Electrum clients older than 3.3 can no longer connect to public electrum servers

[bL4nkcode]

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

[hatshepsut93]

I've opened my watch-only wallet today and freaked out a little bit when it failed to connect to multiple servers, but eventually I managed to connect to a server. So, it seems like the DOS is not total. Still, it's good to know that it's a white hat DOS, and even though I don't use Electrum for sending transactions on online machines, I'm still going to upgrade soon. Thanks for sharing!

[Lucius]

This is finally something that will solve the problem with phishing messages, but unfortunately I think they waited too long to prevent hackers in their dirty game. Is this something what could have been done earlier, how complicated it is from the technical side to prevent old versions of Electrum to connect to public Electrum servers?

hatshepsut93, I use Electrum yesterday and I also notice that it took much longer time to connect to server. I am not sure how you still can connect with old version, probably this blocking is not working 100%.

[Abdussamad]

It'll take time for good servers to roll out this new code. Once they do the scammers will have only one avenue left - they have to get you to connect to their server first!

[G3nijalac]

so if I am using a version older than 3.3 can I still manualy connect to a server?

edit: "We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages." does this mean if i open my old version electrum it will automaticaly be forced to upgrade to the latest safe version?

[Abdussamad]

old versions are unsafe so they are deploying this "fix" on good electrum servers. it means if you run an old version and happen to connect to a good server electrum will crash forcing you to seek help. when you do we will tell you to upgrade. so that's what you should do it's for your own good!

edit: the upgrade is not automatic. you have to download and install the latest version from electrum.org.

[nc50lc]

This "fixbandage" is much much better than the "Good Messages" from legitimate servers which scared the heck out of the newbies.

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.
Or is it (are there) something else than Denial of Service?

[pooya87]

is it just me or these days it seems like a new rather serious issue (bug) is being found in Electrum every week or so?!

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.

this was more of a bug that is being exploited and when they do it "kills" the network instance of your application and as far as i can understand it can no longer do anything else let alone connect to another server.

[Abdussamad]

This "fixbandage" is much much better than the "Good Messages" from legitimate servers which scared the heck out of the newbies.

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.
Or is it (are there) something else than Denial of Service?

Yes if the first server they connect to is a bad one or an unpatched good one their clients will not crash. Also if they are using versions 3.3 - 3.3.2 they will still see the phishing messages if they are connected to a bad server and attempt to spend their bitcoins. However, with  version 3.3.2 the message is not rendered in rich text.

Once legit servers deploy this it'll greatly reduce the room attackers have to operate.

[DireWolfM14]

edit: the upgrade is not automatic. you have to download and install the latest version from electrum.org.

Wouldn't it be more secure to process updates through the software it's self, rather than rely on users going to the right website for download checking signatures?  Is that something the dev team is planning for future releases?

[Abdussamad]

idk. you can ask them on irc.

i know auto updates were rejected by bitcoin core because in the event of a compromise of their servers every user could become infected with malware.

[Artemis3]

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

[TryNinja]

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

Unless people start falling for the scam (which actually happened and resulted in the loss of hundreds - if not thousands - of BTC). Just because you know this is a scam, doesn't mean others will.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

Yes. If they started doing this from day one, the damages would have been much smaller.

[pooya87]

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

Yes. If they started doing this from day one, the damages would have been much smaller.

as far as i can tell there is no bug in the server side to be used to cause a crash anyways. this DoS attack that is being discussed here is on the client side and it was also found recently so it couldn't be used from early days either.

[Abdussamad]

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

It's a case of damned if you do and damned if you don't! People who lost money to the scam were cursing the developers and threatening to sue them so they had to do something. Now people are complaining that they have to update electrum!

Note that it's not just the phishing bug. The DoS bug they are exploiting is also there and there's a wallet file corruption bug that was fixed recently as well.

[HCP]

It's a case of damned if you do and damned if you don't! People who lost money to the scam were cursing the developers and threatening to sue them so they had to do something. Now people are complaining that they have to update electrum!

I think that the old quote from John Lydgate sums it up quite nicely...

“You can please some of the people all of the time, you can please all of the people some of the time, but you can’t please all of the people all of the time”.”
― John Lydgate

I can certainly understand why the devs chose this approach (exploiting a DoS vulnerability)... not sure I 100% agree with it, but I honestly can't think of anything else they could realistically have done... they'd already advertised about the previous "error message exploit" here, on twitter, on the official website etc... and still, weeks after the initial incident and patch, there are still users getting caught out.