Topic: Critical Security Release: Please update to Electrum 3.0.5 - page 2. (Read 956 times)

newbie
Activity: 7
Merit: 0
Windows blocked the file as soon as I tried to open it.

I don't know who to trust now, if even the official website files get blocked.

Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .
legendary
Activity: 3710
Merit: 1586
3.0.5 was just released which fixes this bug completely.
newbie
Activity: 7
Merit: 0
Hi,

New to this all.

I had an older version of the wallet.

Saw the warning and installed new version.

I am trying to recover the wallet. I went through the steps, created new wallet and put the seed in and created new password.

I don't see anything in my balance.

I'm not sure if I have done everything correctly. Do I need to move anything across from the old wallet, because I have already deleted all the old files and only have the new ones?

Any help would be greatly appreciated.
full member
Activity: 241
Merit: 100
Hi people, having Electrum running and surfing the web simultaneously makes the security breach, right?

I want to know: can the attacker surf my hard drive too? Does he/she have any access to my AppData content too?

Can he/she steal the wallet files from AppData\Roaming\Electrum and other wallets from AppData\Roaming\ too?
legendary
Activity: 3472
Merit: 3217
Looks like I need to use the latest one instead. I already installed Electrum 3.0.4 and it works great on Windows 7; I thought that this would be the same as 3.0, which did not work on Win7 and had many bugs. For now I just installed it in a virtual machine to investigate and monitor whether this is not affected by CORS.

Is there a log which shows if there were any recent connect attempts to the RPC ?
I was looking on GitHub but I couldn't find any post about whether Electrum has RPC logs to watch if someone is attempting to scan ports or trying to brute-force and retrieve the password.
Try this Electrum Twitter page; maybe someone can explain how to show RPC logs:
https://twitter.com/ElectrumWallet/status/949795637792518144

The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).

Note to all those people asking how to update: you simply install the latest version just like you did last time. If you used the Windows installer last time then download and install with the latest version's Windows installer. If you used pip3 on Linux then do the same with the latest tarball.

To those asking why I said mitigate: it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.

Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/
Thanks for such great information, but I would like to know why I still need to block localhost. Do you think that if I block localhost the other applications on my laptop will be affected?
I already installed the latest one and chose the SegWit wallet instead, and I hope I don't experience any issue.
legendary
Activity: 3710
Merit: 1586
Hello guys, I would like to know if I'm one of those affected by this critical issue. I just heard that they found that CORS is enabled from Electrum 3.0.3.
Do you think an old version of Electrum like 2.9.2 is affected by this issue?
My wallet is also password protected, so I feel safe?

The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).

Note to all those people asking how to update: you simply install the latest version just like you did last time. If you used the Windows installer last time then download and install with the latest version's Windows installer. If you used pip3 on Linux then do the same with the latest tarball.

To those asking why I said mitigate: it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.

Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/
newbie
Activity: 2
Merit: 0
Apologies for basic question, but just wanted to check the following:

I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?

Thanks in advance.

Yes, that would work fine. Always make sure you have written down your seed phrase before upgrading just in case. You'll find instructions on how to split the coins on this board of the forum when you're ready to do it. If you're not using Electrum then there is also no hurry to upgrade. Just don't open the old Electrum and surf the web at the same time.


Thanks for your help, and for your post, too, BitcoinSupremo. I've downloaded 3.0.4 and all looks good. Really must get round to sorting out splitting coins and buying a Ledger Nano S. Wasn't long ago it seemed like an extravagant purchase for the size of my stash. Quite a different story now...
sr. member
Activity: 1120
Merit: 255
Is there a log which shows if there were any recent connect attempts to the RPC ?

Good question.

Having bitcoin is the most important and priority problem in my life recently
legendary
Activity: 3808
Merit: 1723
Is there a log which shows if there were any recent connect attempts to the RPC ?
sr. member
Activity: 1120
Merit: 255
Let me get something straight.

I simply installed v3.0.4 to overwrite the current version.
Is this appropriate?

Or do I have to completely uninstall the old version, then reinstall the new v3.0.4, and then do a restore of the wallet?
Yeah, I have the same question. And would updating to 3.0.4 be enough to be safe, or are the previous private keys compromised? And do I need to transfer my coins?

This is my question too.

Hello guys, I would like to know if I'm one of those affected by this critical issue. I just heard that they found that CORS is enabled from Electrum 3.0.3.
Do you think an old version of Electrum like 2.9.2 is affected by this issue?
My wallet is also password protected, so I feel safe?

Is the bug only in version 3.0.3, or are older versions affected?

Thomas, we need you and your security advice. where are you Sir?
legendary
Activity: 1638
Merit: 1046
Hello guys, I would like to know if I'm one of those affected by this critical issue. I just heard that they found that CORS is enabled from Electrum 3.0.3.
Do you think an old version of Electrum like 2.9.2 is affected by this issue?
My wallet is also password protected, so I feel safe?
legendary
Activity: 1498
Merit: 1117
I read this:

https://github.com/spesmilo/electrum/issues/3374

Quote
Hello, I'm not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy 😛.

I installed Electrum to look, and I'm confused why this isn't being treated as a critical and urgent vulnerability? If this bug wasn't already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.

The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.

I made you a demo. It's very basic, but you get the idea.

If you did set a password, some misdirection is required, but it's still game over, no?

Here is how I reproduced:

Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank - the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with: seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: I don't use bitcoin, you can steal my empty wallet if you like)

He was able to see the seed.

But this wallet was not password protected. With a password-protected wallet:

Quote
Even with encrypted wallets, you can still change options, change destination addresses, deanonymize users via listaddresses and so on.

So I think if your wallet was password protected it was not possible to read the seed.

But if you are worried: install the newest version, create a new wallet and send all the coins to the new one.
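The quoted issue and the reply above make two separate points: a page in a browser can find the local RPC port and call it, and wallet encryption only protects the seed, not methods such as listaddresses. The listener therefore needs its own defenses, independent of the wallet password. The following is an added example, not Electrum's code: a toy localhost JSON-RPC listener that refuses any request carrying a browser Origin header and never emits CORS headers (the kind of browser-only mitigation the "mitigate" post describes), and that additionally requires HTTP Basic authentication with a random credential pair generated at start (the kind of complete fix that also stops non-browser local clients). The rpcuser name, the "toy-0.1" version string, the method table and the sample addresses are all constructed for this example.

```python
"""Toy hardened localhost JSON-RPC listener (added example, not Electrum's code).

Two layers:
  1. refuse browser-originated requests (any request carrying an Origin header)
     and never emit Access-Control-Allow-* headers, so a page cannot even make a
     preflight-free "simple" POST have side effects;
  2. require HTTP Basic auth with a random per-start credential pair, because
     wallet encryption alone does not protect methods like listaddresses.
Method names, the version string and the addresses are constructed sample data.
"""
import base64
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data standing in for wallet state.
SAMPLE_ADDRESSES = ["addr_example_1", "addr_example_2"]
METHODS = {
    "version": lambda: "toy-0.1",
    "listaddresses": lambda: list(SAMPLE_ADDRESSES),
}


class Listener:
    """Binds 127.0.0.1 on a random port and serves from a background thread."""

    def __init__(self):
        self.user = "rpcuser"                      # assumed name, like rpcuser
        self.password = secrets.token_urlsafe(16)  # random per start, like rpcpassword
        self.server = HTTPServer(("127.0.0.1", 0), self._handler_class())
        self.port = self.server.server_address[1]
        self._thread = threading.Thread(target=self.server.serve_forever, daemon=True)
        self._thread.start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()

    def _handler_class(self):
        token = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        expected = ("Basic " + token).encode()

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):
                pass  # keep the example quiet

            def _reply(self, status, payload, extra=()):
                body = json.dumps(payload).encode()
                self.send_response(status)
                for name, value in extra:
                    self.send_header(name, value)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def do_OPTIONS(self):
                # Preflight gets no Access-Control-Allow-* headers, so the browser
                # blocks the cross-origin call before it is sent.
                self._reply(403, {"error": "cross-origin requests are not accepted"})

            def do_POST(self):
                # Layer 1: browsers attach Origin to cross-site requests; refuse them
                # before doing any work, so even preflight-free POSTs have no effect.
                if "Origin" in self.headers:
                    self._reply(403, {"error": "cross-origin requests are not accepted"})
                    return
                # Layer 2: Basic auth with the random credentials (constant-time compare).
                given = self.headers.get("Authorization", "").encode()
                if not secrets.compare_digest(given, expected):
                    self._reply(401, {"error": "authentication required"},
                                extra=[("WWW-Authenticate", 'Basic realm="rpc"')])
                    return
                length = int(self.headers.get("Content-Length", "0"))
                try:
                    req = json.loads(self.rfile.read(length))
                    method = METHODS[req["method"]]
                except (ValueError, KeyError, TypeError):
                    self._reply(200, {"jsonrpc": "2.0", "id": None,
                                      "error": {"code": -32601, "message": "bad request"}})
                    return
                self._reply(200, {"jsonrpc": "2.0", "id": req.get("id"), "result": method()})

        return Handler


def rpc_call(port, method, auth=None, origin=None):
    """Local client helper: returns (http_status, parsed_json_or_None)."""
    headers = {"Content-Type": "application/json"}
    if origin is not None:
        headers["Origin"] = origin  # what a browser would add to a cross-site request
    if auth is not None:
        headers["Authorization"] = "Basic " + base64.b64encode(
            f"{auth[0]}:{auth[1]}".encode()).decode()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/", body=json.dumps(
        {"jsonrpc": "2.0", "id": 1, "method": method, "params": []}), headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    try:
        return resp.status, json.loads(raw)
    except ValueError:
        return resp.status, None


if __name__ == "__main__":
    lst = Listener()
    print("browser-style:", rpc_call(lst.port, "listaddresses", origin="http://site.example"))
    print("no auth:      ", rpc_call(lst.port, "listaddresses"))
    print("authenticated:", rpc_call(lst.port, "listaddresses", auth=(lst.user, lst.password)))
    lst.close()
```

Run stand-alone, the first call is rejected with 403 regardless of credentials, the second with 401, and only the locally authenticated call returns the address list. The Origin check comes first on purpose: a browser-originated request is refused before credentials are even examined, and the random credential is what makes the listener safe from other local processes that the browser-only mitigation does not cover.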
hero member
Activity: 1050
Merit: 529
Let me get something straight.

I simply installed v3.0.4 to overwrite the current version.
Is this appropriate?

Or do I have to completely uninstall the old version, then reinstall the new v3.0.4, and then do a restore of the wallet?
Yeah, I have the same question. And would updating to 3.0.4 be enough to be safe, or are the previous private keys compromised? And do I need to transfer my coins?
newbie
Activity: 2
Merit: 0
I actually just installed Electrum for the first time yesterday, version 3.0.4, to use in conjunction with a Trezor. This doesn't sound like it would affect the keys on the Trezor device, but I thought I'd ask here if that's a safe mindset.

I was actually in the process of sweeping some keys from another wallet to my Trezor wallet through the Electrum interface. Should I wait a while before trying to do that, given the vulnerability?
full member
Activity: 1792
Merit: 186
Well, I do have a password on my Electrum.

But how many Electrum users out there even know about this if they don't visit this forum? What percentage of Electrum users even visit this forum daily or check the Electrum website for updates?

Well, I have updated Electrum a few times when I had version 2.0 or 2.1 etc. and then needed to upgrade to 2.2 etc. But does anyone know, when you do this and download the new updated Electrum from the website, do they ask you to type in the 12-word phrase? I assume they have to, right? Because even though you still have the old Electrum wallet, it won't recognize it? I updated Electrum a few times and I'm trying to remember if it asked me to type in the 12-word phrase, as the option that I already have a 12-word phrase etc.

Also someone mentioned this as well. Is there a chance that this is a hack itself, telling everyone to download the new Electrum? Thus the mod and/or site got hacked?

I assume it would be fine to wait until the dust settles then? Because I can't imagine even 10 percent of Electrum users know about this, since they need to either visit this forum or visit the Electrum website daily to make sure there is an update.
copper member
Activity: 2856
Merit: 3071
Okay can someone explain exactly the issue here?

So what if you are using a version of electrum that is version 2.x and never upgraded for a while?  Do you need to upgrade to the new electrum 3.0.4?

Also, I have upgraded Electrum a few times when it was, say, Electrum 2.3 to 2.5 etc. I have done this a few times to the new version. But when you do this, does it require you to type in the 12-word phrase each time on the new wallet? I do not recall if it did or not. Also, are you fine using Electrum version 2.x as it is without upgrading right now?

No. It affects every version that existed, as a server can do an RPC call if you don't have a password on your wallet.
You may as well upgrade. I've only ever used portable versions as they're easier to set up, but there shouldn't need to be 12 words inputted every time as the data folders should be in the same place; however, inputting the 12 words isn't really that much effort anyway and they're not too difficult to memorise once you've done it a few times.
full member
Activity: 1792
Merit: 186
Okay can someone explain exactly the issue here?

So what if you are using a version of electrum that is version 2.x and never upgraded for a while?  Do you need to upgrade to the new electrum 3.0.4?

Also, I have upgraded Electrum a few times when it was, say, Electrum 2.3 to 2.5 etc. I have done this a few times to the new version. But when you do this, does it require you to type in the 12-word phrase each time on the new wallet? I do not recall if it did or not. Also, are you fine using Electrum version 2.x as it is without upgrading right now?
hero member
Activity: 2576
Merit: 883
Do you know if latest Electron Cash version is safe to use or not?

As it was forked from the same software the current version had the same issue. They have also released an update that you should upgrade to.
hero member
Activity: 811
Merit: 512
Do you know if latest Electron Cash version is safe to use or not?
legendary
Activity: 3038
Merit: 2162
Oh shit!

I have 13.5 BTC in my Electrum wallet, password protected but not very strong. I haven't claimed any forks yet. I use Windows 10 with licensed Kaspersky security. What is the best advice for me?

If you have BTC on an online Windows machine, you have a pretty high risk of getting robbed at some point, and it's even worse if you have a weak password. Antivirus programs are not making you immune to attacks; they are just preventing a small number of attacks. You should start doing research about security before it's too late: 13.5 BTC is a huge sum and it's absolutely worth all the hours and days you will spend learning. The common advice is to get a hardware wallet, but even then you have to know some basic stuff to avoid some risks.