Author

Topic: [SECURITY/PRIVACY WARNING] Electrum console content is being stored on disk (Read 255 times)

legendary
Activity: 3696
Merit: 1584
You can clear the console history with this command:

Code:
window.console.history = []

legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
Note that the file stores "everything" you type in your console including wrong commands or any random string you type there. The first line in my file content example is exactly what it says it is, "random stuff". Trimming won't work in this case when the interpreter can not parse the data to know what its type is.
IMO there simply is no need for persistence of console history after the wallet is closed.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
On Electrum, there are only commands, so they could trim any information inside parenthesis for command such as importprivkey()

It might be easier just to encrypt the last commands used and then decrypt them like it does the wallet file and store them in memory, it probably does that when you open the wallet anyway so it would make sense to do it here too...
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Yeah I'm not sure this is a problem but it definitely has been there since I found the console table (probably at least a year ago). Deleting those lines just deallocates them, if someone is really after your data they might still be able to get it unless you defrag or fill the drive completely every time. If you'll notice you should be able to hit the up button to get your last command which is sometimes helpful but I don't think it should be encouraged either. They've probably done this because Linux does similar, you can normally access your previous commands on your next login.

I understand what you mean, but the real problem is they didn't trim secret information (xprv, seed and private key) and all attacker have to do is access config file which is far easier than recover deleted file or analyze raw hex format.

On Electrum, there are only commands, so they could trim any information inside parenthesis for command such as importprivkey()
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
Yeah I'm not sure this is a problem but it definitely has been there since I found the console table (probably at least a year ago). Deleting those lines just deallocates them, if someone is really after your data they might still be able to get it unless you defrag or fill the drive completely every time. If you'll notice you should be able to hit the up button to get your last command which is sometimes helpful but I don't think it should be encouraged either. They've probably done this because Linux does similar, you can normally access your previous commands on your next login.
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
If you have ever used Electrum's console tab and written anything there (not just successful commands), it is stored on your disk and you may want to clear it for either privacy reasons (eg. used ismine() and don't want to have that public information ie address here be stored on disk unencrypted) or for security reasons (eg. in case you used any of the functions like convert_xkey that involve something sensitive like your private key,...)

I've already opened an issue: https://github.com/spesmilo/electrum/issues/5563

To see this history you have to find your "config" file. It is located in the same place where your wallet folder is. On windows it will be
Code:
%APPDATA%\Electrum
On Linux or Mac:
Code:
~/.electrum

The file is simply called config (without an extension) and can be opened with any text editor. The content would look like this:
Code:
{
    "alias": "",
    "auto_connect": true,
    "check_updates": true,
    "config_version": 3,
    "console-history": [
        "random stuff",
        "ismine(\"Some address that you may not want to remain on disk for privacy reasons\")",
        "convert_xkey(\"master private key that holds your funds\", \"\")"
    ],
    "decimal_point": 8,
.....
}

The problem is the contents of console-history key. As you can see I wrote some examples already to show how it works.
In order to clean it manually you should first close your Electrum if it is open then delete everything after "console-history": [ starting after the opening bracket up to before the closing bracket without removing the brackets themselves. The result should be like this:
Code:
{
    "alias": "",
    "auto_connect": true,
    "check_updates": true,
    "config_version": 3,
    "console-history": [],
    "decimal_point": 8,
.....
}
Jump to: