Bitcoin Forum
February 28, 2020, 09:43:01 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: 1 2 [All]
  Print  
Author Topic: PSA: Electrum has a critical security vulnerability  (Read 213 times)
squatter
Legendary
*
Offline Offline

Activity: 1386
Merit: 1095


STOP SNITCHIN'


View Profile
January 07, 2018, 04:30:34 AM
 #1

Tavis Ormandy, security researcher at Google, pointed out a critical vulnerability to the Electrum team earlier today. They immediately pushed a security update. It's advisable to shut down immediately if you are running Electrum.

Quote from: Theymos
A vulnerability was found in the Electrum wallet software which potentially allows random websites to steal your wallet via JavaScript. The bug presumably also affects altcoin derivatives of Electrum such as Electron Cash. If you don't use Electrum or a derivative, then you are not affected and you can ignore this.

Action steps:

 1. If you are running Electrum, shut it down right this second.
 2. Upgrade to 3.0.4 (making sure to verify the PGP signature).

You don't necessarily need to rush to upgrade. In fact, in cases like this it can be prudent to wait a while just to make sure that everything is settled. The important thing is to not use the old versions.

It's a bit disappointing to see that the vulnerability was already an open issue from last year. I guess they didn't realize how severe it was.

1582926181
Hero Member
*
Offline Offline

Posts: 1582926181

View Profile Personal Message (Offline)

Ignore
1582926181
Reply with quote  #2

1582926181
Report to moderator
1582926181
Hero Member
*
Offline Offline

Posts: 1582926181

View Profile Personal Message (Offline)

Ignore
1582926181
Reply with quote  #2

1582926181
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1582926181
Hero Member
*
Offline Offline

Posts: 1582926181

View Profile Personal Message (Offline)

Ignore
1582926181
Reply with quote  #2

1582926181
Report to moderator
1582926181
Hero Member
*
Offline Offline

Posts: 1582926181

View Profile Personal Message (Offline)

Ignore
1582926181
Reply with quote  #2

1582926181
Report to moderator
zhekinsp
Full Member
***
Offline Offline

Activity: 882
Merit: 126


★777Coin.com★ Fun BTC Casino!


View Profile
January 07, 2018, 05:32:23 AM
 #2

Tavis Ormandy, security researcher at Google, pointed out a critical vulnerability to the Electrum team earlier today. They immediately pushed a security update. It's advisable to shut down immediately if you are running Electrum.

Quote from: Theymos
A vulnerability was found in the Electrum wallet software which potentially allows random websites to steal your wallet via JavaScript. The bug presumably also affects altcoin derivatives of Electrum such as Electron Cash. If you don't use Electrum or a derivative, then you are not affected and you can ignore this.

Action steps:

 1. If you are running Electrum, shut it down right this second.
 2. Upgrade to 3.0.4 (making sure to verify the PGP signature).

You don't necessarily need to rush to upgrade. In fact, in cases like this it can be prudent to wait a while just to make sure that everything is settled. The important thing is to not use the old versions.

It's a bit disappointing to see that the vulnerability was already an open issue from last year. I guess they didn't realize how severe it was.
Mr.Theymos also informed about this issue in the headlines of our forum.

So people who are using electrum immediately upgrade to 3.0.4 version to keep secured from those thieves who are stealing everyone's bitcoin already.But electrum is considered as one of the secured wallet for bitcoin but it faces the security issues will decrease the trust about the wallet among users.
So if people who are having large amount of investments it is necessary to buy a hardware wallet to keep safe all our coins for future.

Rahar02
Hero Member
*****
Offline Offline

Activity: 868
Merit: 523


ChipMixer.com | ChipMixerwzxtzbw.onion


View Profile
January 07, 2018, 05:35:06 AM
 #3

I've updated electrum 3.0.3 for 2-3 weeks and just seen the critical news an hour ago that makes me like panic to update electrum 3.0.4. Even don't dare to open my own wallet now Cheesy and consider to send all of my funds out of electrum.
Yes, it's a big mistake since the vulnerability has been reported on Github since November 2017 but electrum devs didn't pay attention to it or maybe they just missed it? However, I've never heard someone lost bitcoin due to electrum wallet security breach.
bL4nkcode
Copper Member
Hero Member
*****
Offline Offline

Activity: 1470
Merit: 895


Crypto Mixer - https://bitmix.biz


View Profile
January 07, 2018, 05:47:55 AM
 #4

Can someone tell me if an imported private keys on electrum is affected too with this vulnerability or only to those wallet that is generated using electrum?

..bustadice..         ▄▄████████████▄▄
     ▄▄████████▀▀▀▀████████▄▄
   ▄███████████    ███████████▄
  █████    ████▄▄▄▄████    █████
 ██████    ████████▀▀██    ██████
██████████████████   █████████████
█████████████████▌  ▐█████████████
███    ██████████   ███████    ███
███    ████████▀   ▐███████    ███
██████████████      ██████████████
██████████████      ██████████████
 ██████████████▄▄▄▄██████████████
  ▀████████████████████████████▀
                     ▄▄███████▄▄
                  ▄███████████████▄
   ███████████  ▄████▀▀       ▀▀████▄
               ████▀      ██     ▀████
 ███████████  ████        ██       ████
             ████         ██        ████
███████████  ████     ▄▄▄▄██        ████
             ████     ▀▀▀▀▀▀        ████
 ███████████  ████                 ████
               ████▄             ▄████
   ███████████  ▀████▄▄       ▄▄████▀
                  ▀███████████████▀
                     ▀▀███████▀▀
           ▄██▄
           ████
            ██
            ▀▀
 ▄██████████████████████▄
██████▀▀██████████▀▀██████
█████    ████████    █████
█████▄  ▄████████▄  ▄█████
██████████████████████████
██████████████████████████
    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
       ████████████
......Play......
keyboard warrior
Sr. Member
****
Offline Offline

Activity: 268
Merit: 251


View Profile
January 07, 2018, 06:01:34 AM
 #5

Can someone tell me if an imported private keys on electrum is affected too with this vulnerability or only to those wallet that is generated using electrum?

The vulnerability potentially affects any wallet below version 3.0.4 if no wallet passphrase was set and if it ever been online at the same time a webpage in a browser was open.

Theymos's warning explains it all.

https://bitcointalk.org/index.php?topic=2702103.0

manchester93
Sr. Member
****
Offline Offline

Activity: 251
Merit: 256



View Profile
January 07, 2018, 06:34:49 AM
 #6

What's the proper way to update? If I download and install the new version, is there any chance of losing my wallet files? Will the 3.0.4 version be able to read my wallet files, or will I need to import my seed?

I assume I'll lose all of my notes if I import from seed, right? That's sort of a bummer. I was using it to keep records of the transactions, but now I'm afraid to open my wallet. Undecided
VitKoyn
Full Member
***
Offline Offline

Activity: 490
Merit: 106


View Profile
January 07, 2018, 07:55:42 AM
 #7

Yes it's really disappointing to hear a vulnerability like this, given that there are lots of people using electrum wallet to store their Bitcoins for a long time now. I also personally use electrum but the previous version which is 3.0.3 but immediately updated it to 3.0.4 and created a new wallet to use for storing my coins after seeing the announcement made by theymos today. But I just want to know if the android version of electrum is also affected by this vulnerabilities? because I also use that wallet and have some of my Bitcoin on it.
akram143
Full Member
***
Offline Offline

Activity: 854
Merit: 138


★777Coin.com★ Fun BTC Casino!


View Profile
January 07, 2018, 08:38:22 AM
 #8

Electrum is considered as one of the best and secured wallet for bitcoin but now it made this kind of issue many investors are going to suffer with these issues.So people immediately upgrade to 3.0.4 version or else you will lose your bitcoins.

teddy5145
Hero Member
*****
Offline Offline

Activity: 714
Merit: 523


View Profile
January 07, 2018, 10:12:14 AM
 #9

What's the proper way to update? If I download and install the new version, is there any chance of losing my wallet files? Will the 3.0.4 version be able to read my wallet files, or will I need to import my seed?

I assume I'll lose all of my notes if I import from seed, right? That's sort of a bummer. I was using it to keep records of the transactions, but now I'm afraid to open my wallet. Undecided
You wallet are stored inside Appdata folder on your windows, even if you upgraded your electrum to latest version it will still search that location for your wallet file, so yea no need to be afraid of losing access to your coins.
If somehow through sheer miracle that you can't access your wallet you can always restore from seed, and If I'm not wrong electrum will keep listing your transaction history.

Any list of websites that uses this vulnerability to steal our seed though?
So far there hasn't any reports of stolen coins from Electrum through this exploits
BrewMaster
Hero Member
*****
Offline Offline

Activity: 1470
Merit: 975


There is trouble abrewing


View Profile
January 07, 2018, 03:57:31 PM
 #10

this is going to cause some issues for many users. specifically those that are on older versions of Windows like windows 7 have had a tough time upgrading to versions above 3.0 because of the migration to python3.

does anyone have any solution for that that doesn't involve dropping windows?

Murloc
Full Member
***
Offline Offline

Activity: 322
Merit: 103



View Profile
January 07, 2018, 04:46:53 PM
 #11

Can anyone explain me once more how this issue works? Directly interested is it possoble to steal my data via already passed JavaScript? For example can someone get my keys after I've visited his vebsite several month ago? Pretty sure that after this info came public many scammers will try to use the exploit on those who didn't know about it.
Thanks a lot to Theymos fot pinning his post at the head of the forum.

Samarkand
Sr. Member
****
Offline Offline

Activity: 630
Merit: 278


View Profile
January 07, 2018, 08:29:42 PM
 #12

this is going to cause some issues for many users. specifically those that are on older versions of Windows like windows 7 have had a tough time upgrading to versions above 3.0 because of the migration to python3.

does anyone have any solution for that that doesn't involve dropping windows?

You could install a newer Python version on your old windows version (if Windows 7
indeed doesn´t support Python3?).

Alternatively, there is always the Electrum Android app or you could simply
switch to another wallet. Preferably another wallet that already supports
SegWit.

A good overview of SegWit wallets can be found in this thread:
https://bitcointalk.org/index.php?topic=2657620.0

949miner
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


Stake & Vote or Become a IoTeX Delegate!


View Profile
January 07, 2018, 09:27:59 PM
 #13

Theymos has already explained that, but i think that it won affect you as long as you do not have an electroneum version that is quite old..

Anyway, why do not you use a hardware wallet? I have been using electrum for a while, and i stopped using it because i knew that it was a little bit vulnerable, that is why i prefered to invest $70 and buy a ledger.

Guys, just stop risking your asses just invest some money and protect all your assets.

Can someone tell me if an imported private keys on electrum is affected too with this vulnerability or only to those wallet that is generated using electrum?


               `^cder.         
          '-`ryRQQ#@@#O}-      
       .)ydi`!]PQQ#@@@@@#d}!   
  `:'`rU9660ZL:')TZ@@@@@@####O)
  `lVx<,:xWg@@@#g)iQB##@@##@@@M
  `lVcyWRBsy@@Q8Z*iQQQQB##@@@@M
  `x|G#@@@m)T<:<v~iB##@@#QQB#@M
     `)I$#m,-' `>]ZB#@@@#QQQB#3
  .>LKlxxxx_`<YUaKOQQQB#BB####P
:V5MMMTx^=*` .~xeaOQQg$RB@@@##P
 .<}ab*' .QQK\_`;<YMRO66B@@@@B}
     .`  .Q#@#Q3v`rcvvY3B#Mx_  
         .OKx*rxv`x66OX]=`     
               .!`xRdyr,       
                  !<'

IoTeX





▬▬INTERNET OF TRUSTED THINGS▬▬
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬.
▬▬▬BECOME A MEMBER TODAY▬▬▬▬.





        ▄███████████████████▄
        █████████████████████
▄█████  █████████████████████
██████  ████             ████
███     █████████████████████
██████  ████             ████
██████  █████████████████████
███     █████████████████████
███████ ▀███████████████████▀
▀███████▄▄▄▄▄▄▄       ▀████
  ████▌                 ██  
  ▐██▌                      
   █▌








TWITTER
MEDIUM
REDDIT
TELEGRAM
FORUM
BITCOINTALK
figmentofmyass
Legendary
*
Offline Offline

Activity: 1316
Merit: 1153



View Profile
January 07, 2018, 11:56:50 PM
 #14

If somehow through sheer miracle that you can't access your wallet you can always restore from seed, and If I'm not wrong electrum will keep listing your transaction history.

i'm also curious about how this works, though. do new versions retain the descriptions that we have kept on all our addresses and UTXOs? i'd rather not try to re-piece everything from memory. i'm bound to fuck up my privacy somewhere.

Any list of websites that uses this vulnerability to steal our seed though?
So far there hasn't any reports of stolen coins from Electrum through this exploits

i'm sure that reports will start coming in over the next few weeks. now that the vulnerability is exposed, people are probably building websites to exploit it as we speak. and you know how slow people are to upgrade. i would also expect phishing attempts since there is a panic to download the patched version.

i'm waiting until the dust settles. i'm hesitant to rush anything. in the meantime, i have a very strong password. i'll migrate everything in an offline environment over the next few days.

TryNinja
Legendary
*
Offline Offline

Activity: 1302
Merit: 1839



View Profile
January 08, 2018, 03:37:08 AM
 #15

Again a new update...

Quote
New release: 3.0.5. (security update). https://electrum.org/#download  
Please upgrade; release 3.0.4 did not completely address the vulnerability.
https://twitter.com/ElectrumWallet/status/950163143082299392

And from theymos' post:
Quote
Update 2: Version 3.0.5 was just released, which further protects the component of Electrum which was previously vulnerable. It is not critically necessary to upgrade from 3.0.4 to 3.0.5, though upgrading would be a good idea. Also, I've heard some people saying that only versions 3.0.0-3.0.3 are affected, but this is absolutely wrong; all versions from 2.6 to 3.0.3 are affected by the vulnerability.
https://bitcointalk.org/index.php?topic=2702103.0

Be sure to download the latest version (again) to be 100% safe against the vulnerabilities.

ChipMixer
Sr. Member
****
Offline Offline

Activity: 356
Merit: 293


ChipMixer.com | ChipMixerwzxtzbw.onion


View Profile WWW
January 08, 2018, 08:01:32 AM
 #16

Can someone tell me if an imported private keys on electrum is affected too with this vulnerability or only to those wallet that is generated using electrum?
If you use wallet with imported private keys - your current private keys may be known to attacker. Even if they have not been spent, they can still be.
If you use wallet with seed - your current and future private keys may be known to attacker. You should generate new seed and move your funds.

i'm also curious about how this works, though. do new versions retain the descriptions that we have kept on all our addresses and UTXOs? i'd rather not try to re-piece everything from memory. i'm bound to fuck up my privacy somewhere.
Descriptions are stored in wallet.json file with your seed / private keys. Instead of using one wallet with descriptions for all UTXOs and tracking where you spend what - you may create multiple electrum wallets for different personas.

BrewMaster
Hero Member
*****
Offline Offline

Activity: 1470
Merit: 975


There is trouble abrewing


View Profile
January 08, 2018, 04:27:12 PM
 #17

Anyway, why do not you use a hardware wallet? I have been using electrum for a while, and i stopped using it because i knew that it was a little bit vulnerable, that is why i prefered to invest $70 and buy a ledger.

Guys, just stop risking your asses just invest some money and protect all your assets.

there also has been bugs in hardware wallets. that is why some people say there is no 100% safe thing.

in any case i personally don't use hardware wallets because i was capable of simply creating a secure setup for my bitcoins in a cold storage. i have them on a Linux OS with multiple encryptions and its network cut off for good.

Samarkand
Sr. Member
****
Offline Offline

Activity: 630
Merit: 278


View Profile
January 08, 2018, 07:13:24 PM
 #18

...

there also has been bugs in hardware wallets. that is why some people say there is no 100% safe thing.

in any case i personally don't use hardware wallets because i was capable of simply creating a secure setup for my bitcoins in a cold storage. i have them on a Linux OS with multiple encryptions and its network cut off for good.

This could be a barrier for mainstream adoption. Most people are not tech-savvy enough
to set up a Linux installation and don´t get me started on disk encryption. The people,
who discovered Bitcoin in its early days on average are way more sophisticated in terms of computer security
than the people, who bought BTC during the 2017 bull run.

I think hardware wallets are still a good choice for most people even though they have their issues as well.
E.g. I remember reading somewhere that parts of the Ledger firmware are closed-source, which deterred
me from buying a Ledger Nano S back in the day.
figmentofmyass
Legendary
*
Offline Offline

Activity: 1316
Merit: 1153



View Profile
January 08, 2018, 11:17:17 PM
 #19

Most people are not tech-savvy enough
to set up a Linux installation and don´t get me started on disk encryption. The people,
who discovered Bitcoin in its early days on average are way more sophisticated in terms of computer security
than the people, who bought BTC during the 2017 bull run.

the scary thing is that if we are truly seeing "the s-curve" of technology adoption (like with televisions or phones), this problem is going to get much worse. at any given time, the average user is becoming less knowledgeable about cryptocurrencies and computer security. that's the nature of exponential adoption. the entrances have been flooded by more noobs than ever before.

I think hardware wallets are still a good choice for most people even though they have their issues as well.
E.g. I remember reading somewhere that parts of the Ledger firmware are closed-source, which deterred
me from buying a Ledger Nano S back in the day.

i don't know the specifics, but i have heard of hardware wallet bugs where private keys were exposed. personally, i'm a bit paranoid to use them. but i was relying on electrum too, which has now just seen this critical vulnerability. still, i feel more comfortable signing transactions offline than using a hardware wallet as recommended.

whirlcoin
Full Member
***
Offline Offline

Activity: 602
Merit: 111


View Profile
January 09, 2018, 06:40:09 PM
 #20

Even if we have to upgrade to 3.0.4 version already it is important to upgrade 3.0.5 because the old version even 3.0.4 maybe attacked by the attackers.But in my knowledge it is better to move all our bitcoins into other bitcoin wallet like blockchain wallet or to hardware wallets to keep our coins secured.
MiningSensei
Hero Member
*****
Offline Offline

Activity: 767
Merit: 509


View Profile
January 09, 2018, 06:42:40 PM
 #21

Just update it through your wallet, there is a button to update it, otherwise, just download the proper version (the latest one) from the official page of Electrum, it is not difficult to do so.
What's the proper way to update? If I download and install the new version, is there any chance of losing my wallet files? Will the 3.0.4 version be able to read my wallet files, or will I need to import my seed?
What do you mean by "your notes"? You are not going to lose anything, and if you import through your seed, you are going to recover your whole balance at the moment, it is just like importing a private key.
I assume I'll lose all of my notes if I import from seed, right? That's sort of a bummer. I was using it to keep records of the transactions, but now I'm afraid to open my wallet. Undecided
Guys, do not use electrum anymore, if this happened before, it can really happen one more time.

Hello
Davinus
Full Member
***
Offline Offline

Activity: 258
Merit: 104



View Profile
January 09, 2018, 06:52:07 PM
 #22

Electrum is a good wallet, but i do not know it has been having a lot of vulnerabilities during the last few days, and honestly, there are too many malwares at the moment, i dont know why everybody, or almost all the hackers are sick for stealing other people's money.
This really needs to end.
teddy5145
Hero Member
*****
Offline Offline

Activity: 714
Merit: 523


View Profile
January 10, 2018, 12:46:40 AM
 #23

Electrum is a good wallet, but i do not know it has been having a lot of vulnerabilities during the last few days, and honestly, there are too many malwares at the moment, i dont know why everybody, or almost all the hackers are sick for stealing other people's money.
This really needs to end.

Actually, this vulnerability has been there for past few years, since electrum 2.9-ish if I'm not wrong.
It just that at the time there were no known exploit that uses this vulnerability, until a guy from google showed how to use this vulnerability to steal your seed.
Every software has its bugs, just update your electrum to the newest version or change your wallet completely if you think electrum are not safe anymore Smiley
DarkStar_
Legendary
*
Offline Offline

Activity: 1624
Merit: 2242


https://bitcoin.watfordfc.com


View Profile WWW
January 10, 2018, 01:01:41 AM
 #24

I assume I'll lose all of my notes if I import from seed, right? That's sort of a bummer. I was using it to keep records of the transactions, but now I'm afraid to open my wallet. Undecided
Guys, do not use electrum anymore, if this happened before, it can really happen one more time.

Every wallet can have bugs, including Bitcoin Core and hardware ones. This vulnerability only really affects you if you didn't set a passphrase, which is something everyone should be doing anyway for some basic protection. If you want really good protection, you shouldn't be using Electrum on an online computer anyway. The issue was also fixed a few hours after it was found, which (imo) shows that Electrum is a good wallet to use. What's the wallet you suggest?

Even if we have to upgrade to 3.0.4 version already it is important to upgrade 3.0.5 because the old version even 3.0.4 maybe attacked by the attackers.But in my knowledge it is better to move all our bitcoins into other bitcoin wallet like blockchain wallet or to hardware wallets to keep our coins secured.

Great spam post. Blockchain.info's wallet is even less secure. Blockchain.info could feed you malicious javascript and compromise your keys, they've had a few bugs with things like address generation that has caused a loss of funds, and people can attempt to bruteforce into your wallet.

Pages: 1 2 [All]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!