Just checking if I am under attack

[codehtcmail]

Hello,

I am on Electrum 3.06, I get this message as of Feb 6, 2019. My last transaction on Feb 1, 2019 didn't get this message, I am here checking if it's a normal message or am I under a phishing attack.

Thank you.

[1713858510]

1713858510

[Abdussamad]

Upgrade to the latest version from electrum.org

[pooya87]

this seems to be an electrum server which is using the same phishing attack technique to warn you about the vulnerability and direct you to download the latest version to prevent it from happening in case you connected to a malicious server and saw the malicious message instead.

just ignore the message but upgrade your wallet by downloading it from the same place you always downloaded your wallet (electrum.org) and make sure to check its signature.

[elda34b]

How nice, so a server is trying to alert people that they're running a version of old Electrum but using the same technique as the phishing attack. No wonder many people believe they're under attack. Well, as long as they don't ask you to download from website other than electrum.org, they're probably a good guy.

[nc50lc]

Well, as long as they don't ask you to download from website other than electrum.org, they're probably a good guy.

The problem is: the famous phishing attack uses and displayed the original site on the error message too but you will be redirected to the fake electrum github page.
It's the same hacker, apparently, he must have been informed about the latest news here in the electrum board and just enabled broadcasting of txs and reconstructed his fake error message to be like "that" (you're using a vulnerable version...) since it will not be displayed as intended in the latest version.
(A clever guy, I'll give him that)

To Mods, I request a pinned message regarding an "Urgent or Mandatory" update to electrum 3.3.3.

[Lucius]

this seems to be an electrum server which is using the same phishing attack technique to warn you about the vulnerability and direct you to download the latest version...

It is message from good Electrum server which is intended to users who still have older versions, under 3.3.3. If you remember few days ago I ask you is this possible that Electrum use same technique as hackers to warn users, and they do it now. It is officially posted on their website :

Warning: Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. Do not download software updates from another source than electrum.org. In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.

]
The problem is: the famous phishing attack uses and displayed the original site on the error message too but you will be redirected to the fake electrum github page.
It's the same hacker, apparently, he must have been informed about the latest news here in the electrum board and just enabled broadcasting of txs and reconstructed his fake error message to be like "that" (you're using a vulnerable version...) since it will not be displayed as intended in the latest version.

Nobody was redirected to fake Electrum download on GitGub, user need to click on link and download fake version. So it is about basic understanding how things should work, and if you know that only link for safe download is official site why you will use any other source? If your bank send you message to burn all your money, would you do it or do you call the bank and check what is going on?

As you can see it is not same hacker, you did not check official page of Electrum and you give false information.

[HCP]

why servers can show message? Electrum developers should disable that from the first version

Why can windows run virus? microsoft should disable that from the first version

What you're asking for just isn't possible. It is well known within the software development industry that there will always be bugs and exploits, regardless of how hard you try to make something 100% bug and/or exploit free. Seemingly innocent design choices can and do come back to haunt developers when some hacker figures out a new exploit of a flaw in the original design.

It is very easy, with hindsight, to say the developers should have foreseen the dangers of allowing rich text error messages to be displayed... but they can't be expected to think of ALL scenarios and possibilities.

Also, if you think about it... it took 6 1/2 years from when Electrum was released for this flaw to be exploited... that is how "non-obvious" this exploit was.

[nc50lc]

-snip-

In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.

Well, that's news to me.
But still, the hacker can use the same message with a link displayed as "electrum.org" pointed to a new fake electrum URL.
If the user is still using a vulnerable version, better ignore any error message and just directly browse and download from the official site to be safe.

-edit- Or edit the context into something like: "Ignore any error messages like this and download from the usual place: electrum.org" or "Ignore any direct link from error messages (like this) and download from the usual place: electrum.org"

because virus is a software and windows is created to run softwares. But electrum is not created to show messages from server

If you think you have a better idea(s) to help ThomasV and the developers, just open a pull request or bug report on Github to discuss your proposals.

[TryNinja]

electrum receives messages from server and show users in its way. Why servers can show messages?

In those - now old - versions, they could show an error to tell the user what happened when there was an issue when broadcasting the tx.

The problem is that they could show their own custom errors and make it appear at Electrum even when the transaction should have been sent without any issues. Since Electrum didn’t filter the messages, the owner of the server could just make the transaction fail and show whatever he wants.

It has been fixed now. Electrum only shows predefined erros, and when a server wants to make their own custom error, it shows “Unknown error” instead of the customized text set by the owner.

[HCP]

electrum receives messages from server and show users in its way. Why servers can show messages?

Because that was the design decision they made originally... it could have been simple convenience, it could have been because they wanted the server to have the flexibility to be able to send different "error" messages without needing to update the client (so as to provide backwards compatibility) should the need arise in the future.

Was it a poor design? In hindsight, yes.. absolutely it was
Is there anything they can do about the past? No
Is there anything they can do about the future? Yes, they already have... client has been patched to prevent arbitrary messages from bad servers... and server code has been modded so "good" servers can warn older clients to update (as per the example in the OP)