
Topic: Electrum vulnerability found today! (Read 645 times)

member
Activity: 79
Merit: 60
November 11, 2018, 05:46:51 PM
#51
 So the trade-off is to use a browser plugin to manually pick and choose which sites are safe to run JavaScript and which ones should be blocked.  For any Firefox/Mozilla users, there's NoScript and I'm pretty sure there's something similar for Chrome users.  You'll have to click some buttons for each and every website you know and trust to allow JavaScript, which does take some time and effort, but it's worth it.
full member
Activity: 266
Merit: 100
January 09, 2018, 11:51:58 AM
#50
As you can see, all you need to do is update your wallet, so it's perfectly fine, and you don't need to worry about it.

Strictly speaking, if you neglected to put a password on your wallet, then you probably should worry as your funds are currently vulnerable.  But other than that, yes, it should just be a simple update. 

Users of Bitcoin and other cryptocurrencies should also be vaguely aware of the security risks around JavaScript generally.  It's not just any given website you happen to be visiting that could potentially run malicious code, but also all the third party websites utilised by that site which handle all manner of things from advertising to multimedia plugins.  Browsing the internet with JavaScript completely disabled will result in a somewhat limited experience, as many websites won't function correctly.  So the trade-off is to use a browser plugin to manually pick and choose which sites are safe to run JavaScript and which ones should be blocked.  For any Firefox/Mozilla users, there's NoScript and I'm pretty sure there's something similar for Chrome users.  You'll have to click some buttons for each and every website you know and trust to allow JavaScript, which does take some time and effort, but it's worth it.


I believe so too. It is nice to fantasize that all is as easy as what we want it to be. But the thing is, it isn't. Even when security is improving, hackers are also improving, which is why we all have to be careful and be more paranoid. Because in my opinion, being paranoid is better than losing all your crypto possessions that you have worked hard in gaining.
legendary
Activity: 1372
Merit: 1252
January 09, 2018, 10:56:01 AM
#49
If you have a strong password or use your device just to open your wallet (you don't use it to browse the Internet) you will be safe.
The vulnerability uses some malicious JavaScript codes that can be only executed through your browser.

If you didn't lose any funds just send it to another wallet or update your electrum wallet to the latest version.

But now that Spectre and Meltdown exploits were found on all Intel computers since 1995, people are learning the fact that it's impossible to be safe. Electrum may have solved this, but you don't know if there are more exploits lurking, either at software level or at hardware level, it's a losing battle, you must cold storage in isolated computers that are never connected to the internet, treat your bitcoins like they are radioactive material that must not escape its containment (it must remain enclosed). People used to say that I was crazy about using libreboot, airgapping computers and so on, but now it's clear that it's impossible to keep your bitcoins safe outside of that model.

With Trezors and so on you are still connecting the device on an online machine and you are trusting that their method will not have any leaks, not as ideal as an airgapped Linux machine in my book.

member
Activity: 105
Merit: 10
January 09, 2018, 02:52:31 AM
#48
I asked separately the same question in another thread and the general consensus of forum members was that it was safe. So I am just passing it along to your thread for your peace of mind.
hero member
Activity: 2576
Merit: 883
January 09, 2018, 02:46:21 AM
#47
Can someone here confirm that downloading electrum from the official electrum website now with the windows installer is fine?

Yes, I've done it and it is fine. As long as you make sure it is the official website and not a phishing one. Verify the signature to be extra safe and protect yourself from the extremely unlikely event that the site has been hacked.

Anyone here still using the old electrum and opened it and have no issues at all even though it was recommended by theymos to not do it?

I had Electrum open when I first saw theymos message. All my BTC are safe. The vulnerability was reported to Electrum rather than being discovered by someone exploiting it. The exploit would be via a website running javascript so you would have to not only open the old Electrum but also visit a malicious website (which there is no evidence even exists) at the same time.

The other thing is what percentage of electrum users even know about this?  Because even if you use electrum a bit, the only way to know about this would be either visiting this forum or going to their website.  And obviously someone isn't going to check electrum website everyday to check for the new update etc. 

It would be a reasonable suggestion for Electrum to add an automatic notification when a new version is available.

In general, just calm down and upgrade. If you are holding a large amount of BTC then it shouldn't be on an internet connected device in the first place. Get a hardware wallet or use an air gapped cold wallet.
full member
Activity: 1792
Merit: 186
January 08, 2018, 10:14:52 PM
#46
Can someone here confirm that downloading electrum from the official electrum website now with the windows installer is fine?

Anyone here still using the old electrum and opened it and have no issues at all even though it was recommended by theymos to not do it?

The other thing is what percentage of electrum users even know about this?  Because even if you use electrum a bit, the only way to know about this would be either visiting this forum or going to their website.  And obviously someone isn't going to check electrum website everyday to check for the new update etc. 
sr. member
Activity: 1484
Merit: 253
January 08, 2018, 08:11:56 PM
#45
I just read about this here:

https://bitcointalksearch.org/topic/m.27624964

Can someone inform me should I worry if I am using Electrum with a Trezor?

Thanks


Well, if you are a user of the Electrum site today, you should upgrade to .3 to avoid conflict in signing. But those users who are not connected to Electrum don't have to worry, because we are safe in accessing the bitcoin forum index. Right this day we can see that it's already done fixing those cautions in Electrum found at the top of our account.
legendary
Activity: 966
Merit: 1009
January 08, 2018, 08:01:01 PM
#44
And also when I upgrade, I verify the signature of Electrum wallet I downloaded from https://electrum.org/#download

I got a warning. Is it legit?
legendary
Activity: 966
Merit: 1009
January 08, 2018, 07:59:12 PM
#43
Is the red light for electrum wallet over? I saw there is another upgrade for the wallet.
I am scared about it as I have all my btc on electrum.
legendary
Activity: 2772
Merit: 3114
January 08, 2018, 05:24:00 PM
#42
If you have a strong password or use your device just to open your wallet (you don't use it to browse the Internet) you will be safe.
The vulnerability uses some malicious JavaScript codes that can be only executed through your browser.

If you didn't lose any funds just send it to another wallet or update your electrum wallet to the latest version.
full member
Activity: 490
Merit: 100
January 08, 2018, 11:44:31 AM
#41
I think if you followed the instruction and do the necessary updates including passwording  your wallet there should be no more worries. Please just follow instructions.
sr. member
Activity: 404
Merit: 257
January 08, 2018, 11:39:54 AM
#40
I have just downloaded the new version from here: https://www.electrum.org/#download. I clicked from my Electrum wallet from the help option and opened this link. Is this link the same as this link https://electrum.org/#download? Because I thought it was the same because I clicked from my Electrum wallet.

Please tell me this is the same link because I am scared. I have downloaded from here: https://www.electrum.org/#download.
hero member
Activity: 2576
Merit: 883
January 08, 2018, 10:43:02 AM
#39
Once you download it, do you need to copy/paste your 12 word seed to install the electrum 3.0.5 or not?

No, you do not need to, Electrum will just open normally but with the new version. However, you should always have a safely stored copy of your seed written down. If anything went wrong in the upgrade process you may need it to restore.
full member
Activity: 1792
Merit: 186
January 08, 2018, 10:24:10 AM
#38
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.


Hi there.  I had an electrum wallet for a while so i'm not new to this.  I also updated electrum few times from their website when it was version 2.x to 2.x etc. 

So when i update it again on their website, i want to know, do they ask you for your 12 word seed to install the new version of electrum or not.  Because i do not recall if it did when asking me this the last few times i installed new electrum version.


Hey all so just to confirm.  Download from

https://electrum.org/#download

Then download from the Windows installer, right, assuming you have Windows?  I notice there is a word signature to it that you can click on, but since it's the real website, just click on Windows installer and that's all?

Once you download it, do you need to copy/paste your 12 word seed to install the electrum 3.0.5 or not?

I want to make sure of this before I download it.

legendary
Activity: 1904
Merit: 1074
January 08, 2018, 10:15:53 AM
#37
I presume that you did this --> https://blog.trezor.io/using-trezor-with-electrum-v3-a0b9bcffe26e .... You should be fine, if you just upgrade to the latest version of Electrum 3.0.5. The previous upgrade 3.0.4 did not solve the problem, so you MUST upgrade to Electrum 3.0.5 to solve it. Just make sure you keep your Trezor seed safe.
full member
Activity: 1792
Merit: 186
January 08, 2018, 10:02:28 AM
#36
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.


Hi there.  I had an electrum wallet for a while so i'm not new to this.  I also updated electrum few times from their website when it was version 2.x to 2.x etc. 

So when i update it again on their website, i want to know, do they ask you for your 12 word seed to install the new version of electrum or not.  Because i do not recall if it did when asking me this the last few times i installed new electrum version.
full member
Activity: 336
Merit: 100
January 08, 2018, 09:56:50 AM
#35
I guess you do not have to worry because Electrum already knows and has a way out to remove the vulnerability; you are just asked to upgrade so that you are safe from danger.
All have their respective duties; you are just ordered to obey if you want to be safe.
So you do not have to worry about what's happening now because Electrum has taken a good step.
legendary
Activity: 1372
Merit: 1252
January 08, 2018, 09:51:31 AM
#34
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?

You should be creating a new seed anyway since chances are you are new to this and don't know that if your seed ever saw the internet, your bitcoins are already compromised.

Get an OS that launches in a live OS like Tails for example and use that to generate the new wallet, of course disconnect your internet connection too, then you will guarantee that at least the seed was never seen online.

Now I don't know if it's normal behaviour if the new version should ask you to create a brand new seed, I would make sure that's normal before doing anything.
full member
Activity: 1792
Merit: 186
January 08, 2018, 09:46:20 AM
#33
Hey all.  So just to confirm.

Download the new electrum on the electrum.org site.

When you do this, do you need to copy/paste your 12 word seed when installing the new version?  I updated electrum few times when it was version 2.x to 2.x and i do not recall if it did or not?
jr. member
Activity: 79
Merit: 1
January 08, 2018, 09:31:40 AM
#32
Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

You are safe because the Trezor holds your seed, not Electrum. That is the whole point of using a hardware wallet, it signs the transactions and that cannot be done from the PC or other devices you connect it to. However, it is possible that the exploit could be used to compromise your privacy so you should still upgrade.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5

This could be a false positive from VirusTotal or you may have downloaded from a phishing site, not the genuine https://electrum.org/#download
Always verify the signature before installing.


Finally thanks for the answer!
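
The signature check that several replies in this thread recommend before installing, as an added example that is not part of the original posts or of Electrum's own tooling: it classifies the machine-readable output of `gpg --status-fd 1 --verify <file>.asc <file>` and accepts a download only when a good signature comes from a pinned key. The function name `check_status`, the fingerprint in `PINNED_FPR` (a placeholder, not a real key) and the sample status lines are constructed for illustration.

```python
# Added example: decide whether a downloaded installer passed signature
# verification, based on GnuPG status lines ("[GNUPG:] ..." from --status-fd).
# PINNED_FPR is a placeholder; obtain the real signer fingerprint from a
# source you trust independently of the download page.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder value

# Status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for the given GnuPG status output."""
    good, uncertified, fprs = False, False, set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        tag = fields[0]
        if tag in REJECT:
            return False, "rejected: " + tag
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) > 1:
            fprs.add(fields[1].upper())        # fingerprint of the signing key
            if len(fields) >= 11:
                fprs.add(fields[10].upper())   # fingerprint of its primary key
        elif tag == "TRUST_UNDEFINED":
            # Key is not certified in the local keyring; not a failure by
            # itself when the fingerprint matches the pinned one.
            uncertified = True
    if not good:
        return False, "no good signature found"
    if pinned_fpr.upper() not in fprs:
        return False, "signed by a key other than the pinned one"
    note = " (key not locally certified)" if uncertified else ""
    return True, "good signature from pinned key" + note

# Constructed sample outputs (not captured from a real Electrum release).
SAMPLE_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-01-08 1515400000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
SAMPLE_OTHER_KEY = SAMPLE_OK.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                                     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_BAD", "SAMPLE_OTHER_KEY"):
        print(name, check_status(globals()[name]))
```
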