably not, but better safe than sorry?

[Potent]

Hi people, having Electrum running and surfing web simultaneous makes the security breach. right?

I wanna know the attacker can surf my hard drive too? has he/she any access to my appdata content too?

Can he/she steal the wallet files from AppData\Roaming\Electrum and other wallets from AppData\Roaming\ too

Should i make a new wallets for altcoins that have been at AppData\Roaming? Have other altcoins wallets leaked from this security bug?

[pooya87]

Windows blocked the file soon as I tried to open it.

I don't know who to trust now, if even the official website files get blocked.

Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .

your Malwarebyte is not blocking the official website! nor is it blocking Electrum!

what it is blocking is an Electrum server called "us01.hamster.science". and that is a false positive that only Malwarebyte blocks for some reason.
just go to your Network settings (you can click on the circle at the bottom right corner of the Electrum window) and change your server from there. choose any other ones and you are good to go.

[Ghostdoggoz]

Windows blocked the file soon as I tried to open it.

I don't know who to trust now, if even the official website files get blocked.

Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .

your Malwarebyte is not blocking the official website! nor is it blocking Electrum!

what it is blocking is an Electrum server called "us01.hamster.science". and that is a false positive that only Malwarebyte blocks for some reason.
just go to your Network settings (you can click on the circle at the bottom right corner of the Electrum window) and change your server from there. choose any other ones and you are good to go.

Thankyou. Now to figure out where my coins are lol.

[Mordaz]

This is kinda .... disappointing ... always air gap! though.

Ditto!  IMHO, air gap is more secure than a hardware wallet.

[xbtboss]

Hi
Use 3.0.3
What is the main danger? It is possible more in detail? If I use the wallet on a separate laptop without surfing on the Internet, for me there is still a threat?
+ ptotected by password strong

[jackg]

Hi
Use 3.0.3
What is the main danger? It is possible more in detail? If I use the wallet on a separate laptop without surfing on the Internet, for me there is still a threat?
+ ptotected by password strong

Providing there's a strong password your encrypted seed can be gathered but if the password is 15+ chars it can't be hacked.

It is recommended you upgrade but if you have a password and dont surf the web from that device there shouldn't be too much of a threat.

[jerry0]

Hey all.  Just want to make sure of this.

So download electrum from the website using windows installer like i did previously.  When i do this, would i need to copy and paste my 12 word seed?  I have updated electrum few times when it was in the 2.x version but i don't recall if i need to?  For example when you want to install electrum on a new device, you would install electrum and then click on i already have a seed and then you type the seed etc.

Thanks.