Critical Security Release: Please update to Electrum 3.0.5 - page 4.

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: xdrpx on January 07, 2018, 03:33:15 AM

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering that fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacked to use javascript to find my JSONRPC port and then perform transactions?

That won't help.

Quote from: xdrpx on January 07, 2018, 03:33:15 AM

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

There is no known way for them to steal your BTC in that case, though they can see your addresses/transactions and change your settings. I'm not sure (and maybe nobody yet fully knows) exactly how much damage they can do by changing your settings. So you should absolutely still update.

Quote from: jubalix on January 07, 2018, 05:03:12 AM

WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

That's normal, it means that his key isn't connected to your GPG trust graph. Typically you would --lsign-key the key after verifying it through some other method. PGP is kind of weird.

investorpgroovy

newbie

Activity: 58

Merit: 0

I believe Thomas is ecdsa on github..

https://github.com/spesmilo/electrum/issues/3374

Looks like mithrandi wrote the patch, maybe thats why the sig doesnt match

DooMAD

legendary

Activity: 3948

Merit: 3191

Leave no FUD unchallenged

Quote from: investorpgroovy on January 07, 2018, 04:13:25 AM

Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.

It's also recommended that all Firefox (or other Mozilla-based browser) users install the 'NoScript' browser extension. The website itself might look a little dated, but it's a good little plugin. It does take a while to get used to, but the extra security is worth the small learning curve. This will greatly reduce the general threat from malicious JavaScript while browsing online. Every website you visit can potentially allow any number of other linked websites to run malicious code through your browser. NoScript allows you to ensure that only the website you want to see can run code (and even then, only if you want it to) and block all the other, possibly dangerous, third party sites that might be linked through it.

jubalix

legendary

Activity: 2632

Merit: 1023

Quote from: vlom on January 07, 2018, 04:22:28 AM

keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:

gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

wait wait wait

so....its possible

[1] there is no error, and the site has been hacked to get everyone to down load the 3.0.4 which may have a backdoor in it.....

[2] or there is an error and the 3.0,4 site is hacked as well?

WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

vlom

legendary

Activity: 1498

Merit: 1117

keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:

gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

investorpgroovy

newbie

Activity: 58

Merit: 0

Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.

jubalix

legendary

Activity: 2632

Merit: 1023

This is kinda .... disappointing ... always air gap! though.

I would like to know the history of how this was missed and included in the code!

xdrpx

hero member

Activity: 616

Merit: 603

I had a couple of questions regarding the type of attack using JSONRPC to fetch wallet details and to perform transactions:

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering that fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacked to use javascript to find my JSONRPC port and then perform transactions?

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

Edit: I've raised a bug for TAILS to update their electrum version to 3.0.4 https://labs.riseup.net/code/issues/15151

aso118

legendary

Activity: 1918

Merit: 1012

★Nitrogensports.eu★

It is good that Theymos created an announcement ticker which flashes whenever somebody visits bitcointalk. Electrum is one of the most popular wallets among newbies, because of its light-weight nature. The headline news regarding internet security has really been bad this week - first the security flaws in intel chips and now this.

HCP

legendary

Activity: 2086

Merit: 4361

In theory, no more than any other vulnerability/virus/malware... if the system with the private keys/seed is running on an offline system, then the opportunity for "leaks" is pretty minimal... there ARE still attack vectors (compromised USB key etc), so it would probably be prudent to update.

Additionally, the "vulnerable" Electrum on your online computer, could still leak "private" data like your addresses/wallet info etc. (as opposed to "sensitive" data like the private keys/seed)

adaseb

legendary

Activity: 3808

Merit: 1723

So if you are using cold storage this shouldn't be much of an issue?

Abdussamad

legendary

Activity: 3682

Merit: 1580

A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Edit: 3.0.5 has now been released which fixes the bug.

Download from electrum.org/#download

Topic: Critical Security Release: Please update to Electrum 3.0.5 - page 4. (Read 947 times)