Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Electrum
Author

Topic: Serious Security glitch in Electrum !! (Read 519 times)

btchris
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
Serious Security glitch in Electrum !!
October 27, 2016, 04:42:07 PM
#4
Quote from: HI-TEC99 on October 27, 2016, 02:57:07 PM
I can't find an option in the GUI to add a new address, I think you can only do that in the console through the command line.

You misunderstood OP's issue.

You can create a wallet containing loose (non-HD) keys: create a "standard" wallet, select "Use public or private keys", and paste in one or more keys. Set a password when asked.

After creating the wallet, go to Wallet --> Private keys --> Import to import additional keys. Electrum will ask you for your password. In versions 2.7.9 and earlier, you could hit Cancel on the password prompt, but Electrum would still allow you to enter new private keys for import, and you'd end up with a wallet with the original keys encrypted, but the new keys in plaintext.

As I said above, this was fixed in 2.7.10.
HI-TEC99
legendary
Activity: 2772
Merit: 2846
Re: Serious Security glitch in Electrum !!
October 27, 2016, 02:57:07 PM
#3
Quote from: apoorvlathey on October 27, 2016, 10:36:22 AM
I have noticed a very serious security breach in electrum desktop wallet. I have set a password to secure my wallet, but it is of no use.
While adding new address, it asked for a password, i pressed cancel even then new window to enter the private key appeared and i was able to add new bitcoin address without the password !
I then tried to sign a message with the new address added to the wallet. It asked me for the password, i again pressed cancel, and to my surprise the sign/verify window still appeared and i could successfully sign message with that address without even entering the password.
I have not tried this with a bitcoin transaction though.

By "adding new address" do you mean you created a new wallet and left the password blank when it asked you to create one? The dialog box says "enter nothing if you want to disable encryption".




That's not a bug, it's a feature. If you don't want to be forced into entering a password every time you send Bitcoins then you miss out the password when you create the wallet.

I can't find an option in the GUI to add a new address, I think you can only do that in the console through the command line.
btchris
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
Re: Serious Security glitch in Electrum !!
October 27, 2016, 12:18:32 PM
#2
It doesn't look like this was a known bug, but it was fixed here (as a result of fixing a related issue) in version 2.7.10 (current version is 2.7.11).

After upgrading, you'll still need to fix your wallet. Delete any affected addresses on the addresses tab, and import them again.
apoorvlathey
hero member
Activity: 1162
Merit: 547
CryptoTalk.Org - Get Paid for every Post!
Re: Serious Security glitch in Electrum !!
October 27, 2016, 10:36:22 AM
#1
I have noticed a very serious security breach in electrum desktop wallet. I have set a password to secure my wallet, but it is of no use.
While adding new address, it asked for a password, i pressed cancel even then new window to enter the private key appeared and i was able to add new bitcoin address without the password !
I then tried to sign a message with the new address added to the wallet. It asked me for the password, i again pressed cancel, and to my surprise the sign/verify window still appeared and i could successfully sign message with that address without even entering the password.
I have not tried this with a bitcoin transaction though.
Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Electrum
Jump to: