Electrum vulnerability found today!

[anitaraymonds]

I think if you followed the instruction and do the necessary updates including passwording  your wallet there should be no more worries. Please just follow instructions.

[khaled0111]

If you have a strong password or use your device just to open your wallet (you don't use it to browse the Internet) you will be safe.
the vulnerability uses some malicious JavaScript codes that can be only executed through your browser.

If you didn't lose any funds just send it to another wallet or update your electrum wallet to the latest version.

[xlcus]

Is the red light for electrum wallet over? I saw there is another upgrade for the wallet.
I am scared about it as I have all my btc on electrum.
 

[xlcus]

And also when I upgrade, I verify the signature of Electrum wallet I downloaded from https://electrum.org/#download

I got a warning. Is it legit?

[Cherylstar86]

I just read about this here:

https://bitcointalk.org/index.php?topic=2702103.msg27624964#msg27624964

Can someone inform me should I worry if I am using Electrum with a Trezor?

Thanks

Well, if you are users electrum site today you should upgrade to .3 to avoid of conflict in signing. But for those users are not connected to electrum you don't have to worry because we are safe in accessing the bitcoin forum index. Right this day we can see that it's already done fixing those cautions in electrum found at the top of our account.
 

[jerry0]

Can someone here confirm that downloading electrum from the official electrum website now with the windows installer is fine?

Anyone here still using the old electrum and opened it and have no issues at all even though it was recommended by theymos to not do it?

The other thing is what percentage of electrum users even know about this?  Because even if you use electrum a bit, the only way to know about this would be either visiting this forum or going to their website.  And obviously someone isn't going to check electrum website everyday to check for the new update etc. 

[TheQuin]

Can someone here confirm that downloading electrum from the official electrum website now with the windows installer is fine?

Yes, I've done it and it is fine. As long as you make sure it is the official website and not a phishing one. Verify the signature to be extra safe and protect yourself from the extremely unlikely event that the site has been hacked.

Anyone here still using the old electrum and opened it and have no issues at all even though it was recommended by theymos to not do it?

I had Electrum open when I first saw theymos message. All my BTC are safe. The vulnerability was reported to Electrum rather than being discovered by someone exploiting it. The exploit would be via a website running javascript so you would have to not only open the old Electrum but also visit a malicious website (which there is no evidence even exists) at the same time.

The other thing is what percentage of electrum users even know about this?  Because even if you use electrum a bit, the only way to know about this would be either visiting this forum or going to their website.  And obviously someone isn't going to check electrum website everyday to check for the new update etc. 

It would be a reasonable suggestion for Electrum to add an automatic notification when a new version is available.

In general, just calm down and upgrade. If you are holding a large amount of BTC then it shouldn't be on an internet connected device in the first place. Get a hardware wallet or use an air gapped cold wallet.

[Mr.Smithers]

I asked separately the same question in another thread and the general consensus of forum members was that it was safe. So I am just passing it along to your thread for your peace of mind

[cellard]

If you have a strong password or use your device just to open your wallet (you don't use it to browse the Internet) you will be safe.
the vulnerability uses some malicious JavaScript codes that can be only executed through your browser.

If you didn't lose any funds just send it to another wallet or update your electrum wallet to the latest version.

But now that Spectre and Meltdown exploits where found on all Intel computers since 1995, people are learning the fact that it's impossible to be safe. Electrum may have solved this, but you don't know if therea re more explouts lurking, either at software level or at hardware level, it's a losing battle, you must cold storage in isolated computers that are never connected to the internet, threat your bitcoins like they are radioactive material that must not escape it's containment (it must remain enclosed). People used to say that I was crazy about using libreboot, airgapping computers and so on, but now it's clear that it's impossible to keep your bitcoins safe outside of that model.

With Trezors and so on you are still connecting the device on an online machine and you are trusting that their method will not have any leaks, not as idea las airgapped linux machine in my book.

[redhondaxrm125]

As you can see, all you need to do is update your wallet, so it's perfectly fine, and you don't need to worry about it.

Strictly speaking, if you neglected to put a password on your wallet, then you probably should worry as your funds are currently vulnerable.  But other than that, yes, it should just be a simple update. 

Users of Bitcoin and other cryptocurrencies should also be vaguely aware of the security risks around JavaScript generally.  It's not just any given website you happen to be visiting that could potentially run malicious code, but also all the third party websites utilised by that site which handle all manner of things from advertising to multimedia plugins.  Browsing the internet with JavaScript completely disabled will result in a somewhat limited experience, as many websites won't function correctly.  So the trade-off is to use a browser plugin to manually pick and choose which sites are safe to run JavaScript and which ones should be blocked.  For any Firefox/Mozilla users, there's NoScript and I'm pretty sure there's something similar for Chrome users.  You'll have to click some buttons for each and every website you know and trust to allow JavaScript, which does take some time and effort, but it's worth it.

I believe so too. It is nice to fantasize that all is as easy as what we want it to be. But the thing is, it isn't. Even when security is improving, hackers are also improving which is why we all have to be careful and be more paranoid. Because in my opinion, being paranoid is more better than losing all your crypto possessions that you have worked hard in gaining.