Pffrt (OP)
July 14, 2020, 02:07:50 PM
With old versions of Electrum, people may lose their coins, as older versions have a vulnerability. Not everyone can keep up with all the news and updates, and they mistakenly use an older version which is vulnerable and lose their coins. Why are the users here always accused of being mistaken, while it is totally a mistake of Electrum itself? Why did they release such a version without significant testing? It really hurts when people complain that they have lost their coins by using an older version of Electrum.
ranochigo
July 14, 2020, 02:17:24 PM
Same reason why Heartbleed, Meltdown and Spectre happened: no one discovered it when they were reviewing the code and designing it. It's unfair to criticise Electrum this way; it's not like they intentionally introduced vulnerabilities into their source code.
The issue with the vulnerability (less the JSONRPC attack) was due to the user's fault. Social engineering is a common hacking technique, and it just proves how few users validate their download before installing it. It's just poor practice on the user's part. Sure, Electrum shouldn't have allowed the error message to be displayed that way, but if the user always validated their download (as recommended), they wouldn't have run it.
OcTradism
July 14, 2020, 02:23:23 PM
Which vulnerability did you mean? Is this what you meant? Critical Electrum vulnerability. It occurred two and a half years ago, too long. People cannot blame Ethereum for a past vulnerability if they don't upgrade their wallets to the latest version. I know that there are some errors if people don't upgrade their Electrum wallets. I don't use the feature "Check for updates" in the wallet (Help > Check for updates). It is my carefulness only, and people should do this too. I don't simply believe in a pop-up message. I turn it off as follows: Preferences > General > Automatically check for software updates. They can check for updates in the wallet, but it is not a confirmation for the update. After checking in the wallet, they must go to the official website of Electrum and check for updates. If there is an update, they must verify the wallet before using it. Vulnerabilities mostly come from users' faults:
- Don't back up their seeds.
- Don't secure the backup well.
- Don't set up a password for their wallet, or use a too bad/weak password.
- Don't verify the wallet.
- And so forth.
Pffrt (OP)
July 14, 2020, 02:27:32 PM
I'm not criticizing Electrum in such a bad way. I'm also a user of the Electrum wallet.
Quote from: ranochigo
Sure, Electrum shouldn't have allowed the error message to be displayed that way, but if the user always validated their download (as recommended), they wouldn't have run it.
If you had a previous version that was officially verified, you still have the chance to get the pop-up message. Imagine I used the Electrum wallet one year back and left it on my device, and after one year I just opened my wallet and saw the pop-up. Very few people will hesitate to check the official website. No one will have any question in their mind unless they have heard about the vulnerability. But why do people here in the forum say it's a vulnerability and you should have checked? Indirectly the user is accused of their mistake.
Quote from: OcTradism
Vulnerabilities mostly come from users' faults:
- Don't back up their seeds.
- Don't secure the backup well.
- Don't set up a password for their wallet, or use a too bad/weak password.
- Don't verify the wallet.
- And so forth.
These are not vulnerabilities, dude. These are mistakes. A vulnerability is: hackers can send a pop-up message to users telling them to update their wallet with a fake app. This was a vulnerability of the Electrum wallet.
OcTradism
July 14, 2020, 02:32:29 PM
It is the user's double fault to believe in a pop-up message and not verify wallets.
Do you call Bitcoin Core vulnerable if a user still hasn't upgraded the wallet and still uses a years-old version?
Any wallet people use, verify it.
ranochigo
July 14, 2020, 02:36:04 PM
Quote from: Pffrt
If you had a previous version that was officially verified, you still have the chance to get the pop-up message. Imagine I used the Electrum wallet one year back and left it on my device, and after one year I just opened my wallet and saw the pop-up. Very few people will hesitate to check the official website. No one will have any question in their mind unless they have heard about the vulnerability. But why do people here in the forum say it's a vulnerability and you should have checked? Indirectly the user is accused of their mistake.
My point is: if you had good security practices (as you should), you would've checked the build against ThomasV's PGP at the very least. If you'd checked the signature, you would've realised that the signature doesn't check out and it is a fake version. This, by itself, is the user's fault. You're taking the risk if you are not validating the binaries, and that is not Electrum's fault. Zero-day vulnerabilities are inevitable, and this was 100% avoidable if the user took the necessary precautions.
Pmalek
July 14, 2020, 06:27:37 PM
We had a similar discussion in a different thread a while ago. Electrum's only blame is that they gave the servers the option to send custom messages. That is it. What the users do with it is out of their hands. As soon as they noticed what was going on, they patched it up.
But the users are the ones who didn't notice they were being redirected to a phishing site and that they are downloading a fake Electrum wallet. It is unfortunate, it is sad, but that is the harsh reality.
DaveF
July 14, 2020, 07:12:03 PM Last edit: July 14, 2020, 08:17:19 PM by DaveF
1 and 1/2, not 2 and 1/2, but yeah, 18+ months. It always seems to be the same thing. A new user / low post count user opens their wallet that they have not used for over a year, with some large amount of BTC in it, and gets "hacked". Same thing time after time. Or like this person who got 28+ BTC "hacked" from his Trezor: https://bitcointalk.org/index.php?action=profile;u=2584114 Asks / posts some questions about some dubious miner sales places and then a post about losing $250,000 USD. Can't spot an obvious scam but has that much just sitting there. Same with the "I lost all my money with Electrum" posts: "I have barely posted here but had all this money in an old version that I didn't look at for over a year and now it's all gone, help me." Or like this one: https://bitcointalk.org/index.php?action=profile;u=77542;sa=showPosts Look at the post history and the long breaks. And then "Oh no, my BTC is gone, please help." Just venting a bit. -Dave
LeGaulois
July 14, 2020, 07:45:22 PM
When using such software it is also the user's responsibility to keep up to date with it. Especially since we're talking about money, it should be something natural for the user. It's not as if you were installing CCleaner.
Quote from: OcTradism
Vulnerabilities mostly come from users' faults:
- Don't back up their seeds.
- Don't secure the backup well.
- Don't set up a password for their wallet, or use a too bad/weak password.
- Don't verify the wallet.
- And so forth.
It's not what we call a vulnerability. A vulnerability is when someone finds a way to compromise code or a system due to coding/programming errors, software flaws, or whatever. What you describe is a habit problem of users.
HCP
July 14, 2020, 10:28:47 PM Merited by NotATether (1)
Quote from: Pffrt
Why did they release such a version without significant testing?
The thing is... the software was tested! It's just that no "good people"™ saw the potential of the server message being abused in such a way. It wasn't until "bad people"™ actually started abusing it that the developers realised the issue and patched it. Unfortunately, that's just the way these things work... It reminds me of some programming assignments I did back at university in my first year... simple stuff like designing a number selection menu etc. I'd code it up and test it, pressing numbers and selecting menu items, and it would work great... then I'd give it to my girlfriend (who was not tech savvy) and she would promptly "break" it by trying to type letters or special characters, because she thought differently to me and it just didn't occur to me that, when presented with menu items 1-4, someone would type a "J". Having her test all my code probably earned me at least 10% extra marks on most of my assignments!
Mpamaegbu
July 15, 2020, 02:06:47 AM
Quote from: Pffrt
With old versions of Electrum, people may lose their coins, as older versions have a vulnerability. Not everyone can keep up with all the news and updates, and they mistakenly use an older version which is vulnerable and lose their coins. Why are the users here always accused of being mistaken, while it is totally a mistake of Electrum itself? Why did they release such a version without significant testing? It really hurts when people complain that they have lost their coins by using an older version of Electrum.
It's because of this confusion around Electrum that I stopped using it two years ago. The many issues that led to people losing their cash, and Electrum's negligence in addressing them, isn't the right way to go with terrific customer care services.
Quote from: OcTradism
It is the user's double fault to believe in a pop-up message and not verify wallets.
Do you call Bitcoin Core vulnerable if a user still hasn't upgraded the wallet and still uses a years-old version?
Any wallet people use, verify it.
I would still think that if it's a trusted wallet, then the pop-up should also be trusted to come from the site. So, why would it redirect the customer out of the site to a scam site?
nc50lc
July 15, 2020, 02:06:49 AM
Quote from: OcTradism
I don't use the feature "Check for updates" in the wallet (Help > Check for updates). It is my carefulness only, and people should do this too. I don't simply believe in a pop-up message. I turn it off as follows: Preferences > General > Automatically check for software updates -snip-
It's worth mentioning that the past "phishing message vulnerability" wasn't connected to the update notification setting. It was the server-side error message that was disguised as an urgent upgrade notice (which will return as a generic message in the non-vulnerable versions). That setting, however, was introduced after that vulnerability and, as far as I know, based on the code, it's safe.
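To make the distinction nc50lc draws concrete, here is an added, simplified model (not Electrum's code, and not from any poster in this thread) of the two ways a client can treat the text of a server's JSON-RPC error: the pre-fix path hands it to the dialog verbatim, the hardened path shows only a fixed generic message and keeps a sanitized, length-bounded copy for logs, with a small heuristic to flag update-style wording during log review. The reply shapes, strings and the example.invalid link are constructed samples.

```python
import html
import json
import re
from typing import Optional

# Constructed sample: a JSON-RPC error reply of the kind a malicious server
# could return for any request. The shape follows JSON-RPC 2.0; the wording
# is invented for this example and is not taken from any real incident.
MALICIOUS_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 7,
    "error": {
        "code": -32000,
        "message": ("Your Electrum is outdated! Please update at "
                    "<a href=\"https://example.invalid/electrum\">"
                    "https://example.invalid/electrum</a>"),
    },
})

# Constructed sample: an ordinary error from a well-behaved server.
HONEST_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 8,
    "error": {"code": -32601, "message": "Method not found"},
})

# The only text the hardened client ever puts in front of the user.
GENERIC_TEXT = ("The server returned an error. Try another server, or check "
                "the official website for the current release.")

def server_error_message(raw: str) -> Optional[str]:
    """Return the error.message field of a JSON-RPC reply, or None if absent."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    err = obj.get("error") if isinstance(obj, dict) else None
    if not isinstance(err, dict):
        return None
    return str(err.get("message", ""))

def dialog_text_vulnerable(raw: str) -> str:
    """Pre-fix behaviour: whatever the server said goes straight to the dialog."""
    return server_error_message(raw) or ""

def dialog_text_hardened(raw: str) -> str:
    """Post-fix behaviour: the user sees a fixed, server-independent string."""
    if server_error_message(raw) is None:
        return ""
    return GENERIC_TEXT

def sanitize_for_log(msg: str, limit: int = 200) -> str:
    """Escape markup and bound the length before the raw text reaches a log."""
    return html.escape(msg)[:limit]

# Links or update/upgrade prompts have no business in a protocol error string.
_SUSPICIOUS = re.compile(r"(https?://|<a\b|\bupdate\b|\bupgrade\b)", re.I)

def looks_like_phishing(msg: str) -> bool:
    """Heuristic for log review: flag error text that reads like a notice."""
    return bool(_SUSPICIOUS.search(msg))
```

Run over a connection log, `looks_like_phishing` on the sanitized copies gives an operator a cheap way to spot servers that are sending notices instead of protocol errors.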
pooya87
July 15, 2020, 03:28:13 AM
Quote from: Pffrt
Not everyone can keep up with all the news and updates, and they mistakenly use an older version which is vulnerable and lose their coins.
It is like saying some people don't have time to go all the way to the crosswalk, wait for the light to turn green and then look both ways before crossing the street. They just jump into the middle of it and look at the clouds while crossing! Who would you blame when an accident happens in this case?
Quote from: OcTradism
I don't use the feature "Check for updates" in the wallet (Help > Check for updates). It is my carefulness only, and people should do this too. I don't simply believe in a pop-up message. I turn it off as follows: Preferences > General > Automatically check for software updates
That pop-up message is received securely over SSL (so it is protected against MITM), and on top of that it is signed using ECDSA (the same signature algorithm as every bitcoin transaction) using a hard-coded key in your client.
joniboini
July 15, 2020, 06:25:39 AM
Quote from: Pffrt
Why did they release such a version without significant testing?
I think this is where you go wrong. Most vulnerabilities are zero-day ones, not something that was deliberately left in when they released an app. And how do you know there was no significant testing? Because there's a bug 2 years after the release? If you feel the testing is not enough, feel free to join and test the app.
Quote from: Mpamaegbu
So, why would it redirect the customer out of the site to a scam site?
Because that's the attack/bug that the attacker uses. Even if you visit the official website, they tell you to verify the files.
Pmalek
July 15, 2020, 03:05:57 PM
Quote from: Mpamaegbu
I would still think that if it's a trusted wallet, then the pop-up should also be trusted to come from the site. So, why would it redirect the customer out of the site to a scam site?
Electrum didn't redirect the users. The malicious server owners did. And people became victims of their scam. There is no reason to abandon Electrum for that. You say you stopped using Electrum because of it. I didn't, and I am still fine. And so are many other people. Just don't click on everything you see and believe everything you read.
Mpamaegbu
July 15, 2020, 03:17:36 PM
Quote from: Pmalek
Electrum didn't redirect the users. The malicious server owners did. And people became victims of their scam. There is no reason to abandon Electrum for that. You say you stopped using Electrum because of it. I didn't, and I am still fine. And so are many other people. Just don't click on everything you see and believe everything you read.
It was a hard decision for me at the time I abandoned it, because I truly like the interface of that wallet. But I rescinded that decision yesterday and tried to download it from the Play Store, and the rating was below 4. Normally, I stay away from apps that are below a 4 rating. So, I'm still not sure if this is the same Electrum. Can you point me to the right site with the updated version, please?
Pmalek
July 15, 2020, 03:22:08 PM
Snip
You can download the .apk file of the Android version of Electrum 4.0.2 directly from the downloads area of their official site: https://electrum.org/#download They also posted a link to Google Play > https://play.google.com/store/apps/details?id=org.electrum.electrum
TryNinja
July 16, 2020, 03:53:29 PM
Quote from: Mpamaegbu
It was a hard decision for me at the time I abandoned it, because I truly like the interface of that wallet. But I rescinded that decision yesterday and tried to download it from the Play Store, and the rating was below 4. Normally, I stay away from apps that are below a 4 rating. So, I'm still not sure if this is the same Electrum. Can you point me to the right site with the updated version, please?
The rating is only that low because scammers botted them to make the app show up lower in the search results, while their fake apps are botted with 5 stars to appear legitimate. You would have been scammed easily if the fake app that did it was still in the store. Never trust trivial, easily exploited numbers. Either get the app URL from the official website and/or check the app's full name (which looks like com.electrum.wallet < example).
Mpamaegbu
July 17, 2020, 08:00:00 AM
Thanks, bro, for the links. I appreciate it. <snip>
<snip>
I appreciate these insights you guys have shared with me, and I believe other users will learn a thing or two from them too.