Bitcoin Forum
Author Topic: Electrum vulnerability found today!  (Read 516 times)
TriplexXx
January 07, 2018, 04:13:06 PM
 #21

Once you update your Electrum wallet app to the next version you are safe. You are not the only one scared about the latest Electrum vulnerability; there are many people, though!
jerry0
January 07, 2018, 04:18:27 PM
 #22

Does anyone here think it could be the mod or forum hacked getting you to download the new wallet though? 

When you guys did the update when downloading new electrum, did it require you to type down the 12 word seed or not?  I updated electrum few times and i don't recall if it did or not.  I assume yes because well you are creating a new wallet?  But no because well you are just upgrading from one to another?
jseverson
January 07, 2018, 04:30:23 PM
 #23

Does anyone here think it could be the mod or forum hacked getting you to download the new wallet though? 

When you guys did the update when downloading new electrum, did it require you to type down the 12 word seed or not?  I updated electrum few times and i don't recall if it did or not.  I assume yes because well you are creating a new wallet?  But no because well you are just upgrading from one to another?

Nah, it's legit. Electrum is open-source, and someone seems to have found the vulnerability and reported it.

I have not updated yet because I want to wait until the entire thing blows over, and if you're paranoid, you can do the same thing. What the vulnerability does is it allows a hacker to see your seeds, but having a wallet password encrypts those seeds, so you should be fine for the most part if you have a password. That being said, I strongly advise you to not use your older version at all anymore. Once you do decide to download, just make sure you verify its PGP signature, as theymos has stated.

shamzblueworld
January 07, 2018, 04:37:48 PM
 #24

Thanks to this notice, which I saw in the morning, I hurriedly updated my Electrum; hopefully it's all fine now.
I was quite worried, as yesterday my Electrum was open almost all day and it was the affected version too.
cellard
January 07, 2018, 05:21:22 PM
 #25

This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.

Is that really the overall message you take from this thread?  What an utterly shameful stance.  Particularly as you seem to be deliberately twisting what happened to suit some political narrative.  Even if you could distort the facts to suit your personal attacks (which you've utterly failed at doing, as BitcoinHodler pointed out), it's never "great" that users could have their wallets compromised due to a security vulnerability.  Running a full node won't be suitable for every user and it's not something people should be coerced into against their will.  Dismissing SPV users as some sort of worthless underclass is reprehensible behaviour.  All you achieve is creating further division in the community when that's the last thing we need right now.  

SPV users ARE underclass, and this wouldn't have happened if you were processing your own transactions in your full validating node. The further you are from the ideal of sovereign money, the more underclass you become within the bitcoin network. This is a fact.
They are not worthless, I didn't say that. They have worth, just like people using 0 confirmation transactions (back then when you could still do that), but they are second class citizens in the network, they always were.

It's never a bad time to remind people how Roger Ver et al want nobody but corporations to run full validating nodes, they want everyone else on SPV wallets being a cuck of someone else processing the transactions for you. Not gonna happen.
jerry0
January 08, 2018, 03:25:31 AM
 #26

Okay thanks for that information. So what if you open electrum now then but don't download new version.  Is that fine or not?  It says shut down electrum immediately but i assume only if you open the wallet?  Such as imagine you open electrum but don't put in your password to open the encryption?


What do you mean PGP signature?


Yes im going to wait as well in case this is a hack where the forum/mod got hacked.
pooya87
January 08, 2018, 04:10:36 AM
 #27

Quote
Okay thanks for that information. So what if you open electrum now then but don't download new version.  Is that fine or not?  It says shut down electrum immediately but i assume only if you open the wallet?  Such as imagine you open electrum but don't put in your password to open the encryption?
if you don't have a password set for your Electrum wallet (any version between 2.6 to 3.0.3) and open it, an attacker can use the JSONRPC of your wallet to get your private keys.
that is why the warning tells you to "close" your wallet and don't open it until you upgrade.

Quote
What do you mean PGP signature?
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://gnupg.org/download/integrity_check.html

Quote
Yes im going to wait as well in case this is a hack where the forum/mod got hacked.
what does the forum mod getting hacked have to do with this?!!!

zoza14 (OP)
January 08, 2018, 09:10:43 AM
 #28

Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5
satamusic
January 08, 2018, 10:29:29 AM
 #29

tempted to set up a few VMs with the vulnerable Electrum version installed, no adblock or noscript, and let them run wild on the internet crawling the sleaziest sites i can imagine for a few hours, and just see what i catch :)

hi
hahay
January 08, 2018, 10:34:55 AM
 #30

I just read about this here:

https://bitcointalk.org/index.php?topic=2702103.msg27624964#msg27624964

Can someone inform me should I worry if I am using Electrum with a Trezor?

Thanks
I spent a coin from Electrum a couple of weeks ago, so I do not have to worry about the current situation. But to prevent undesirable things, it is better that we update the Electrum wallet to the latest version, because after all they will improve their system to be better again.

TheQuin
January 08, 2018, 10:36:19 AM
 #31

Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

You are safe because the Trezor holds your seed, not Electrum. That is the whole point of using a hardware wallet, it signs the transactions and that cannot be done from the PC or other devices you connect it to. However, it is possible that the exploit could be used to compromise your privacy so you should still upgrade.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5

This could be a false positive from VirusTotal or you may have downloaded from a phishing site, not the genuine https://electrum.org/#download
Always verify the signature before installing.

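The signature check advised in the replies above, as an added example (not from the thread or from the Electrum project): it runs `gpg --verify` with machine-readable status output and accepts the download only when the valid signature's primary-key fingerprint equals a pinned value. `EXPECTED_FPR`, the function names and the sample status lines are constructed placeholders; the real fingerprint has to come from a source you trust independently of the download page.

```sh
#!/bin/sh
# Added example: check a detached PGP signature and pin the signing key.
# A plain "Good signature" only says that some key in the keyring signed the
# file; the download is trusted only if that key is the one you expect.

# Placeholder fingerprint (constructed); replace with the release signer's
# full 40-hex fingerprint obtained independently of the download page.
EXPECTED_FPR="${EXPECTED_FPR:-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}"

# Constructed sample of `gpg --status-fd 1 --verify` output: a signing
# subkey (BBBB...) whose primary key (AAAA..., last field) is the pinned one.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-01-07 1515283200 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Read gpg status lines on stdin and print the primary-key fingerprint of the
# single valid signature. Fail on bad, expired or revoked signatures, and
# when there is not exactly one VALIDSIG line.
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { fpr = $NF; n++ }
        END {
            if (bad || n != 1) exit 1
            print toupper(fpr)
        }'
}

# Compare a fingerprint with the pinned one.
check_signer() {
    [ "$1" = "$EXPECTED_FPR" ] || {
        echo "signed by unexpected key $1" >&2
        return 2
    }
    echo "OK: signed by $1"
}

# verify_download FILE SIG: verify SIG over FILE, then apply the pin.
verify_download() {
    signer=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signer_from_status) || {
        echo "no valid signature on $1" >&2
        return 1
    }
    check_signer "$signer"
}

# Run only when called as: script FILE SIG
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

The signer's public key must already be imported into the local keyring, otherwise gpg reports an error status and the check fails closed.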
zoza14 (OP)
January 08, 2018, 02:31:40 PM
 #32

Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

You are safe because the Trezor holds your seed, not Electrum. That is the whole point of using a hardware wallet, it signs the transactions and that cannot be done from the PC or other devices you connect it to. However, it is possible that the exploit could be used to compromise your privacy so you should still upgrade.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5

This could be a false positive from VirusTotal or you may have downloaded from a phishing site, not the genuine https://electrum.org/#download
Always verify the signature before installing.


Finally thanks for the answer!
jerry0
January 08, 2018, 02:46:20 PM
 #33

Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?
cellard
January 08, 2018, 02:51:31 PM
 #34

Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.
Wulanayu
January 08, 2018, 02:56:50 PM
 #35

I guess you do not have to worry because Electrum already knows and has a way to remove the vulnerability; you are just asked to upgrade so that you are safe from danger.
All have their respective duties; you are just ordered to obey if you want to be safe.
So you do not have to worry about what's happening now because Electrum has taken a good step.

jerry0
January 08, 2018, 03:02:28 PM
 #36

Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.


Hi there.  I had an electrum wallet for a while so i'm not new to this.  I also updated electrum few times from their website when it was version 2.x to 2.x etc. 

So when i update it again on their website, i want to know, do they ask you for your 12 word seed to install the new version of electrum or not.  Because i do not recall if it did when asking me this the last few times i installed new electrum version.
Kprawn
January 08, 2018, 03:15:53 PM
 #37

I presume that you did this --> https://blog.trezor.io/using-trezor-with-electrum-v3-a0b9bcffe26e .... You should be fine, if you just upgrade to the latest version of Electrum 3.0.5. The previous upgrade 3.0.4 did not solve the problem, so you MUST upgrade to Electrum 3.0.5 to solve it. Just make sure you keep your Trezor seed safe. ;)

jerry0
January 08, 2018, 03:24:10 PM
 #38

Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.


Hi there.  I had an electrum wallet for a while so i'm not new to this.  I also updated electrum few times from their website when it was version 2.x to 2.x etc. 

So when i update it again on their website, i want to know, do they ask you for your 12 word seed to install the new version of electrum or not.  Because i do not recall if it did when asking me this the last few times i installed new electrum version.


Hey all so just to confirm.  Download from

https://electrum.org/#download

Then download from windows installer right assuming you have windows?  I notice there is a word signature to it that you can click on but since its the real website, just click on windows installer and thats all?

Once you download it, do you need to copy/paste your 12 word seed to install the electrum 3.0.5 or not?

I want to make sure if this before i download it.

TheQuin
January 08, 2018, 03:43:02 PM
 #39

Once you download it, do you need to copy/paste your 12 word seed to install the electrum 3.0.5 or not?

No, you do not need to, Electrum will just open normally but with the new version. However, you should always have a safely stored copy of your seed written down. If anything went wrong in the upgrade process you may need it to restore.

CONANEDO
January 08, 2018, 04:39:54 PM
 #40

I have just downloaded the new version from here: https://www.electrum.org/#download. I clicked from my Electrum wallet, from the Help option, and it opened this link. Is this link the same as this link, https://electrum.org/#download? I thought it was the same because I clicked from my Electrum wallet.

Please tell me this is the same link because I am scared. I have downloaded from here: https://www.electrum.org/#download