Critical Security Release: Please update to Electrum 3.0.5

Millionero

sr. member

Activity: 807

Merit: 423

Quote from: ThomasV on January 11, 2018, 10:23:06 AM

Quote from: Niya on January 08, 2018, 03:50:14 PM

So, to recap, if we upgrade to 3.0.5. we can run Electrum and browse the web or run other apps at the same time safely, with no worries, right?
Also, why Thomas is not speaking in this thread? This is one of the worst problems in the whole Electrum history and it's strange its main developer wrote nothing about that here on bitcointalk...

I opened another thread, which is pinned.

https://bitcointalksearch.org/topic/vulnerability-discovered-in-electrum-26-to-304-please-upgrade-2721388

LZ

legendary

Activity: 1722

Merit: 1072

P2P Cryptocurrency

Quote from: pesetacoin33 on January 11, 2018, 09:27:39 AM

I have windows view. When running version 3.0.5 of electrum, it gives me errors: in api-ms-win-crt-runtime-I1-1-0.dll and in python_dll.

You need to install KB2999226 (to install it you may also need to install the latest Service Pack).

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: Niya on January 08, 2018, 03:50:14 PM

So, to recap, if we upgrade to 3.0.5. we can run Electrum and browse the web or run other apps at the same time safely, with no worries, right?
Also, why Thomas is not speaking in this thread? This is one of the worst problems in the whole Electrum history and it's strange its main developer wrote nothing about that here on bitcointalk...

I opened another thread, which is pinned.

pesetacoin33

newbie

Activity: 33

Merit: 0

1) I have windows view. When running version 3.0.5 of electrum, it gives me errors: in api-ms-win-crt-runtime-I1-1-0.dll and in python_dll. I downloaded these dll, but the errors continue. Then I said that I have to download the pyqt5 program and its packages, but it's very complicated. It seems to me that version 3.0.5 is too complicated to install. What solutions can I have?

2) Version 2.9.3 I protected it with a password from the beginning. Should I update even if I put a password?

Thanks you so much

TheQuin

hero member

Activity: 2576

Merit: 883

Freebitco.in Support https://bit.ly/2I9BVS2

Quote from: Millionero on January 10, 2018, 08:59:44 AM

How do I check which electrum version I'm running? I followed the instructions at the electrum website to install 3.05. What command can I type that will print the version number now, so I can be sure?

Just look at the top left of the window

Also the Help > About

Millionero

sr. member

Activity: 807

Merit: 423

How do I check which electrum version I'm running? I followed the instructions at the electrum website to install 3.05. What command can I type that will print the version number now, so I can be sure?

Abdussamad

legendary

Activity: 3710

Merit: 1586

Quote from: jackg on January 08, 2018, 08:25:26 AM

Quote from: xbtboss on January 08, 2018, 07:29:05 AM

Hi
Use 3.0.3
What is the main danger? It is possible more in detail? If I use the wallet on a separate laptop without surfing on the Internet, for me there is still a threat?
+ ptotected by password strong

Providing there's a strong password your encrypted seed can be gathered but if the password is 15+ chars it can't be hacked.

It is recommended you upgrade but if you have a password and dont surf the web from that device there shouldn't be too much of a threat.

Encrypted seed cannot be gathered i.e. they cannot get at the cipher text . All they can do is attempt to guess your password via the json rpc interface. That is a slow process so it's not really going to crack any sort of reasonably strong password.

Abdussamad

legendary

Activity: 3710

Merit: 1586

Quote from: jerry0 on January 08, 2018, 07:37:02 PM

Can others confirm here 100 percent that downloading the electrum windows installer from the official website is safe?

People say to look at the signature but you dont need to look at it though right if its the actual website since everyone who downloads electrum the new version is downloading it directly from electrum website?

You should check the signature since websites can get hacked. There are also lots of fake websites out there. Checking the signature rules out all of this. Sure it's a bit of a bother to learn how to check the sig but once you've learned it you can keep doing it every time you update electrum. And you will have to update electrum because it gets new releases very often.

jerry0

full member

Activity: 1792

Merit: 186

Can others confirm here 100 percent that downloading the electrum windows installer from the official website is safe?

People say to look at the signature but you dont need to look at it though right if its the actual website since everyone who downloads electrum the new version is downloading it directly from electrum website?

Abdussamad

legendary

Activity: 3710

Merit: 1586

Quote from: Niya on January 08, 2018, 03:50:14 PM

Quote from: Abdussamad on January 07, 2018, 07:54:48 PM

3.0.5 was just released which fixes this bug completely.

Very good!

So, to recap, if we upgrade to 3.0.5. we can run Electrum and browse the web or run other apps at the same time safely, with no worries, right?
Also, why Thomas is not speaking in this thread? This is one of the worst problems in the whole Electrum history and it's strange its main developer wrote nothing about that here on bitcointalk...

He and the other developers were busy fixing the bug. He's said he will put out a statement soon.

The bug mainly affects people with no password on their wallets. If you have any sort of strong password like 10+ mixed characters you are safe.

asdlolciterquit

hero member

Activity: 1666

Merit: 565

Quote from: Mordaz on January 08, 2018, 06:55:51 AM

Quote from: jubalix on January 07, 2018, 03:54:17 AM

This is kinda .... disappointing ... always air gap! though.

Ditto! IMHO, air gap is more secure than a hardware wallet.

ok well, air gap is great, but don't you think that is much more easy to buy and use a hardware wallet than to create an air gap? I don't even know where to start...

Niya

hero member

Activity: 811

Merit: 512

Enhalo Mining

Quote from: Abdussamad on January 07, 2018, 07:54:48 PM

3.0.5 was just released which fixes this bug completely.

Very good!

So, to recap, if we upgrade to 3.0.5. we can run Electrum and browse the web or run other apps at the same time safely, with no worries, right?
Also, why Thomas is not speaking in this thread? This is one of the worst problems in the whole Electrum history and it's strange its main developer wrote nothing about that here on bitcointalk...

jerry0

full member

Activity: 1792

Merit: 186

Hey all. Just want to make sure of this.

So download electrum from the website using windows installer like i did previously. When i do this, would i need to copy and paste my 12 word seed? I have updated electrum few times when it was in the 2.x version but i don't recall if i need to? For example when you want to install electrum on a new device, you would install electrum and then click on i already have a seed and then you type the seed etc.

Thanks.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Quote from: xbtboss on January 08, 2018, 07:29:05 AM

Hi
Use 3.0.3
What is the main danger? It is possible more in detail? If I use the wallet on a separate laptop without surfing on the Internet, for me there is still a threat?
+ ptotected by password strong

Providing there's a strong password your encrypted seed can be gathered but if the password is 15+ chars it can't be hacked.

It is recommended you upgrade but if you have a password and dont surf the web from that device there shouldn't be too much of a threat.

xbtboss

newbie

Activity: 14

Merit: 0

Hi
Use 3.0.3
What is the main danger? It is possible more in detail? If I use the wallet on a separate laptop without surfing on the Internet, for me there is still a threat?
+ ptotected by password strong

Mordaz

newbie

Activity: 2

Merit: 0

Quote from: jubalix on January 07, 2018, 03:54:17 AM

This is kinda .... disappointing ... always air gap! though.

Ditto! IMHO, air gap is more secure than a hardware wallet.

Ghostdoggoz

newbie

Activity: 7

Merit: 0

Quote from: pooya87 on January 08, 2018, 12:08:21 AM

Quote from: Ghostdoggoz on January 07, 2018, 08:05:43 PM

Windows blocked the file soon as I tried to open it.

I don't know who to trust now, if even the official website files get blocked.

Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .

your Malwarebyte is not blocking the official website! nor is it blocking Electrum!

what it is blocking is an Electrum server called "us01.hamster.science". and that is a false positive that only Malwarebyte blocks for some reason.
just go to your Network settings (you can click on the circle at the bottom right corner of the Electrum window) and change your server from there. choose any other ones and you are good to go.

Thankyou. Now to figure out where my coins are lol.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: Ghostdoggoz on January 07, 2018, 08:05:43 PM

Windows blocked the file soon as I tried to open it.

I don't know who to trust now, if even the official website files get blocked.

Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .

your Malwarebyte is not blocking the official website! nor is it blocking Electrum!

what it is blocking is an Electrum server called "us01.hamster.science". and that is a false positive that only Malwarebyte blocks for some reason.
just go to your Network settings (you can click on the circle at the bottom right corner of the Electrum window) and change your server from there. choose any other ones and you are good to go.

Potent

full member

Activity: 241

Merit: 100

Quote from: Potent on January 07, 2018, 05:49:12 PM

Hi people, having Electrum running and surfing web simultaneous makes the security breach. right?

I wanna know the attacker can surf my hard drive too? has he/she any access to my appdata content too?

Can he/she steal the wallet files from AppData\Roaming\Electrum and other wallets from AppData\Roaming\ too Huh

Should i make a new wallets for altcoins that have been at AppData\Roaming? Have other altcoins wallets leaked from this security bug?

tehol_bedict

newbie

Activity: 1

Merit: 0

I used electrum to sign an address that I have stored on my Trezor, does anybody know if this would this make me vulnerable? I don't want to move the coins if I don't have to, since I signed up for an airdrop and would lose my spot in the queue.

I feel like probably not, but better safe than sorry?

Ghostdoggoz

newbie

Activity: 7

Merit: 0

Windows blocked the file soon as I tried to open it.

I don't know who to trust now, if even the official website files get blocked.

Also I get the pop up when I open Electrum wallet, http://puu.sh/yWxUb/329776e8f1.png .

Abdussamad

legendary

Activity: 3710

Merit: 1586

3.0.5 was just released which fixes this bug completely.

Ghostdoggoz

newbie

Activity: 7

Merit: 0

Hi,

New to this all.

I had an older version of the wallet.

Saw the warning and installed new version.

I am trying to recover the wallet. I went through the steps, created new wallet and put the seed in and created new password.

I don't see anything in my balance.

I'm not sure if I have done everything correctly. Do I need to move anything across from old wallet cause I have already deleted all the old files and only have the new ones.

Any help would be greatly appreciated.

Potent

full member

Activity: 241

Merit: 100

Hi people, having Electrum running and surfing web simultaneous makes the security breach. right?

I wanna know the attacker can surf my hard drive too? has he/she any access to my appdata content too?

Can he/she steal the wallet files from AppData\Roaming\Electrum and other wallets from AppData\Roaming\ too Huh

BitMaxz

legendary

Activity: 3472

Merit: 3217

Playbet.io - Crypto Casino and Sportsbook

Looks like i need to use the latest one instead i already installed the electrum 3.0.4 and works great in windows 7 os i thought that this will be the same as 3.0 not work in win7 os
and had many bugs. for now i just install it in virtual machine just to investigate and monitor if this is not affected by CORS

Quote from: adaseb on January 07, 2018, 02:46:40 PM

Is there a log which shows if there were any recent connect attempts to the RPC ?

I was looking in github but i couldn't find any post that if electrum has rpc logs to watch if someone attempting to scan ports or trying to bruteforce and retrieve the password
Try this electrum twitter page and maybe someone can give how to show rpc logs
https://twitter.com/ElectrumWallet/status/949795637792518144

Quote from: Abdussamad on January 07, 2018, 04:35:06 PM

The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).

Note to all those people asking how to update you simply install the latest version just like you did last. If you used the windows installer last time then download and install with the latest version's windows installer. If you used pip3 on linux then do the same with the latest tarball.

To those asking for why I said mitigate it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.

Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/

Thanks for such a great information but would like to know why still need to block the localhost do you think if i block the localhost the other application in my laptop will be affected?
i already install the latest one and choose the segwit wallet instead and hope i don't experience any issue..

Abdussamad

legendary

Activity: 3710

Merit: 1586

Quote from: crairezx20 on January 07, 2018, 02:27:30 PM

Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?

The bug has been there since 2.5. You should upgrade to the latest version. Your wallet is unlikely to have been compromised since you have a password on it. If it makes you feel better create a new wallet and move your coins there (after upgrading electrum of course).

Note to all those people asking how to update you simply install the latest version just like you did last. If you used the windows installer last time then download and install with the latest version's windows installer. If you used pip3 on linux then do the same with the latest tarball.

To those asking for why I said mitigate it's because this is not a complete fix to this vulnerability. It just asks browsers not to access your wallet. But other apps can still do it. A complete fix will take time and there will be another release for that.

Regarding blocking access via a firewall: https://www.reddit.com/r/Electrum/comments/7oj9h6/security_psa_the_jsonrpc_server_is_reachable_from/dsc3vxl/

inastorytold

newbie

Activity: 2

Merit: 0

Quote from: TheQuin on January 07, 2018, 08:05:43 AM

Quote from: inastorytold on January 07, 2018, 07:55:10 AM

Apologies for basic question, but just wanted to check the following:

I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?

Thanks in advance.

Yes, that would work fine. Always make sure you have written down your seed phrase before upgrading just in case. You'll find instructions on how to split the coins on this board of the forum when you're ready to do it. If you're not using Electrum then there is also no hurry to upgrade. Just don't open the old Electrum and surf the web at the same time.

Thanks for your help, and for your post, too, BitcoinSupremo. I've downloaded 3.0.4 and all looks good. Really must get round to sorting out splitting coins and buying a ledger s nano. Wasn't long ago it seemed like an extravagant purchase for the size of my stash. Quite a different story now...

Darooghe

sr. member

Activity: 1120

Merit: 255

Quote from: adaseb on January 07, 2018, 02:46:40 PM

Is there a log which shows if there were any recent connect attempts to the RPC ?

Good question.

Having bitcoin is the most important and priority problem in my life recently

adaseb

legendary

Activity: 3808

Merit: 1723

Is there a log which shows if there were any recent connect attempts to the RPC ?

Darooghe

sr. member

Activity: 1120

Merit: 255

Quote from: jtipt on January 07, 2018, 12:50:29 PM

Quote from: schyter on January 07, 2018, 07:54:55 AM

Let me get something straight.

I simply installed v 3.0.4 to overwrite current version
Is this appropriate??

Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4 and then do a restore of the wallet

Yeah I have the same question. And would updating to 3.0.4 enough to be safe enough, or are the previous private keys compromised? And I need to transfer my coin?

This is my question either.

Quote from: crairezx20 on January 07, 2018, 02:27:30 PM

Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?

Is the bug only for 3.0.3 version or older versions are affected?

Thomas, we need you and your security advice. where are you Sir?

crairezx20

legendary

Activity: 1638

Merit: 1046

Hello guys would like to know if i'm one of the affected of this critical issue i just heard that they found that CORS is enabled from electrum 3.0.3.
Do you think old version of electrum like 2.9.2 is affected with this issue?
My wallet is also password protected so i feel safe?

vlom

legendary

Activity: 1498

Merit: 1117

i read this:

https://github.com/spesmilo/electrum/issues/3374

Quote

Hello, I'm not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy 😛.

I installed Electrum to look, and I'm confused why this isn't being treated as a critical and urgent vulnerability? If this bug wasn't already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.

The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.

I made you a demo. It's very basic, but you get the idea.

If you did set a password, some misdirection is required, but it's still game over, no?

Here is how I reproduced:

Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank - the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with: seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: i dont use bitcoin, you can steal my empty wallet if you like)

he was able to see the seed.

but this wallet was not password protected. with a password protected wallet:

Quote

Even with encrypted wallets, you can still change options, change destination addresses, deanonymize users via listaddresses and so on.

so i think if your wallet was pw protected is was not possible to read the seed.

but if you are worried: install the newest version. create a new wallet and send all the coins to the new one.

jtipt

hero member

Activity: 1050

Merit: 529

Quote from: schyter on January 07, 2018, 07:54:55 AM

Let me get something straight.

I simply installed v 3.0.4 to overwrite current version
Is this appropriate??

Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4 and then do a restore of the wallet

Yeah I have the same question. And would updating to 3.0.4 enough to be safe enough, or are the previous private keys compromised? And I need to transfer my coin?

cryptoelusion

newbie

Activity: 2

Merit: 0

I actually just installed Electrum for the first time yesterday, version 3.0.4, to use in conjunction with a Trezor. This doesn't sound like it would affect the keys on the Trezor device, but thought I'd ask here if that's a safe mindset.

I was actually in the process of sweeping some keys from another wallet to my Trezor wallet through the Electrum interface. Should I wait awhile before trying to do that given the vunerability?

jerry0

full member

Activity: 1792

Merit: 186

Well i do have a password on my electrum.

But how many electrum users out there even know about this if they don't visit this forum. What percentage of electrum users even visit this forum daily or check the electrum website for updates?

Well i have updated electrum few times when i had version 2.0 or 2.1 etc and then needed to upgrade to 2.2 etc. But does anyone know when you do this when you download the new updated electrum on the website, do they ask you to type in the 12 word phrase? I assume they have to right? Because even though you still have old electrum wallet, it won't recognize it? I updated electrum few times and i'm trying to remember if it ask me to type in the 12 word phrase as that option i already have a 12 word phrase etc.

Also someone mentioned this as well. Is there a chance that this is a hack itself telling everyone to download the new electrum? Thus the mod and/or site got hacked?

I assume it would be fine to wait until the dust settles then? Because i can't imagine even 10 percent of electrum users know about this since they need to either visit this forum or visit the electrum website daily to make sure there is an update.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Quote from: jerry0 on January 07, 2018, 10:52:33 AM

Okay can someone explain exactly the issue here?

So what if you are using a version of electrum that is version 2.x and never upgraded for a while? Do you need to upgrade to the new electrum 3.0.4?

Also i have upgraded electrum few times when it was say electrum 2.3 to 2.5 etc. I have done this few times to the new version. But when you do this, does it require you to type down the 12 word phrase each time on the new wallet? I do not recall if it did or not. Also are you fine using electrum version 2.x as it is without upgrading right now?

No. It effects every version that existed as a server can do an rpc call if you don't have a password on your wallet.
You may as well upgrade, I've only ever used portable versions as they're easier to set up but there shouldn't need to be 12 words inputted every time as the data folders should be the same place, however, inputting the 12 words isn't really that much effort anyways and they're not too difficult to memorise once you've done it a few times.

jerry0

full member

Activity: 1792

Merit: 186

Okay can someone explain exactly the issue here?

So what if you are using a version of electrum that is version 2.x and never upgraded for a while? Do you need to upgrade to the new electrum 3.0.4?

Also i have upgraded electrum few times when it was say electrum 2.3 to 2.5 etc. I have done this few times to the new version. But when you do this, does it require you to type down the 12 word phrase each time on the new wallet? I do not recall if it did or not. Also are you fine using electrum version 2.x as it is without upgrading right now?

TheQuin

hero member

Activity: 2576

Merit: 883

Freebitco.in Support https://bit.ly/2I9BVS2

Quote from: Niya on January 07, 2018, 10:07:58 AM

Do you know if latest Electron Cash version is safe to use or not?

As it was forked from the same software the current version had the same issue. They have also released an update that you should upgrade to.

Niya

hero member

Activity: 811

Merit: 512

Enhalo Mining

Do you know if latest Electron Cash version is safe to use or not?

hatshepsut93

legendary

Activity: 3038

Merit: 2162

Quote from: gishab56 on January 07, 2018, 09:03:34 AM

Oh shit!

I have 13.5BTC in my Electrum wallet with passwords protected but not very strong. i haven't claimed any forks yet. I use windows 10 with a licensed Kaspersky security. what are best advices for me?

If you have BTC on an online Windows machine, you have pretty high risk of getting robbed at some point, and it's even worse if you have weak password. Antivirus programs are not making you immune to attacks, they are just preventing some small numbers of attacks. You should start doing research about security before it's too late - 13.5 BTC is a huge sum and it's absolutely worth all the hours and days you will spend learning. The common advice is to get a hardware wallet, but even then you have to know some basic stuff to avoid some risks.

vlom

legendary

Activity: 1498

Merit: 1117

Quote from: gishab56 on January 07, 2018, 09:03:34 AM

Oh shit!

I have 13.5BTC in my Electrum wallet with passwords protected but not very strong. i haven't claimed any forks yet. I use windows 10 with a licensed Kaspersky security. what are best advices for me?

if you really have 13.5 BTC then i would buy a hardware wallet.
https://www.ledgerwallet.com or https://trezor.io.

gishab56

newbie

Activity: 28

Merit: 0

Oh shit!

I have 13.5BTC in my Electrum wallet with passwords protected but not very strong. i haven't claimed any forks yet. I use windows 10 with a licensed Kaspersky security. what are best advices for me?

BitcoinSupremo

copper member

Activity: 1442

Merit: 529

Quote from: inastorytold on January 07, 2018, 07:55:10 AM

Apologies for basic question, but just wanted to check the following:

I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?

Thanks in advance.

I was in the same situation as you , I had version 2.9.3 sitting around from a lot of time so I just installed the latest version from the official electrum website and I checked my balance and my settings, everything was untouched so I guess I am safe. Still I have not a big amount in my electrum wallet as I keep majority of my coins in Ledger HW.1 hardware wallet.

TheQuin

hero member

Activity: 2576

Merit: 883

Freebitco.in Support https://bit.ly/2I9BVS2

Quote from: inastorytold on January 07, 2018, 07:55:10 AM

Apologies for basic question, but just wanted to check the following:

I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?

Thanks in advance.

Yes, that would work fine. Always make sure you have written down your seed phrase before upgrading just in case. You'll find instructions on how to split the coins on this board of the forum when you're ready to do it. If you're not using Electrum then there is also no hurry to upgrade. Just don't open the old Electrum and surf the web at the same time.

inastorytold

newbie

Activity: 2

Merit: 0

Apologies for basic question, but just wanted to check the following:

I have an older version (2.8.x)
I have not split my forked coins - everything has been untouched for some time.
Am I correct in thinking I can just download the latest version and it will open my current wallet by default, leaving all forked coins intact and accessible until I manage to stop being such a luddite and learn how to separate them?

Thanks in advance.

schyter

sr. member

Activity: 385

Merit: 257

Open to any CryptoBusiness idea you have for Ghana

Let me get something straight.

I simply installed v 3.0.4 to overwrite current version
Is this appropriate??

Or do i have to completely uninstall the old version, and then reinstall the new v 3.0.4 and then do a restore of the wallet

DooMAD

legendary

Activity: 3948

Merit: 3191

Leave no FUD unchallenged

Quote from: MCLXS411 on January 07, 2018, 07:32:51 AM

If you update to 3.0.4., is there still a threat ?

By their very nature, vulnerabilities like this can only be patched once they're discovered. 3.0.4 fixes this threat, but there could always be others. Always remember that there's an entire internet full of potentially dangerous people out there who would much rather see some Bitcoin in their wallet rather than yours. It's ultimately your responsibility to secure the computers or devices that you use to store your funds. Human nature means it's easy to get complacent about security, but that leads to breaches and potential loss of your funds. Always be vigilant. Keep backups, use strong passwords, be wary of browsing the internet with JavaScript fully enabled, don't allow your devices to be infected with keyloggers or other malware, don't leave large sums in a single wallet, and consider things like cold storage, multisig and paper wallets.

schyter

sr. member

Activity: 385

Merit: 257

Open to any CryptoBusiness idea you have for Ghana

Quote from: audaciousbeing on January 07, 2018, 06:55:35 AM

I don't know about the technicalities or how they are to hack the software with all the mnemonics attached. When I saw the flash message early in the day, I upgraded immediately and my wallet is already password protected. I hope everything is safe and everyone is able to stop panicking especially those who are not on the forum to read the warning and the progress that has been made. Electrum is one wallet that to a large extent has been able to create a niche for itself and I think vulnerability at this time will tarnish the over the years reputation.

You are right.
1. I am protected by a decent wallet password
2. I only use mozilla browser
3. I have upgraded to the v3.0.4

Nevertheless, this vulnerability is getting into my head too much.
Its image has already been tarnished with me and it may be the same with other people and is likely to last for years.
I love electrum though for its light-weight feature and other features as well.

Maybe i should give electrum a second chance

MCLXS411

newbie

Activity: 19

Merit: 0

If you update to 3.0.4., is there still a threat ?

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Quote from: Darooghe on January 07, 2018, 07:04:30 AM

Should we install new version and make new seeds then transfer all old balances to new one?
Who pays the fee?

That's unnecessary, theymos states here and there is also a little insight into what would happen if you had been hacked and how to notice it. If you do want a clean wallet, you can transfer to your new wallet. Don't expect a dev to pay for your fees though as it's open source and "offered with no warranty". If you had a password set on your wallet, it should be more difficult to hack your wallet using json responses from a server.

Quote from: macit800 on January 07, 2018, 07:09:39 AM

I use 3.0.1 version. Is there a guide or video where I can see how to upload to a new version?

Providing you have your seed written down, just run through the next install and put your seed into it when asked.

macit800

member

Activity: 322

Merit: 40

“The Premier Digital Asset Management Ecosystem”

I use 3.0.1 version. Is there a guide or video where I can see how to upload to a new version?

Darooghe

sr. member

Activity: 1120

Merit: 255

Should we install new version and make new seeds then transfer all old balances to new one?
Who pays the fee?

audaciousbeing

hero member

Activity: 1330

Merit: 569

I don't know about the technicalities or how they are to hack the software with all the mnemonics attached. When I saw the flash message early in the day, I upgraded immediately and my wallet is already password protected. I hope everything is safe and everyone is able to stop panicking especially those who are not on the forum to read the warning and the progress that has been made. Electrum is one wallet that to a large extent has been able to create a niche for itself and I think vulnerability at this time will tarnish the over the years reputation.

schyter

sr. member

Activity: 385

Merit: 257

Open to any CryptoBusiness idea you have for Ghana

Quote from: asdlolciterquit on January 07, 2018, 06:12:02 AM

Quote from: Abdussamad on January 06, 2018, 08:46:26 PM

A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Download from electrum.org/#download

one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?

kind of.
but it was just a quick fix.
They removed CORS till they release update which will protect the JSON RPC with password

aoluain

legendary

Activity: 2464

Merit: 1387

Quote from: oseventwenty on January 07, 2018, 06:03:32 AM

All my wallets have a strong password, and I only use electrum on a Linux machine.

Am I pretty safe?

Quote from: tryer12 on January 07, 2018, 05:43:04 AM

Say I didn't touch my wallet or entered the password while the computer was connected to the internet, Am I considered safe? And If I don't touch it now untill I actually feel like I have to move some funds should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my electrum software on while in browser I'm basically safe?

as from the announcement by theymos if we dont use the electrum wallet without upgrading
it will be fine and if we have a strong passphrase set up we are marginally less at risk.
Lets see how this pans out but a safe bet would be to upgrade as per above advice.

**THANKS TO THEYMOS AND THE ADMINISTRATORS FOR ALL THE BACKGROUND WORK THAT GOES INTO THE WORKINGS OF THE FORUM AND FOR KEEPING EVERYONE SAFE!!

DooMAD

legendary

Activity: 3948

Merit: 3191

Leave no FUD unchallenged

Quote from: asdlolciterquit on January 07, 2018, 06:12:02 AM

one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?

My understanding is that since the exploit utilises CORS, 3.0.4 simply disables CORS until a more permanent solution is found. It will make your wallet safe, but it's more of a stopgap than a solution. I think they use the word "mitigate" because it's possible some wallets may have already been compromised if they didn't have a password. This update obviously won't be able to undo any damage that has already been done.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Very bad news for Electrum users,there is a fix but I think in process of upgrade many may become victims of phishing sites which are shown sometimes at the top of search results like add from Google.So use only legit Electrum site : https://electrum.org/#home

I use Electrum only in combination with Ledger,is old version of Electrum can in any way compromise Ledger?I think answer is no,but I know that Electrum v3 is not working on Windows 7&8,any info is this fixed with 3.0.4 version?

If you use ElectronCash there is also upgrade to 3.1.1 with note that old version are not safe,probably Electrum for LTC&DASH need update too and before that it is not advisable to use them.

asdlolciterquit

hero member

Activity: 1666

Merit: 565

Quote from: Abdussamad on January 06, 2018, 08:46:26 PM

A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Download from electrum.org/#download

one important question: you say "mitigate". So 3.0.4 version doesn't solve completely this bug?

oseventwenty

member

Activity: 294

Merit: 29

All my wallets have a strong password, and I only use electrum on a Linux machine.

Am I pretty safe?

tryer12

member

Activity: 147

Merit: 10

Say I didn't touch my wallet or entered the password while the computer was connected to the internet, Am I considered safe? And If I don't touch it now untill I actually feel like I have to move some funds should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my electrum software on while in browser I'm basically safe?

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: xdrpx on January 07, 2018, 03:33:15 AM

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering that fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacked to use javascript to find my JSONRPC port and then perform transactions?

That won't help.

Quote from: xdrpx on January 07, 2018, 03:33:15 AM

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

There is no known way for them to steal your BTC in that case, though they can see your addresses/transactions and change your settings. I'm not sure (and maybe nobody yet fully knows) exactly how much damage they can do by changing your settings. So you should absolutely still update.

Quote from: jubalix on January 07, 2018, 05:03:12 AM

WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

That's normal, it means that his key isn't connected to your GPG trust graph. Typically you would --lsign-key the key after verifying it through some other method. PGP is kind of weird.

investorpgroovy

newbie

Activity: 58

Merit: 0

I believe Thomas is ecdsa on github..

https://github.com/spesmilo/electrum/issues/3374

Looks like mithrandi wrote the patch, maybe thats why the sig doesnt match

DooMAD

legendary

Activity: 3948

Merit: 3191

Leave no FUD unchallenged

Quote from: investorpgroovy on January 07, 2018, 04:13:25 AM

Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.

It's also recommended that all Firefox (or other Mozilla-based browser) users install the 'NoScript' browser extension. The website itself might look a little dated, but it's a good little plugin. It does take a while to get used to, but the extra security is worth the small learning curve. This will greatly reduce the general threat from malicious JavaScript while browsing online. Every website you visit can potentially allow any number of other linked websites to run malicious code through your browser. NoScript allows you to ensure that only the website you want to see can run code (and even then, only if you want it to) and block all the other, possibly dangerous, third party sites that might be linked through it.

jubalix

legendary

Activity: 2632

Merit: 1023

Quote from: vlom on January 07, 2018, 04:22:28 AM

keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:

gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

wait wait wait

so....its possible

[1] there is no error, and the site has been hacked to get everyone to down load the 3.0.4 which may have a backdoor in it.....

[2] or there is an error and the 3.0,4 site is hacked as well?

WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

vlom

legendary

Activity: 1498

Merit: 1117

keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:

gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

investorpgroovy

newbie

Activity: 58

Merit: 0

Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.

jubalix

legendary

Activity: 2632

Merit: 1023

This is kinda .... disappointing ... always air gap! though.

I would like to know the history of how this was missed and included in the code!

xdrpx

hero member

Activity: 616

Merit: 603

I had a couple of questions regarding the type of attack using JSONRPC to fetch wallet details and to perform transactions:

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering that fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacked to use javascript to find my JSONRPC port and then perform transactions?

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

Edit: I've raised a bug for TAILS to update their electrum version to 3.0.4 https://labs.riseup.net/code/issues/15151

aso118

legendary

Activity: 1918

Merit: 1012

★Nitrogensports.eu★

It is good that Theymos created an announcement ticker which flashes whenever somebody visits bitcointalk. Electrum is one of the most popular wallets among newbies, because of its light-weight nature. The headline news regarding internet security has really been bad this week - first the security flaws in intel chips and now this.

HCP

legendary

Activity: 2086

Merit: 4363

In theory, no more than any other vulnerability/virus/malware... if the system with the private keys/seed is running on an offline system, then the opportunity for "leaks" is pretty minimal... there ARE still attack vectors (compromised USB key etc), so it would probably be prudent to update.

Additionally, the "vulnerable" Electrum on your online computer, could still leak "private" data like your addresses/wallet info etc. (as opposed to "sensitive" data like the private keys/seed)

adaseb

legendary

Activity: 3808

Merit: 1723

So if you are using cold storage this shouldn't be much of an issue?

Abdussamad

legendary

Activity: 3710

Merit: 1586

A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Edit: 3.0.5 has now been released which fixes the bug.

Download from electrum.org/#download

Topic: Critical Security Release: Please update to Electrum 3.0.5 (Read 956 times)