Why users are always accused for the vulnerability of Electrum?

[Pffrt]

With old version of electrum, people may lose their coin as older version have vulnerability. Not everyone can keep up all the news, update and mistakenly they use an older version which is vulnerable and they lost their coin. Why the users always accuse here of being mistaken while it is totally a mistake of Electrum itself. Why did they release such a version without having significant test? It really hurts when people complain that they have lost their coin by using older version of electrum.

[ranochigo]

Same reason why Heartbleed, Meltdown and Spectre happened; no one discovered it when they were reviewing the codes and designing it. It's unfair to criticise Electrum this way, it's not like they intentionally introduced vulnerabilities to their source codes.

The issue with the vulnerability (less the JSONRPC attack) was due to the user's fault. Social engineering is a common hacking technique and it just proves how many users validate their download before installing it. It's just a poor practice on the user's part. Sure, Electrum shouldn't have allowed the error message to be displayed that way but if the user always validated their download(as recommended), they wouldn't have run it.

[OcTradism]

Which vulnerability you meant? Is this what you meant? Critical Electrum vulnerability. It occured 2 years and a half, too long.

People can not blame on Ethereum for past vulnerability if they don't upgrade their wallets to latest version. I know that there are some errors if people don't upgrade their Electrum wallets.

I don't use the feature "Check for updates" in the wallet (Help > Check for updates). It is my carefulness only and people should do this too. I don't simply believe in pop-up message.
I turn it off as following: Preferences > General > Automatically check for software updates

They can check for updates in the wallet but it is not a confirmation for update. After checking in wallet, they must go to official website of Electrum and check for updates.

If there is update, they must verify wallet before using it.

Electrum: You must download Electrum wallet from official website, and must verify wallet. See the guides below to understand how importance it is to verify your wallet and how to do so.
[GUIDE] How to Safely Download and Verify Electrum [Guide]
Electrum wallet - Update safely and avoid phishing wallets?
Verify wallets before installing & using. You'll lose fund if you don't verify

Vulnerability mostly come from user's faults:
- Don't backup their seeds.
- Don't secure backup well.
- Don't set up a password for their wallet or use too bad/ weak password.
- Don't verify wallet
- and so forth.

[Pffrt]

I'm not criticizing Electrum in such a bad way. I'm also a user of Electrum wallet.

Sure, Electrum shouldn't have allowed the error message to be displayed that way but if the user always validated their download(as recommended), they wouldn't have run it.

If you had a previous version with officially verified, you still have the chance to get the pop message. Imagine, I have used Electrum wallet 1 year back and left it in my device and after one year I just opened my wallet and saw the pop up. Very few people will hesitate to check official website. No one will have any question in their mind unless they have heard about the vulnerability.
But why here in the forum people say it's a vulnerability and you should have checked, indirectly the user is accussed of their mistake.

Vulnerability mostly come from user's faults:
- Don't backup their seeds.
- Don't secure backup well.
- Don't set up a password for their wallet or use too bad/ weak password.
- Don't verify wallet
- and so forth.

These are not vulnerability, dude. These are mistakes. Vulnerability is- hackers can send pop up message to users for updating their wallet with a fake app. This was a vulnerability of electrum wallet.

[OcTradism]

It is user' double faults to believe in pop-up message and don't verify wallets.

Do you call Bitcoin core is vulnerable if user still not upgrade wallet and still use years ago version?

Any wallet people use, verify it.

[ranochigo]

If you had a previous version with officially verified, you still have the chance to get the pop message. Imagine, I have used Electrum wallet 1 year back and left it in my device and after one year I just opened my wallet and saw the pop up. Very few people will hesitate to check official website. No one will have any question in their mind unless they have heard about the vulnerability.
But why here in the forum people say it's a vulnerability and you should have checked, indirectly the user is accussed of their mistake.

My point is: If you had good security practices (as you should), you would've checked the build against ThomasV's PGP at the very least.

If you've checked for the signature, you would've realised that the signature doesn't check out and it is a fake version. This, by itself is the user's fault. You're taking the risk if you are not validating the binaries and that is not Electrum's fault.

Zero day vulnerabilities are inevitable and this was 100% avoidable if the user took the necessary precaution.

[Pmalek]

We had a similar discussion in a different thread a while ago. Electrum's only blame is that they gave the servers the option to send custom messages. That is it. What the users do with it is out of their hands. As soon as they noticed what was going on, they patched it up.

But the users are the ones who didn't notice they were being redirected to a phishing site and that they are downloading a fake Electrum wallet. It is unfortunate, it is sad, but that is the harsh reality.

[DaveF]

Which vulnerability you meant? Is this what you meant? Critical Electrum vulnerability. It occured 2 years and a half, too long.

1 and 1/2 not 2 and 1/2 but yeah 18+ months.

It always seems to be the same thing. New user / low post count user opens their wallet that they have not used for over a year with some large amount of BTC in it and gets "hacked"
Same thing time after time.

Or like this person who got 28+BTC "hacked" from his trezor.
https://bitcointalk.org/index.php?action=profile;u=2584114

Asks / posts some questions about some dubious miner sales places and then a post about loosing $250,000 USD
Can't spot an obvious scam but has that much just sitting there.

Same with the I lost all my money with electrum. "I have barely posted here but had all this money in an old version that I didn't look at for over a year and now it's all gone, help me"


Or like this one:https://bitcointalk.org/index.php?action=profile;u=77542;sa=showPosts
Look at the post history and the long breaks. And then "Oh no, my BTC is gone, please help"


Just venting a bit.

-Dave

[LeGaulois]

When using such software it is also the user's responsibility to keep up to date with it. Especially since we're talking about money it should be something natural from the user. It's not as if you were installing CCleaner.

Vulnerability mostly come from user's faults:
- Don't backup their seeds.
- Don't secure backup well.
- Don't set up a password for their wallet or use too bad/ weak password.
- Don't verify wallet
- and so forth.

It's not what we call a vulnerability, vulnerability is when someone finds a way to compromise a code/system due to coding/programming errors, software flaws, or whatever...

What you describe is the habit problems from users

[HCP]

Why did they release such a version without having significant test?

The thing is... the software was tested! It's just that no "good people"™ saw the potential of the server message being abused in such a way. It wasn't until "bad people"™ actually started abusing it that the developers realised the issue and patched it. Unfortunately, that's just the way these things work...

It reminds me of some programming assignments I did back at University in my first year... simple stuff like design a number selection menu etc... I'd code it up and test it, pressing numbers and selecting menu items and it would work great... then I'd give it to my girlfriend (who was not tech savvy) and she would promptly "break" it by trying to type letters or special characters because she thought differently to me and it just didn't occur to me that when presented with menu items 1-4, someone would type a "J"

Having her test all my code probably earned me at least 10% extra marks on most of my assignments!

[Mpamaegbu]

With old version of electrum, people may lose their coin as older version have vulnerability. Not everyone can keep up all the news, update and mistakenly they use an older version which is vulnerable and they lost their coin. Why the users always accuse here of being mistaken while it is totally a mistake of Electrum itself. Why did they release such a version without having significant test? It really hurts when people complain that they have lost their coin by using older version of electrum.

It's for this confusion around Electrum that I stopped using it two years ago. The so many issues that led to people losing their cash and Electrum's negligence in addressing it isn't the right way to go with terrific customer care services.

It is user' double faults to believe in pop-up message and don't verify wallets.

Do you call Bitcoin core is vulnerable if user still not upgrade wallet and still use years ago version?

Any wallet people use, verify it.

I would still think that if it's a trusted wallet, then the pop-up should also be trusted to come from the site. So, why would it redirect the customer out of the site to a scam site?

[nc50lc]

I don't use the feature "Check for updates" in the wallet (Help > Check for updates). It is my carefulness only and people should do this too. I don't simply believe in pop-up message.
I turn it off as following: Preferences > General > Automatically check for software updates
-snip-

It's worth mentioning that the past "phishing message vulnerability" wasn't connected to the update notification setting.
It was the server-side error message that's disguised as an urgent upgrade notice (which will return with a generic message in the non-vulnerable versions).

That setting however was introduced after that vulnerability and as far as I know, based from the code: it's safe.

[pooya87]

Not everyone can keep up all the news, update and mistakenly they use an older version which is vulnerable and they lost their coin.

it is like saying some people don't have time to go all the way to the crosswalk and wait for the light to turn green and then look both ways before crossing the street. they just jump in the middle of it and look at the clouds while crossing!
who would you blame when an accident happens in this case?

I don't use the feature "Check for updates" in the wallet (Help > Check for updates). It is my carefulness only and people should do this too. I don't simply believe in pop-up message.
I turn it off as following: Preferences > General > Automatically check for software updates

that pop up message is received securely over SSL (so it is protected against MITM) and on top of that it is signed using ECDSA (same signature algorithm as every bitcoin transaction) using a hard-coded key in your client.

[joniboini]

Why did they release such a version without having significant test?

I think this is where you go wrong. Most vulnerabilities are zero-day one, not something that was deliberately left out when they release an app. And how did you know there is no significant test? Because there's a bug 2 years after the release?

If you feel like the test is not enough, feel free to join and test the app.

So, why would it redirect the customer out of the site to a scam site?

Because that's the attack/bug that the attacker uses. Even if you visit the official website, they told you to verify the files.

[Pmalek]

I would still think that if it's a trusted wallet, then the pop-up should also be trusted to come from the site. So, why would it redirect the customer out of the site to a scam site?

Electrum didn't redirect the users. The malicious server owners did. And people became victims of their scam. There is no reason to abandon Electrum for that. You say you stopped using Electrum because of it. I didn't, and I am still fine. And so are many other people. Just don't click on everything you see and believe everything you read.     

[Mpamaegbu]

Electrum didn't redirect the users. The malicious server owners did. And people became victims of their scam. There is no reason to abandon Electrum for that. You say you stopped using Electrum because of it. I didn't, and I am still fine. And so are many other people. Just don't click on everything you see and believe everything you read.    

It was a hard decision for me at the time I abandoned it because I truly like the interface of that wallet. But I rescinded that decision yesterday and tried to download it from playstore and the rating was below 4. Normally, I stay away from apps that are below 4 rating. So, am still not sure if this is the same Electrum. Can you help me to the right site with the updated version, please?

[Pmalek]

Snip

You can download the .apk file of the Android version of Electrum 4.0.2 directly from the downloads area of their official site. https://electrum.org/#download
They also posted a link to Google Play > https://play.google.com/store/apps/details?id=org.electrum.electrum

[TryNinja]

It was a hard decision for me at the time I abandoned it because I truly like the interface of that wallet. But I rescinded that decision yesterday and tried to download it from playstore and the rating was below 4. Normally, I stay away from apps that are below 4 rating. So, am still not sure if this is the same Electrum. Can you help me to the right site with the updated version, please?

The rating is only that low because scammers botted them to make the app show up lower in the search results while their fake apps are botted with 5 stars to appear legitimate. You would have been scammed easily if the fake app that did it was still im the store.

Never trust trivial, easily exploited numbers. Either get the app url from the oficial website and/or check the app full name (which looks like com.electrum.wallet < example).

[Mpamaegbu]

Thanks bro for the links. I appreciate.

<snip>

<snip>

I appreciate these insights you guys have shared with me, and I believe other users will learn a thing or two from it too.