Bitcoin Forum
Topic: Warning: There is an ongoing phishing attack against Electrum users
Lucius
January 26, 2019, 10:49:36 AM
 #21

finally it is fixed in the newest version 3.3.3

This is good news; a solution in that direction had already been mentioned. There are also some other fixes in this version, but the most interesting is that from this version users will be notified about a new version. They will probably use the same way as hackers do, but announcements will be signed and verified with a hardcoded BTC address.

I just hope this is a permanent fix for this issue, and it would be interesting to know the total damage this exploit has done to users.

Quote
# Release 3.3.3 - (January 25, 2019)

 * Do not expose users to server error messages (#4968)
 * Notify users of new releases. Release announcements must be signed,
   and they are verified by Electrum using a hardcoded Bitcoin address.
 * Hardware wallet fixes (#4991, #4993, #5006)
 * Display only QR code in QRcode Window
 * Fixed code signing on MacOS
 * Randomise locktime of transactions

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

pooya87
January 27, 2019, 03:39:58 AM
 #22

Quote from: Lucius
~ from this version users will be notified about a new version. They will probably use the same way as hackers do, but announcements will be signed and verified with a hardcoded BTC address.

no it is not like the thing hackers used. it is a new and to be honest a little weird way. this is how it works based on my little understanding of python (the hackers were using server response messages, this is your own wallet checking):
if you check the optional checkbox to do the check then it connects to the official website at "https://electrum.org/version" which is a new link they added (the /version part) and downloads a small json file with this content:
Code:
{ "version":"3.3.3", "signatures":{ "13xjmVAB1EATPP8RshTE8S8sNwwSUM9p1P":"Hx2zT1AogEs0r+BqwyKsuJpD0dsWovU+cQYra33VY/jMfIHtiO+HTg/o43DnhWMUTx4CNPyE0ywZiClnhL5gJj4="}}

then checks your wallet version against the version it received and if it is lower then shows you a message saying you can download it from "https://electrum.org/#download"
i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!
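
The check described in the post above, as an added example that is not Electrum's code and not part of the original post: an announcement is accepted only if it is newer than the running version and carries a signature from a pinned key. Assumptions: the signed message is the version string in the standard Bitcoin signed-message envelope, the public key is pinned directly under a constructed signer name instead of an address (an address is a hash of that key), and all function names are hypothetical.

```python
import base64, hashlib, json

P = 2**256 - 2**32 - 977  # secp256k1: field prime P, group order N, generator G
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # scalar multiplication by double-and-add
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def digest(msg: bytes) -> int:  # Bitcoin signed-message hash; msg under 253 bytes
    env = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(env).digest()).digest(), "big")

def sign(priv: int, msg: bytes) -> str:  # sample-only signer, constructed nonce (not RFC 6979)
    k = digest(priv.to_bytes(32, "big") + msg) % N or 1
    R = mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (digest(msg) + r * priv) % N
    raw = bytes([27 + (R[1] & 1)]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return base64.b64encode(raw).decode()

def recover(sig65: bytes, msg: bytes):  # public key behind sig65, or None if malformed
    if len(sig65) != 65 or not 27 <= sig65[0] <= 34:
        return None
    r, s = int.from_bytes(sig65[1:33], "big"), int.from_bytes(sig65[33:], "big")
    y = pow(r**3 + 7, (P + 1) // 4, P)  # candidate y for x = r
    if not (0 < r < N and 0 < s < N) or (y * y - r**3 - 7) % P or (sig65[0] - 27) & 2:
        return None
    if (y ^ (sig65[0] - 27)) & 1:  # low bit of the header selects the parity of y
        y = P - y
    rinv = pow(r, -1, N)
    return add(mul(s * rinv % N, (r, y)), mul(-digest(msg) * rinv % N, G))

def check_announcement(raw: str, current: str, pinned: dict):
    """Return the announced version only if it is newer AND signed by a pinned key."""
    try:
        ann = json.loads(raw)
        version = ann["version"]
        newer = [int(p) for p in version.split(".")] > [int(p) for p in current.split(".")]
        signed = any(
            signer in pinned  # signatures under names we do not pin are ignored
            and recover(base64.b64decode(sig), version.encode()) == pinned[signer]
            for signer, sig in ann["signatures"].items())
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed announcement: fail closed
    return version if signed and newer else None

# Constructed sample: a throwaway key stands in for the hardcoded announcement key.
PINNED = {"sample-key": mul(0xC0FFEE, G)}
SAMPLE = json.dumps({"version": "3.3.3", "signatures": {"sample-key": sign(0xC0FFEE, b"3.3.3")}})
```

Because the signature covers the version string, a server that edits the version or appends its own signature entry gets no prompt shown to the user.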

HCP
January 27, 2019, 05:04:05 AM
 #23

Quote from: pooya87
i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!

You just needed to check the Electrum Github commits...

That would lead you to: validate version update announcements using "bitcoin address" message… ;)

pooya87
January 27, 2019, 05:31:48 AM
 #24

Quote from: pooya87
i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!
Quote from: HCP
You just needed to check the Electrum Github commits...
That would lead you to: validate version update announcements using "bitcoin address" message… ;)

i know where it is. i even linked it in the other topic i started yesterday :P
i just have a hard time understanding python, that's all. maybe i need to try opening it in my Visual Studio to be able to follow the flow easier. for example i get that this is the whole thing here: https://github.com/spesmilo/electrum/blob/53310690a5c58145426047529eaa9af9db0b2741/electrum/gui/qt/util.py#L830-L942 but i can't figure out where it is calling the run() function under UpdateCheckThread class, i was expecting some sort of connection between that and UpdateCheck class but can't figure that out either.
the only call to it is https://github.com/spesmilo/electrum/blob/53310690a5c58145426047529eaa9af9db0b2741/electrum/gui/qt/util.py#L864-L867 where it calls start() on it but that class doesn't have a "start" function. lol. that is why i say i don't get python.

Abdussamad
January 28, 2019, 09:31:16 AM
Merited by pooya87 (1)
 #25

It's inheriting from QThread so I'm guessing it happens when you run start. Start is defined in the parent class and it must be calling run.

Yes that's it: http://doc.qt.io/qt-5/qthread.html#start

HCP
February 02, 2019, 07:13:48 PM
 #26

Looks like this topic needs a bump... seems there are still users getting caught by the phishing attack... despite the fact that it is over 2 weeks since the issue was first brought to light... and also at least a week since the issue was patched in the version 3.3.3 release.

As always:

ONLY download Electrum from the official website: https://electrum.org/#download - DO NOT DOWNLOAD FROM GITHUB!
ALWAYS check the digital signature of Electrum before running installer and/or portable exe

pooya87
February 03, 2019, 04:45:36 AM
 #27

Quote from: HCP
~ DO NOT DOWNLOAD FROM GITHUB!

you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.
in this case: https://github.com/spesmilo/electrum
and: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

joniboini
February 03, 2019, 10:23:24 AM
 #28

Quote from: pooya87
you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.

Second this. Isn't it also dangerous if somehow a hacker can hijack the DNS of the website to lure people to download his apps, which in turn makes downloading from GitHub safer? Anyway, the most important step to take is to always verify the signature.


Hhampuz
February 04, 2019, 03:07:55 AM
 #29

Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.

ETFbitcoin
February 04, 2019, 03:37:45 AM
 #30

Quote from: Hhampuz
Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.

What Electrum version do you use and when do you get the pop-up (when you launch the application or try to broadcast a transaction)?

Since Electrum 3.3.3, there's an option to check for updates automatically (only if you enable it) where only a message signed with the address hard-coded in Electrum is valid.
If you see the pop-up when broadcasting a transaction, just change Electrum server and upgrade your software.

Hhampuz
February 04, 2019, 03:42:15 AM
 #31

Quote from: Hhampuz
Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.
Quote from: ETFbitcoin
What Electrum version do you use and when do you get the pop-up (when you launch the application or try to broadcast a transaction)?
Since Electrum 3.3.3, there's an option to check for updates automatically (only if you enable it) where only a message signed with the address hard-coded in Electrum is valid.
If you see the pop-up when broadcasting a transaction, just change Electrum server and upgrade your software.

Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

joniboini
February 04, 2019, 04:03:15 AM
 #32

Quote from: Hhampuz
Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

Yes. Changing Electrum server address might be an option if you encounter server error in 3.3.3 again because it means (most of the time) you're connected to a malicious server.


pooya87
February 04, 2019, 04:04:14 AM
Merited by Hhampuz (1)
 #33

Quote from: Hhampuz
Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.
Quote from: ETFbitcoin
What Electrum version do you use and when do you get the pop-up (when you launch the application or try to broadcast a transaction)?
Since Electrum 3.3.3, there's an option to check for updates automatically (only if you enable it) where only a message signed with the address hard-coded in Electrum is valid.
If you see the pop-up when broadcasting a transaction, just change Electrum server and upgrade your software.
Quote from: Hhampuz
Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

well you still had to have checked the digital signature of the file you downloaded, no matter where and how you got it from. if you haven't done that, then you should. visit the Electrum website and find ThomasV's PGP public key (i posted it above but you have to visit the website instead of trusting my link) and then also download the signature corresponding to the file you downloaded and verify the signature with the public key.

the command would look something like this
Code:
gpg --verify Electrum-3.3.3.tar.gz.asc Electrum-3.3.3.tar.gz
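
What the `gpg --verify` command above leaves to the reader is checking which key made the signature, since gpg reports a good signature for any key in the keyring. The following is an added example, not part of the original post: it reads gpg's machine-readable status output and accepts only a signature from the pinned key. The key ID is the one in the keyserver link posted earlier in this thread; the function names are hypothetical and the sample status lines and fingerprints are constructed.

```python
import subprocess

# 64-bit key ID taken from the keyserver link in the thread. Pin the full
# fingerprint published on electrum.org instead when you have it.
PINNED_KEY_ID = "2BD5824B7F9470E6"
REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signed_by_pinned_key(status: str, pinned: str = PINNED_KEY_ID) -> bool:
    """Decide from `gpg --status-fd` output whether the pinned key signed the file."""
    pinned = pinned.upper()
    good = False
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in REJECT:
            # Bad, expired or revoked: reject even if a VALIDSIG line is also present.
            return False
        if keyword == "VALIDSIG":
            # args[0] is the fingerprint of the signing (sub)key,
            # args[-1] the fingerprint of its primary key.
            if any(fpr.upper().endswith(pinned) for fpr in (args[0], args[-1])):
                good = True
    return good

def verify_release(sig_path: str, file_path: str) -> bool:
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout)

# Constructed status output. The fingerprints are made up: 24 filler digits
# followed by a key ID, not real fingerprints.
GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 2BD5824B7F9470E6 Constructed Signer\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000002BD5824B7F9470E6 2019-01-25 "
    "1548400000 0 4 0 1 8 00 0000000000000000000000002BD5824B7F9470E6\n"
)
# A valid signature, but made by some other key that happens to be in the keyring.
OTHER_KEY = GOOD.replace("2BD5824B7F9470E6", "1111111111111111")
# The right key, but gpg flags it as expired.
EXPIRED = GOOD.replace("GOODSIG", "EXPKEYSIG")
```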

HCP
February 04, 2019, 09:03:24 PM
 #34

Quote from: HCP
~ DO NOT DOWNLOAD FROM GITHUB!
Quote from: pooya87
you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.
Quote from: joniboini
Second this. Isn't it also dangerous if somehow a hacker can hijack the DNS of the website to lure people to download his apps, which in turn makes downloading from GitHub safer? Anyway, the most important step to take is to always verify the signature.

Context is important... What I said was:
Quote from: HCP
ONLY download Electrum from the official website: https://electrum.org/#download - DO NOT DOWNLOAD FROM GITHUB!
ALWAYS check the digital signature of Electrum before running installer and/or portable exe

I didn't say that you should never download anything from Github... I said you should "only download Electrum from the official website" and not from github. Besides, AFAIK, there are NO Electrum binary releases available on the official Electrum github anyway... they only have the source code available for download on the "releases" tab.

So, any Electrum binaries on Github are NOT official releases.

ysangkok
February 05, 2019, 06:24:10 PM
 #35

Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.

Such a list is not very useful. Keep your Electrum updated by checking electrum.org, this is our only advice.

The only thing a malicious server could ever do, is to display error messages. Because Electrum v3.3.3 doesn't allow the server to display arbitrary error messages, it is safer.

If your Electrum v3.3.3+ version is showing error messages when trying to broadcast a transaction, as of right now, it probably means that you are currently using a malicious server. In that case, you can choose another server using the network dialog.

I work for Electrum Technologies GmbH.
TryNinja
February 06, 2019, 02:54:49 AM
 #36

Quote from: ysangkok
I work for Electrum Technologies GmbH.

Could you provide some evidence just to make everything clear about this? No one should just instantly trust a not known account.

Stedsm
February 06, 2019, 08:59:58 AM
 #37

Quote from: HCP
I didn't say that you should never download anything from Github... I said you should "only download Electrum from the official website" and not from github. Besides, AFAIK, there are NO Electrum binary releases available on the official Electrum github anyway... they only have the source code available for download on the "releases" tab.
So, any Electrum binaries on Github are NOT official releases.

Aren't releases made over GitHub by Electrum's official devs fine to be downloaded? I know that either repositories can be cloned and/or hubs with fake account names may be created with the exact Electrum wallet name that could drag someone into being scammed, but what about their official GitHub? And if newer versions are so dangerous, why can't we use older versions instead (obviously if there are no bugs and we're fine using them)?
If I'm not wrong, GitHub contains all older version files as well and they can be downloaded and used, so why go for updated versions when we feel no need or when knowing that such hack issues are taking place? How can an application like Electrum pop up instructions which are not even set by their devs? Can a hacker really be this rational in hacking even the servers behind that official app to throw some air in his malign intentions?

HCP
February 06, 2019, 10:13:37 AM
 #38

Quote from: HCP
So, any Electrum binaries on Github are NOT official releases.
Quote from: Stedsm
Aren't releases made over GitHub by Electrum's official devs fine to be downloaded?

Yes, they would be... BUT, my point is... there are no binaries on the official github... there never have been.

They only have .zip or .tar.gz archives of the source code. Have a look:  https://github.com/spesmilo/electrum/releases

As far as I am aware... the only place to download the binaries is via: https://www.electrum.org/#download (which actually links to: https://download.electrum.org/)
