
Topic: Electrum vulnerability found today! - page 2. (Read 645 times)

hero member
Activity: 2576
Merit: 883
January 08, 2018, 05:36:19 AM
#31
Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

You are safe because the Trezor holds your seed, not Electrum. That is the whole point of using a hardware wallet, it signs the transactions and that cannot be done from the PC or other devices you connect it to. However, it is possible that the exploit could be used to compromise your privacy so you should still upgrade.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5

This could be a false positive from VirusTotal or you may have downloaded from a phishing site, not the genuine https://electrum.org/#download
Always verify the signature before installing.
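
The signature check recommended in this thread, sketched as an added example that is not part of any post or of Electrum's own tooling: it reads GnuPG's machine-readable status output and accepts a download only when the signature is valid and was made by a pinned key. `PINNED_FPR`, `status_ok`, `verify_download` and the sample status lines are constructed for illustration; the fingerprint is a placeholder.

```bash
#!/usr/bin/env bash
# Placeholder fingerprint: replace with the signer's real 40-hex-digit primary
# key fingerprint, obtained from a source independent of the download page.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real signature).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-01-07 1515283200 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Read gpg status lines on stdin. Succeed only if some VALIDSIG line names the
# pinned primary key and no bad/expired/revoked signature status appears.
status_ok() {
    local pinned line ok=0 bad=0
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # The last VALIDSIG field is the primary key fingerprint.
                if [ "${line##* }" = "$pinned" ]; then ok=1; fi ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1 ;;
        esac
    done
    [ "$ok" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Verify FILE against the detached signature FILE.asc. Needs gpg installed and
# the signer's public key already imported into the keyring.
verify_download() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | status_ok "$PINNED_FPR"
}
```

A plain "Good signature" line only says that some key in the keyring signed the file; comparing the fingerprint is what ties the download to the expected signer.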
legendary
Activity: 3486
Merit: 1055
January 08, 2018, 05:34:55 AM
#30
I just read about this here:

https://bitcointalksearch.org/topic/m.27624964

Can someone inform me should I worry if I am using Electrum with a Trezor?

Thanks
I've spent a coin from electrum a couple of weeks ago, so I do not have to worry about the current situation. But to prevent things that are not desirable, it is better that we update the electrum wallet to the latest version, because after all they will improve their system to be better again.
member
Activity: 120
Merit: 10
yes.
January 08, 2018, 05:29:29 AM
#29
tempted to setup a few VMs with the vulnerable Electrum version installed, no adblock or noscript, and let them run wild on the internet crawling the sleaziest sites i can imagine for a few hours, and just see what i catch Smiley
jr. member
Activity: 79
Merit: 1
January 08, 2018, 04:10:43 AM
#28
Have all the answers missed my initial post that I am using Trezor hardware wallet with Electrum? How can I even set up an Electrum password if I am using it with Trezor?

I already have a Trezor password that I type in every time I connect it to the Electrum.

Problem number 2 is that I would update Electrum wallet but I generally don't like updating, especially when I have 4 threats detected by scanning it on the VirusTotal. Yes, 4 threats on the newest Electrum 3.0.5
legendary
Activity: 3472
Merit: 10611
January 07, 2018, 11:10:36 PM
#27
Okay thanks for that information. So what if you open electrum now then but don't download new version.  Is that fine or not?  It says shut down electrum immediately but i assume only if you open the wallet?  Such as imagine you open electrum but don't put in your password to open the encryption?
if you don't have a password set for your Electrum wallet (any version between 2.6 to 3.0.3) and open it, an attacker can use the JSONRPC of your wallet to get your private keys.
that is why the warning tells you to "close" your wallet and don't open it until you upgrade.

Quote
What do you mean PGP signature?
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://gnupg.org/download/integrity_check.html

Quote
Yes im going to wait as well in case this is a hack where the forum/mod got hacked.
what does the forum mod getting hacked have anything to do with this?!!!
full member
Activity: 1792
Merit: 186
January 07, 2018, 10:25:31 PM
#26
Okay thanks for that information. So what if you open electrum now then but don't download new version.  Is that fine or not?  It says shut down electrum immediately but i assume only if you open the wallet?  Such as imagine you open electrum but don't put in your password to open the encryption?


What do you mean PGP signature?


Yes im going to wait as well in case this is a hack where the forum/mod got hacked.
legendary
Activity: 1372
Merit: 1252
January 07, 2018, 12:21:22 PM
#25
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.

Is that really the overall message you take from this thread?  What an utterly shameful stance.  Particularly as you seem to be deliberately twisting what happened to suit some political narrative.  Even if you could distort the facts to suit your personal attacks (which you've utterly failed at doing, as BitcoinHodler pointed out), it's never "great" that users could have their wallets compromised due to a security vulnerability.  Running a full node won't be suitable for every user and it's not something people should be coerced into against their will.  Dismissing SPV users as some sort of worthless underclass is reprehensible behaviour.  All you achieve is creating further division in the community when that's the last thing we need right now.  

SPV users ARE underclass, and this wouldn't have happened if you were processing your own transactions in your full validating node. The further you are from the ideal of sovereign money, the more underclass you become within the bitcoin network. This is a fact.
They are not worthless, I didn't say that. They have worth, just like people using 0 confirmation transactions (back then when you could still do that), but they are second class citizens in the network, they always were.

It's never a bad time to remind people how Roger Ver et al want nobody but corporations to run full validating nodes, they want everyone else on SPV wallets being a cuck of someone else processing the transactions for you. Not gonna happen.
hero member
Activity: 714
Merit: 500
January 07, 2018, 11:37:48 AM
#24
Thanks to this notice that I saw in the morning and hurriedly updated my electrum, hopefully it's all fine now.
Was quite worried as yesterday almost all day my electrum was open and it was the affected version too.
hero member
Activity: 1834
Merit: 759
January 07, 2018, 11:30:23 AM
#23
Does anyone here think it could be the mod or forum hacked getting you to download the new wallet though? 

When you guys did the update when downloading new electrum, did it require you to type down the 12 word seed or not?  I updated electrum few times and i don't recall if it did or not.  I assume yes because well you are creating a new wallet?  But no because well you are just upgrading from one to another?

Nah, it's legit. Electrum is open-source, and someone seems to have found the vulnerability and reported it.

I have not updated yet because I want to wait until the entire thing blows over, and if you're paranoid, you can do the same thing. What the vulnerability does is it allows a hacker to see your seeds, but having a wallet password encrypts those seeds, so you should be fine for the most part if you have a password. That being said, I strongly advise you to not use your older version at all anymore. Once you do decide to download, just make sure you verify its PGP signature, as theymos has stated.
full member
Activity: 1792
Merit: 186
January 07, 2018, 11:18:27 AM
#22
Does anyone here think it could be the mod or forum hacked getting you to download the new wallet though? 

When you guys did the update when downloading new electrum, did it require you to type down the 12 word seed or not?  I updated electrum few times and i don't recall if it did or not.  I assume yes because well you are creating a new wallet?  But no because well you are just upgrading from one to another?
member
Activity: 176
Merit: 10
January 07, 2018, 11:13:06 AM
#21
Once you update your electrum wallet app to the next version you are safe. You are not the only one scared about the electrum latest vulnerability there are many people, though! 
member
Activity: 84
Merit: 10
January 07, 2018, 11:09:41 AM
#20
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.
NOBODY DESERVES to be hacked!  Do you deserve to be hacked for posting this asinine post?  Sheez!
legendary
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
January 07, 2018, 11:04:56 AM
#19
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.

Is that really the overall message you take from this thread?  What an utterly shameful stance.  Particularly as you seem to be deliberately twisting what happened to suit some political narrative.  Even if you could distort the facts to suit your personal attacks (which you've utterly failed at doing, as BitcoinHodler pointed out), it's never "great" that users could have their wallets compromised due to a security vulnerability.  Running a full node won't be suitable for every user and it's not something people should be coerced into against their will.  Dismissing SPV users as some sort of worthless underclass is reprehensible behaviour.  All you achieve is creating further division in the community when that's the last thing we need right now.  
hero member
Activity: 1456
Merit: 579
HODLing is an art, not just a word...
January 07, 2018, 08:15:53 AM
#18
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.

dude take a chill pill Grin

this has nothing to do with Electrum being an SPV wallet. it is only because the JSONRPC interface of electrum was not using encryption. even if Electrum were a full client the same thing could have happened.
read the issue: https://github.com/spesmilo/electrum/issues/3374
legendary
Activity: 1372
Merit: 1252
January 07, 2018, 08:04:05 AM
#17
This is great. It points out at how SPV wallets are a waste of time and why you should run your own full Bitcoin client to process your own transactions and put your coins in cold storage.

This also points out at how big blockers are terrorists against Bitcoin, as they want to get the power away from the users running full Bitcoin clients and they want everyone using nodes only except corporations.

Roger Ver and co are the biggest threats to Bitcoin.
newbie
Activity: 84
Merit: 0
January 07, 2018, 07:49:24 AM
#16
It gives us a warning Our wallets may not be safe, the safety of the purse is worth we suspect If we "had been stolen Who is responsible for So we should be prepared for protection It is very important for us the wallet operators should also be measures Timely find loopholes And in a timely manner to repair
hero member
Activity: 1456
Merit: 579
HODLing is an art, not just a word...
January 07, 2018, 07:44:49 AM
#15
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.

it is not such a good idea to open your Electrum now that this method of exploiting it has been made public, there are going to be a lot of people who will try to abuse this.

first upgrade your wallet to the new version (or wait a while to see if it is all fixed and then upgrade to the latest version) then attempt to set a password.

it is worth mentioning that none of this would have mattered if you were using cold storage!
i completely agree with you and bear in mind, my advice to add a password to your electrum wallet is to do it AFTER you updated to the newest version!
And of course, cold storage does not have bugs Smiley

yeah, i was just clarifying.
and technically speaking the cold storage[1] has the bugs since it is the same software you are running but it is not affected by this particular issue and most of the rest that usually cause issues similar to this one like the new CPU Meltdown and Spectre attacks.

[1] http://docs.electrum.org/en/latest/coldstorage.html
member
Activity: 238
Merit: 38
January 07, 2018, 07:42:29 AM
#14
I also used the electrum.

Is there any report that someone got lost with electrum so far?

So far none that I am aware of, even if one or few person lost their funds this way question is if they would even report it. They might be new to crypto or they may have all sorts of things in their minds about that it was their mistake.

This is why if you simply follow up with updates of any software no matter if it's oriented to crypto, it should be safer and more secure. Keep up with updates and always encrypt your wallet. I mean even if some guy saw this issue and tried to use and exploit it and steal funds from others he wouldn't get far if the user has set a password and I mean a strong one.

besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.

it is not such a good idea to open your Electrum now that this method of exploiting it has been made public, there are going to be a lot of people who will try to abuse this.

first upgrade your wallet to the new version (or wait a while to see if it is all fixed and then upgrade to the latest version) then attempt to set a password.

it is worth mentioning that none of this would have mattered if you were using cold storage!

Well at least they hope that some news sites will pick it up and inform the community about an update, do you think that many people upgraded their previous versions? Some people might not have even upgraded it to support LN... They have to make it public and raise awareness in my opinion.
full member
Activity: 224
Merit: 101
January 07, 2018, 07:39:55 AM
#13
besides the wallet, if you have no password in your wallet, you deserve to be hacked because really, that means you don't give a value to your BTC (dust or not), as soon as i saw the red dot at the top of this page i have upgraded my electrum wallet and everything went fine.
If you don't have a password now it's the time to encrypt it, now.. come on guys, you will not regret to have a password but you will cry hard if you get hacked because you're too lazy to add it.

it is not such a good idea to open your Electrum now that this method of exploiting it has been made public, there are going to be a lot of people who will try to abuse this.

first upgrade your wallet to the new version (or wait a while to see if it is all fixed and then upgrade to the latest version) then attempt to set a password.

it is worth mentioning that none of this would have mattered if you were using cold storage!
i completely agree with you and bear in mind, my advice to add a password to your electrum wallet is to do it AFTER you updated to the newest version!
And of course, cold storage does not have bugs Smiley
member
Activity: 400
Merit: 59
January 07, 2018, 07:38:08 AM
#12
You just only need to update your electrum to 3.0.4 version to solve that issue. Old version might be vulnerable for some who does not use password on his/her wallet other than that you don't have to worry much. I've read that electrum is vulnerable on past version and uses javascripts to do it.