Windows blocked the file soon as I tried to open it.
I don't know who to trust now, if even the official website files get blocked.
Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .
Topic: Critical Security Release: Please update to Electrum 3.0.5 - page 2. (Read 949 times)
3.0.5 was just released which fixes this bug completely.
Hi,
New to this all.
I had an older version of the wallet.
Saw the warning and installed new version.
I am trying to recover the wallet. I went through the steps, created new wallet and put the seed in and created new password.
I don't see anything in my balance.
I'm not sure if I have done everything correctly. Do I need to move anything across from old wallet cause I have already deleted all the old files and only have the new ones.
Any help would be greatly appreciated.
New to this all.
I had an older version of the wallet.
Saw the warning and installed new version.
I am trying to recover the wallet. I went through the steps, created new wallet and put the seed in and created new password.
I don't see anything in my balance.
I'm not sure if I have done everything correctly. Do I need to move anything across from old wallet cause I have already deleted all the old files and only have the new ones.
Any help would be greatly appreciated.
Hi people, having Electrum running and surfing web simultaneous makes the security breach. right?
I wanna know the attacker can surf my hard drive too? has he/she any access to my appdata content too?
Can he/she steal the wallet files from AppData\Roaming\Electrum and other wallets from AppData\Roaming\ too
I wanna know the attacker can surf my hard drive too? has he/she any access to my appdata content too?
Can he/she steal the wallet files from AppData\Roaming\Electrum and other wallets from AppData\Roaming\ too
Looks like i need to use the latest one instead i already installed the electrum 3.0.4 and works great in windows 7 os i thought that this will be the same as 3.0 not work in win7 os
and had many bugs. for now i just install it in virtual machine just to investigate and monitor if this is not affected by CORS
Try this electrum twitter page and maybe someone can give how to show rpc logs
https://twitter.com/ElectrumWallet/status/949795637792518144
The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).
Note to all those people asking how to update you simply install the latest version just like you did last. If you used the windows installer last time then download and install with the latest version's windows installer. If you used pip3 on linux then do the same with the latest tarball.
To those asking for why I said mitigate it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.
Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/
Thanks for such a great information but would like to know why still need to block the localhost do you think if i block the localhost the other application in my laptop will be affected?
i already install the latest one and choose the segwit wallet instead and hope i don't experience any issue..
and had many bugs. for now i just install it in virtual machine just to investigate and monitor if this is not affected by CORS
Is there a log which shows if there were any recent connect attempts to the RPC ?
I was looking in github but i couldn't find any post that if electrum has rpc logs to watch if someone attempting to scan ports or trying to bruteforce and retrieve the passwordTry this electrum twitter page and maybe someone can give how to show rpc logs
https://twitter.com/ElectrumWallet/status/949795637792518144
The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).
Note to all those people asking how to update you simply install the latest version just like you did last. If you used the windows installer last time then download and install with the latest version's windows installer. If you used pip3 on linux then do the same with the latest tarball.
To those asking for why I said mitigate it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.
Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/
i already install the latest one and choose the segwit wallet instead and hope i don't experience any issue..
Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?
The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).
Note to all those people asking how to update you simply install the latest version just like you did last. If you used the windows installer last time then download and install with the latest version's windows installer. If you used pip3 on linux then do the same with the latest tarball.
To those asking for why I said mitigate it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.
Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/
Apologies for basic question, but just wanted to check the following:
I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?
Thanks in advance.
I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?
Thanks in advance.
Yes, that would work fine. Always make sure you have written down your seed phrase before upgrading just in case. You'll find instructions on how to split the coins on this board of the forum when you're ready to do it. If you're not using Electrum then there is also no hurry to upgrade. Just don't open the old Electrum and surf the web at the same time.
Thanks for your help, and for your post, too, BitcoinSupremo. I've downloaded 3.0.4 and all looks good. Really must get round to sorting out splitting coins and buying a ledger s nano. Wasn't long ago it seemed like an extravagant purchase for the size of my stash. Quite a different story now...
Is there a log which shows if there were any recent connect attempts to the RPC ?
Good question.
Having bitcoin is the most important and priority problem in my life recently
Is there a log which shows if there were any recent connect attempts to the RPC ?
Let me get something straight.
I simply installed v 3.0.4 to overwrite current version
Is this appropriate??
Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4 and then do a restore of the wallet
Yeah I have the same question. And would updating to 3.0.4 enough to be safe enough, or are the previous private keys compromised? And I need to transfer my coin? I simply installed v 3.0.4 to overwrite current version
Is this appropriate??
Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4 and then do a restore of the wallet
This is my question either.
Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?
Is the bug only for 3.0.3 version or older versions are affected?
Thomas, we need you and your security advice. where are you Sir?
Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?
i read this:
https://github.com/spesmilo/electrum/issues/3374
he was able to see the seed.
but this wallet was not password protected. with a password protected wallet:
so i think if your wallet was pw protected is was not possible to read the seed.
but if you are worried: install the newest version. create a new wallet and send all the coins to the new one.
https://github.com/spesmilo/electrum/issues/3374
Quote
Hello, I'm not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy 😛.
I installed Electrum to look, and I'm confused why this isn't being treated as a critical and urgent vulnerability? If this bug wasn't already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.
The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.
I made you a demo. It's very basic, but you get the idea.
If you did set a password, some misdirection is required, but it's still game over, no?
Here is how I reproduced:
Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank - the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with: seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: i dont use bitcoin, you can steal my empty wallet if you like)
I installed Electrum to look, and I'm confused why this isn't being treated as a critical and urgent vulnerability? If this bug wasn't already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.
The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.
I made you a demo. It's very basic, but you get the idea.
If you did set a password, some misdirection is required, but it's still game over, no?
Here is how I reproduced:
Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank - the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with: seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: i dont use bitcoin, you can steal my empty wallet if you like)
he was able to see the seed.
but this wallet was not password protected. with a password protected wallet:
Quote
Even with encrypted wallets, you can still change options, change destination addresses, deanonymize users via listaddresses and so on.
so i think if your wallet was pw protected is was not possible to read the seed.
but if you are worried: install the newest version. create a new wallet and send all the coins to the new one.
Let me get something straight.
I simply installed v 3.0.4 to overwrite current version
Is this appropriate??
Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4 and then do a restore of the wallet
Yeah I have the same question. And would updating to 3.0.4 enough to be safe enough, or are the previous private keys compromised? And I need to transfer my coin? I simply installed v 3.0.4 to overwrite current version
Is this appropriate??
Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4 and then do a restore of the wallet
I actually just installed Electrum for the first time yesterday, version 3.0.4, to use in conjunction with a Trezor. This doesn't sound like it would affect the keys on the Trezor device, but thought I'd ask here if that's a safe mindset.
I was actually in the process of sweeping some keys from another wallet to my Trezor wallet through the Electrum interface. Should I wait awhile before trying to do that given the vunerability?
I was actually in the process of sweeping some keys from another wallet to my Trezor wallet through the Electrum interface. Should I wait awhile before trying to do that given the vunerability?
Well i do have a password on my electrum.
But how many electrum users out there even know about this if they don't visit this forum. What percentage of electrum users even visit this forum daily or check the electrum website for updates?
Well i have updated electrum few times when i had version 2.0 or 2.1 etc and then needed to upgrade to 2.2 etc. But does anyone know when you do this when you download the new updated electrum on the website, do they ask you to type in the 12 word phrase? I assume they have to right? Because even though you still have old electrum wallet, it won't recognize it? I updated electrum few times and i'm trying to remember if it ask me to type in the 12 word phrase as that option i already have a 12 word phrase etc.
Also someone mentioned this as well. Is there a chance that this is a hack itself telling everyone to download the new electrum? Thus the mod and/or site got hacked?
I assume it would be fine to wait until the dust settles then? Because i can't imagine even 10 percent of electrum users know about this since they need to either visit this forum or visit the electrum website daily to make sure there is an update.
But how many electrum users out there even know about this if they don't visit this forum. What percentage of electrum users even visit this forum daily or check the electrum website for updates?
Well i have updated electrum few times when i had version 2.0 or 2.1 etc and then needed to upgrade to 2.2 etc. But does anyone know when you do this when you download the new updated electrum on the website, do they ask you to type in the 12 word phrase? I assume they have to right? Because even though you still have old electrum wallet, it won't recognize it? I updated electrum few times and i'm trying to remember if it ask me to type in the 12 word phrase as that option i already have a 12 word phrase etc.
Also someone mentioned this as well. Is there a chance that this is a hack itself telling everyone to download the new electrum? Thus the mod and/or site got hacked?
I assume it would be fine to wait until the dust settles then? Because i can't imagine even 10 percent of electrum users know about this since they need to either visit this forum or visit the electrum website daily to make sure there is an update.
Okay can someone explain exactly the issue here?
So what if you are using a version of electrum that is version 2.x and never upgraded for a while? Do you need to upgrade to the new electrum 3.0.4?
Also i have upgraded electrum few times when it was say electrum 2.3 to 2.5 etc. I have done this few times to the new version. But when you do this, does it require you to type down the 12 word phrase each time on the new wallet? I do not recall if it did or not. Also are you fine using electrum version 2.x as it is without upgrading right now?
So what if you are using a version of electrum that is version 2.x and never upgraded for a while? Do you need to upgrade to the new electrum 3.0.4?
Also i have upgraded electrum few times when it was say electrum 2.3 to 2.5 etc. I have done this few times to the new version. But when you do this, does it require you to type down the 12 word phrase each time on the new wallet? I do not recall if it did or not. Also are you fine using electrum version 2.x as it is without upgrading right now?
No. It effects every version that existed as a server can do an rpc call if you don't have a password on your wallet.
You may as well upgrade, I've only ever used portable versions as they're easier to set up but there shouldn't need to be 12 words inputted every time as the data folders should be the same place, however, inputting the 12 words isn't really that much effort anyways and they're not too difficult to memorise once you've done it a few times.
Okay can someone explain exactly the issue here?
So what if you are using a version of electrum that is version 2.x and never upgraded for a while? Do you need to upgrade to the new electrum 3.0.4?
Also i have upgraded electrum few times when it was say electrum 2.3 to 2.5 etc. I have done this few times to the new version. But when you do this, does it require you to type down the 12 word phrase each time on the new wallet? I do not recall if it did or not. Also are you fine using electrum version 2.x as it is without upgrading right now?
So what if you are using a version of electrum that is version 2.x and never upgraded for a while? Do you need to upgrade to the new electrum 3.0.4?
Also i have upgraded electrum few times when it was say electrum 2.3 to 2.5 etc. I have done this few times to the new version. But when you do this, does it require you to type down the 12 word phrase each time on the new wallet? I do not recall if it did or not. Also are you fine using electrum version 2.x as it is without upgrading right now?
Do you know if latest Electron Cash version is safe to use or not?
As it was forked from the same software the current version had the same issue. They have also released an update that you should upgrade to.
Do you know if latest Electron Cash version is safe to use or not?
Oh shit!
I have 13.5BTC in my Electrum wallet with passwords protected but not very strong. i haven't claimed any forks yet. I use windows 10 with a licensed Kaspersky security. what are best advices for me?
I have 13.5BTC in my Electrum wallet with passwords protected but not very strong. i haven't claimed any forks yet. I use windows 10 with a licensed Kaspersky security. what are best advices for me?
If you have BTC on an online Windows machine, you have pretty high risk of getting robbed at some point, and it's even worse if you have weak password. Antivirus programs are not making you immune to attacks, they are just preventing some small numbers of attacks. You should start doing research about security before it's too late - 13.5 BTC is a huge sum and it's absolutely worth all the hours and days you will spend learning. The common advice is to get a hardware wallet, but even then you have to know some basic stuff to avoid some risks.
Jump to: