Security Issue with Electrum Wallet | Bitcointalksearch.org

dado7

full member

Activity: 322

Merit: 141

Quote from: bitperson on January 07, 2018, 10:57:30 AM

Blockchain explorers usually allow you to check one address at a time. The blockchain doesn't 'know' which addresses 'belong' to your wallet. However, https://www.blockonomics.co allows you to paste in several addresses at once, making it a convenient tool for checking your wallet balance.

Always check your balance this way. For Ethereum and ERC20 coins you can use Ethporer or Etherscan. Never input your private keys anywhere more then absolutely neccessary.
Also, 3.0.5. version of Electrum wallet was upgraded to clear the risk so you can download it and safely use.

Also, just as a simple security advice - never open a browser and bitcoin wallet at the same time.

Captain_Planet

full member

Activity: 448

Merit: 102

I have upgraded the electrum wallet. now let me know what should I do next? May I move my funds out or avoid loggin in anymore for a few days or after updating problem is solved and I am safe now? Please let me know.

exstasie

legendary

Activity: 1806

Merit: 1521

Quote from: joshfraser on January 08, 2018, 06:21:45 PM

Where can I read more about this security issue?

You can read about the issue on Electrum's Github here:

Quote from: leopard2 on January 07, 2018, 06:09:43 PM

no need to be complicated just use Electrum 304 which is fixed...

Less than a day later, a new version was released, and the developers stated that 3.0.4 didn't fully address the vulnerability. That's why my gut reaction to these disclosures is to shut everything down, make sure networks are completely disabled, and shelter in place.

My Electrum funds are all in forced-HODL mode right now. I'll see how things look in a week or two. Tongue

joshfraser

newbie

Activity: 9

Merit: 0

Where can I read more about this security issue?

ranochigo

legendary

Activity: 3038

Merit: 4418

Crypto Swap Exchange

Quote from: lionelho on January 08, 2018, 08:00:20 AM

So now 3.0.5 completely fixed the problem? BTW, is the Android wallet required to upgrade also?

Yes. The problem stems from the fact that the JSONRPC wasn't password protected. Android is affected in the same way, you have to update. The latest version disables the JSONRPC for Android.

lionelho

full member

Activity: 135

Merit: 100

Quote from: ranochigo on January 08, 2018, 05:01:04 AM

Quote from: TheQuin on January 08, 2018, 04:18:53 AM

That is not entirely correct. They released 3.0.4 which disabled the RPC server vulnerability so it is safe to use. The 3.0.5 is a fix rather than just disabling. Either version means you are safe. The rushed 3.0.4 to get a safe version available as soon as possible they didn't discover "the bug wasn't completely fixed in it", they always knew that they would then release the full fix later.

It wasn't fixed. Even though CORS is disabled, the vulnerability can still be exploited by using POST request. It's just made more difficult for websites to exploit but it's still possible. 3.0.4 disables the ability to trigger a CORS preflight but didn't disable JsonRPC. 3.0.5 disabled JSONRPC commands.

So now 3.0.5 completely fixed the problem? BTW, is the Android wallet required to upgrade also?

zenyfomax1

jr. member

Activity: 98

Merit: 1

Quote from: Kakmakr on January 08, 2018, 02:15:07 AM

Quote from: zenyfomax1 on January 08, 2018, 01:01:37 AM

Quote from: keyboard warrior on January 07, 2018, 09:30:59 PM

Quote from: vnck25 on January 07, 2018, 07:31:07 PM

Quote from: leopard2 on January 07, 2018, 06:09:43 PM

no need to be complicated just use Electrum 304 which is fixed...

Thank you very much for your reply!

It's now version 3.0.5 you need to upgrade to. They rushed version 3.0.4 then a day later discovered the bug wasn't completely fixed in it.

electrum is one of the (if not *the*) most popular desktop wallets for bitcoin right? this doesn't look very good...

I beg to differ. I think the most used wallet is the Blockchain.info wallet and that site has had it's fair share of troubles in the past and it is still standing. ^smile^

You have to worry, when exploits like this is not discovered and people start losing coins on these platforms. Most of these wallet providers are using Open Source software, so it is pretty hard to hide these exploits. ^smile^

blockchain.info is web-based, am i correct? i was specifically referring to desktop wallet.

ranochigo

legendary

Activity: 3038

Merit: 4418

Crypto Swap Exchange

Quote from: TheQuin on January 08, 2018, 04:18:53 AM

That is not entirely correct. They released 3.0.4 which disabled the RPC server vulnerability so it is safe to use. The 3.0.5 is a fix rather than just disabling. Either version means you are safe. The rushed 3.0.4 to get a safe version available as soon as possible they didn't discover "the bug wasn't completely fixed in it", they always knew that they would then release the full fix later.

It wasn't fixed. Even though CORS is disabled, the vulnerability can still be exploited by using POST request. It's just made more difficult for websites to exploit but it's still possible. 3.0.4 disables the ability to trigger a CORS preflight but didn't disable JsonRPC. 3.0.5 disabled JSONRPC commands.

TheQuin

hero member

Activity: 2576

Merit: 883

Freebitco.in Support https://bit.ly/2I9BVS2

Quote from: keyboard warrior on January 07, 2018, 09:30:59 PM

It's now version 3.0.5 you need to upgrade to. They rushed version 3.0.4 then a day later discovered the bug wasn't completely fixed in it.

That is not entirely correct. They released 3.0.4 which disabled the RPC server vulnerability so it is safe to use. The 3.0.5 is a fix rather than just disabling. Either version means you are safe. The rushed 3.0.4 to get a safe version available as soon as possible they didn't discover "the bug wasn't completely fixed in it", they always knew that they would then release the full fix later.

Kakmakr

legendary

Activity: 3542

Merit: 1965

Leading Crypto Sports Betting & Casino Platform

Quote from: zenyfomax1 on January 08, 2018, 01:01:37 AM

Quote from: keyboard warrior on January 07, 2018, 09:30:59 PM

Quote from: vnck25 on January 07, 2018, 07:31:07 PM

Quote from: leopard2 on January 07, 2018, 06:09:43 PM

no need to be complicated just use Electrum 304 which is fixed...

Thank you very much for your reply!

It's now version 3.0.5 you need to upgrade to. They rushed version 3.0.4 then a day later discovered the bug wasn't completely fixed in it.

electrum is one of the (if not *the*) most popular desktop wallets for bitcoin right? this doesn't look very good...

I beg to differ. I think the most used wallet is the Blockchain.info wallet and that site has had it's fair share of troubles in the past and it is still standing. ^smile^

You have to worry, when exploits like this is not discovered and people start losing coins on these platforms. Most of these wallet providers are using Open Source software, so it is pretty hard to hide these exploits. ^smile^

zenyfomax1

jr. member

Activity: 98

Merit: 1

Quote from: keyboard warrior on January 07, 2018, 09:30:59 PM

Quote from: vnck25 on January 07, 2018, 07:31:07 PM

Quote from: leopard2 on January 07, 2018, 06:09:43 PM

no need to be complicated just use Electrum 304 which is fixed...

Thank you very much for your reply!

It's now version 3.0.5 you need to upgrade to. They rushed version 3.0.4 then a day later discovered the bug wasn't completely fixed in it.

electrum is one of the (if not *the*) most popular desktop wallets for bitcoin right? this doesn't look very good...

keyboard warrior

sr. member

Activity: 266

Merit: 251

Quote from: vnck25 on January 07, 2018, 07:31:07 PM

Quote from: leopard2 on January 07, 2018, 06:09:43 PM

no need to be complicated just use Electrum 304 which is fixed...

Thank you very much for your reply!

It's now version 3.0.5 you need to upgrade to. They rushed version 3.0.4 then a day later discovered the bug wasn't completely fixed in it.

vnck25

member

Activity: 392

Merit: 11

Quote from: leopard2 on January 07, 2018, 06:09:43 PM

no need to be complicated just use Electrum 304 which is fixed...

Thank you very much for your reply!

leopard2

legendary

Activity: 1372

Merit: 1014

no need to be complicated just use Electrum 304 which is fixed...

ranochigo

legendary

Activity: 3038

Merit: 4418

Crypto Swap Exchange

Quote from: BitcoinSupremo on January 07, 2018, 10:52:53 AM

Quote from: vnck25 on January 07, 2018, 10:16:32 AM

Since there is a security issue with the electrum wallet, is there a way to check our BTC balance without signing into the wallet?
I know there is a way for MyEtherWallet where you can use Etherscan.io to check the balance of ETH and all the ERC20 tokens in that wallet. However since electrum changes its public address after every transaction is this something possible? Can we use blockchain.info to do this? Please shed some light on this issue.

Thanks!

Yes you can. There 's no issue if you open electrum while you haven't open up any browser tab. So what you do is open electrum wallet and copy the btc address you want to check to a notepad document. Close electrum and then open up a browser, go to blockchain.info and copy the btc address you want to check. That's how you do it. However upgrade, as this is an advice from ThomasV ,the creator of Electrum.

You should do this offline actually. With the exploit, anyone can get your seeds by guessing the correct port. Anyone can run an attack on your IPs actually, doesn't have to be a website. The website method is for the attacker to target anyone who goes to the website.

Sorry, the RPC is open to the local machine only. This would only work where there is either a malicious program on your computer or if you accessed a website and they used CORS to scan and connect to your computer.

bitperson

full member

Activity: 210

Merit: 119

Blockchain explorers usually allow you to check one address at a time. The blockchain doesn't 'know' which addresses 'belong' to your wallet. However, https://www.blockonomics.co allows you to paste in several addresses at once, making it a convenient tool for checking your wallet balance.

BitcoinSupremo

copper member

Activity: 1442

Merit: 529

Quote from: vnck25 on January 07, 2018, 10:16:32 AM

Since there is a security issue with the electrum wallet, is there a way to check our BTC balance without signing into the wallet?
I know there is a way for MyEtherWallet where you can use Etherscan.io to check the balance of ETH and all the ERC20 tokens in that wallet. However since electrum changes its public address after every transaction is this something possible? Can we use blockchain.info to do this? Please shed some light on this issue.

Thanks!

Yes you can. There 's no issue if you open electrum while you haven't open up any browser tab. So what you do is open electrum wallet and copy the btc address you want to check to a notepad document. Close electrum and then open up a browser, go to blockchain.info and copy the btc address you want to check. That's how you do it. However upgrade, as this is an advice from ThomasV ,the creator of Electrum.

vnck25

member

Activity: 392

Merit: 11

Since there is a security issue with the electrum wallet, is there a way to check our BTC balance without signing into the wallet?
I know there is a way for MyEtherWallet where you can use Etherscan.io to check the balance of ETH and all the ERC20 tokens in that wallet. However since electrum changes its public address after every transaction is this something possible? Can we use blockchain.info to do this? Please shed some light on this issue.

Thanks!

Topic: Security Issue with Electrum Wallet (Read 344 times)