Author

Topic: Transferring BTC from Electrum That Has Not Been Updated? (Read 363 times)

legendary
Activity: 2758
Merit: 6830
Thanks.  So if you click okay, is that the same as clicking the x?  Thus only way to download it is by clicking on that link right?
Yes. You would need to click the link, download the file and run it to risk your coins.

Electrum only sees that as a error message and there is no way the hacker can pass “actions”, like opening a link, downloading a file or running a command in your wallet/PC.
full member
Activity: 1792
Merit: 186
Thanks.  So if you click okay, is that the same as clicking the x?  Thus only way to download it is by clicking on that link right?
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
First result from Google was this one.


There's an x a help and an OK.
full member
Activity: 1792
Merit: 186
Is there a picture that someone took of how the message looks like?  I saw another thread where someone showed a picture of it but it only shows like an okay to click on and no X on the top corner?


Also because i still have not claimed my btc cash and gold yet... would you say its probably better idea to claim those first... and then send the rest of the btc from my electrum to hardware wallet?  I ask this because if you do download that software, wouldn't that mean any btc cash or gold that you have and didn't claim, a hacker could claim that as well?  Also does anyone know if those ppl who downloaded the fake electrum from that message, did it infect their entire computer such as if they use a password program like lastpass or keepass, it infected that as well so all your password and accounts from a password manager is now infected?  Or its only the electrum? 


legendary
Activity: 2030
Merit: 1573
CLEAN non GPL infringing code made in Rust lang
Hey all.  So just to confirm.  Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else?  But if i get that message, then i close it.  Then i close electrum.  Then go to the official electrum site and download electrum? 

Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.

Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it?  So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it?  Or do you have to download it fully and also go through the installation process?

You will be fine sending from the old version. If you connect to a fake server, when you try send the funds you get a scary message telling you to upgrade, go to electrumfakeserver yadda. Just ignore it; change the server to a legit one and try again.

In a legit server, you also get another scary message telling you to upgrade because your Electrum is "vulnerable" but the broadcast was successful (sigh). Ignore that too, you are done.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
fronti, it is true that we need to trust to companies like Trezor or Ledger, but so far they have proved to have a good product for keeping our private keys safe. Phishing and hardware wallets, hm? Where you get that theory?

Hardware alone isnt great... Unless you pick it up from ledger hq or trezor hq there is always a risk you don't have a genuine device. Multisig with other devices (even another online one is preferable). The chances of a mail carrier hijacking are low in developed countries but high on less developed ones and not all post comes in as good a condition as it was promised. Some parcels that come through customs have suspicious appearances sometimes that makes them look like they've been opened.

A hardware wallet is greatly beneficial in a lot of cases but shouldn't wholly be relied upon.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
fronti, it is true that we need to trust to companies like Trezor or Ledger, but so far they have proved to have a good product for keeping our private keys safe. Phishing and hardware wallets, hm? Where you get that theory?

Private keys never leave hardware wallet, and you can use Electrum as UI, or Ledger Live for Nano S - phishing is dangerous for online wallet/exchanges. For clipboard malware which can change your address Ledger is implemented checking of sending address/receiving address, so if you enough careful there is no way that malware can trick you.

Nothing is not 100% safe, but I always look for the best possible option.
legendary
Activity: 2912
Merit: 1309
Hardware wallets are a logical choice, for 60-70$ you can get much better security then with most desktop wallets.

but you need to trust the hardware wallet vendors.
Also if you use a hardware wallet there are still phishing possibilities.
For example change a shown btc address on a website

Security is never easy!
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
so to use electrum i have to trust other softwares?

Exactly, only way to be 100% sure that you download correct file is to verify that file, and for that you need some tool/software. But you have possibility to check that software integrity in the way that it is described in post by pooya87.

You do not need to install Electrum first to verify it, it is actually the opposite procedure - you need to verify Electrum files which you download before installation, because otherwise the whole procedure does not make sense.

Electrum is easy to use light desktop wallet, but as you can see it is not 100% safe, especially for inexperienced users. Does this mean that you should stop using Electrum? It all depends on you and how much you really care about your coins, and accordingly to that you can take steps to increase security of coin storage. Hardware wallets are a logical choice, for 60-70$ you can get much better security then with most desktop wallets.
legendary
Activity: 3710
Merit: 1586
so to use electrum i have to trust other softwares?

Yes starting with your BIOS and OS. You also have to trust your hardware manufacturer.
legendary
Activity: 3710
Merit: 1586
Here's a guide to verifying the gpg sig. I suggest you update your electrum from electrum.org. That way the only problem you might face is difficulty spending bitcoins at which point you can simply switch servers and try again.
gpg4win has a signature to verify file? Or how to verify gpg4win?

They use code signing. More details here: https://www.gpg4win.org/package-integrity.html
legendary
Activity: 3472
Merit: 10611
For verifying the download I use Gpg4win.

gpg4win has a signature to verify file? Or how to verify gpg4win?

Lol, you need to install it before you can validate it.  Undecided

The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs.  If you get something that isn't trusted by your AV stop.

i believe he is talking about checking the signature of GPG4Win itself as like any other application this .exe file is also being released with a signature. like this is for the last version: https://files.gpg4win.org/gpg4win-3.1.5.tar.bz2.sig
so verifying its signature looks a bit odd since the application you use for signature verification is the same thing you want to verify! here is the documentation for how to do it though: https://www.gpg4win.org/package-integrity.html

you can also check it using Linux since most of them already come with GPG installed.
legendary
Activity: 2758
Merit: 6830
Lol, you need to install it before you can validate it.  Undecided

The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs.  If you get something that isn't trusted by your AV stop.
Please don’t... all that the AVs do is check for malware signatures. This means that if a piece of software doesn’t have a signature that matches with one in their database, it won’t flag as a virus. This doesn’t say sh*t about the legitimacy of a software.

You could use a fake version of gpg4win that shows a specifc software signature as legit even if its not and it wouldn’t be flagged by your AV.

Btw, Electrum is commonly flagged as a trojan by many AVs. Does that mean I should “stop”? Wink
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
For verifying the download I use Gpg4win.

gpg4win has a signature to verify file? Or how to verify gpg4win?

Lol, you need to install it before you can validate it.  Undecided

The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs.  If you get something that isn't trusted by your AV stop.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Hey all.  So just to confirm...

There is no danger for your coins even if you use Electrum 3.0.5, that message may appear, but it certainly does not affect security of the wallet. Only danger is if you click on link posted in that message and manually download fake wallet, nothing happens automatically.

If that message appear just close it with x, and then change server by click on Tools -> Network -> Select any other server -> Untick option "Select server automatically". Check post from Abdussamad if you need more detailed explanation (with pictures).
legendary
Activity: 2758
Merit: 6830
Hey all.  So just to confirm.  Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else?  But if i get that message, then i close it.  Then i close electrum.  Then go to the official electrum site and download electrum?  
You should just download the latest version right now. If for some reason you want to keep using 3.0.5, ignore the message and restart Electrum to get a new server or change it manually.

Quote
Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.
Nothing bad will happen unless you download the fake Electrum.

Quote
Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it?  So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it?  Or do you have to download it fully and also go through the installation process?  
Just download the latest version. Why try to send anything with the vulnerable version?

And no, it’s not a “click and you’re doomed” thing. You would have to download and run it.
full member
Activity: 1792
Merit: 186
Hey all.  So just to confirm.  Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else?  But if i get that message, then i close it.  Then i close electrum.  Then go to the official electrum site and download electrum? 



Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.



Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it?  So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it?  Or do you have to download it fully and also go through the installation process? 
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
You say if i try to send the btc and the server im using is compromised, then yes i would get that message to update electrum.  But i also have the option to x the message right and cancel the transaction?  But most likely the outcome is when i try to send btc now, i won't get the message?

Since you are still using 3.0.5 version there is a possibility that such message can pop up if you are connected to bad server. But there is no danger to your transaction, only danger is if you follow link posted in message and download fake Electrum. Problem is solved in latest version 3.3.3, instead of   
receiving such messages, user can only get error message if it is connected to a bad server.

it is funny those servers are still there to have questions like this (where are you electrum developers why bad servers are still in the servers list for users to connect to?).

I think developers can not remove bad servers from server list, everyone can set up server and there is no way to determine which one is bad or good. Even if they remove them, hackers can add more new severs much faster than they can be removed. In short, Electrum is not perfect wallet.

legendary
Activity: 3710
Merit: 1586
Here's a guide to verifying the gpg sig. I suggest you update your electrum from electrum.org. That way the only problem you might face is difficulty spending bitcoins at which point you can simply switch servers and try again.
full member
Activity: 1792
Merit: 186
You say if i try to send the btc and the server im using is compromised, then yes i would get that message to update electrum.  But i also have the option to x the message right and cancel the transaction?  But most likely the outcome is when i try to send btc now, i won't get the message?


full member
Activity: 1792
Merit: 186
How do i verify the pgp signature is legit before i download it?  Do i need to right click it or what do i need to do to make sure the link is legit?  Again this is complicated for someone like me that isn't that computer savy.  Though using electrum would be considered tech savy for most users.


Well if i manually type in the website in my address bar on chrome


www.electrum.org


And then click enter... that is still not safe?  When i type in electrum on google, i see an electrum.org link on the first one showing and am sure that is the legit one as i have clicked on that link before a while back when i did an update.



Thanks.

legendary
Activity: 3472
Merit: 10611
okay so just to confirm this.  No one here has heard of anyone that went to the real electrum website www.electrum.org and downloaded the program and it being malicious?  I thought i was pretty sure someone mentioned this was a case with a few others?

there are two problems here.
1. you may think you are visiting the real website but you really aren't. for example your browser might have redirected you to a similar looking website as @nc50lc explained above and you may not notice it.
2. the website may be compromised. it is just a website after all, and not immune to hacks. a hacker might have injected a malicious software there.

so what is the solution you ask?
it is pretty simple, get in the habit of verifying PGP signatures of whatever you download with the real public key of the developer.
what i mean by "real" is about the concept of "web of trust". in short it is about gaining the public key in a way that it can't be faked. like asking a friend to send the key via SMS, physical mail or sign it with his own public key which you already have. or at the very least checking multiple sources to see if the key you see on the website is the same as you see elsewhere like on Github,... this is the key by the way: 0x2BD5824B7F9470E6
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
1.  First off, if i open my electrum wallet now, will it ask me to update to the newest version via a message?

No.

Or it only will show me this message if i try to send btc?

If your transaction happens to be accepted by one of the compromised servers, yes.

Or i might not even get this message and i could send the btc?

Yes, this is the most likely outcome.

The other thing is if you do receive this message, i assume you can close that message as say no or x it out?  Is it clicking no or closing the message by x'ing it out?

Yes, that also works.

Should i just go to www.electrum.org and download the newest up to date electrum on the website?

That's what I would do.  Only download Electrum from https://electrum.org/#home.

If you are concerned about the safety of using electrum, keep in mind; your security is your responsibility.  If I were you, I would do as you've described in your second point; update to the latest version before accessing your wallet.  

But before you install the latest version of electrum learn to verify the signature.  Learning to check the signature, and doing so every time you download an updated version should put your mind at ease when using electrum.  It really is one of the best desktop wallets to use, and it's worth learning to use it safely.

For verifying the download I use Gpg4win.



legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
-snip-
But has there been any case of anyone that has downloaded electrum from the official www.electrum.org site and had an issue?  
So far, no one.
But you might wanna double-check if it was bookmarked or a google search result, there has been a fake site with Big letter i for an "L" like this: eIectrum; users who don't use serif fonts wont notice the difference.
full member
Activity: 1792
Merit: 186
Well i dont know how to do the verification etc.  Someone mention this and this is confusing for someone that is not computer savy.


But has there been any case of anyone that has downloaded electrum from the official www.electrum.org site and had an issue? 
legendary
Activity: 2170
Merit: 1789
No one here has heard of anyone that went to the real electrum website www.electrum.org and downloaded the program and it being malicious?  I thought i was pretty sure someone mentioned this was a case with a few others?

It's a false positive (if you're talking about the installer being identified as a virus). You can always verify the files though, and make it your regular practice if you're in crypto in order to increase your security. You can also check out the official GitHub and verify the code/build it by yourself if you don't trust the official website (though I don't find any reason to do so).

Vulnerabilities that recently being mentioned/surfaced can be avoided easily if users have enough awareness and always verify any files before they use it.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
There aren't any recent cases. It can't hurt to validate the signatures. If you have a phone, you can download electrum and make a watching only wallet, take your computer offline and run electrum. Then click to send the funds to an address, hit preview and sign. Then get thevqr code (between copy and export) and scan it with the send tab on your phone and click broadcast.

Alternatively you can just keep using the old version but I'm not sure if 3.0.5 has the json rpc vulnerability so make sure you hit broadcast. You can get the message on all but the latest versions of electrum desktop, it doesn't appear at all on android electrum though if it's not much...
full member
Activity: 1792
Merit: 186
thanks for that information.  So if there is that fake update message, you can close it just like that by x'ing it?


okay so just to confirm this.  No one here has heard of anyone that went to the real electrum website www.electrum.org and downloaded the program and it being malicious?  I thought i was pretty sure someone mentioned this was a case with a few others?

legendary
Activity: 2758
Merit: 6830
1.  First off, if i open my electrum wallet now, will it ask me to update to the newest version via a message?  Or it only will show me this message if i try to send btc?  Or i might not even get this message and i could send the btc?  The other thing is if you do receive this message, i assume you can close that message as say no or x it out?  Is it clicking no or closing the message by x'ing it out?
If you open your wallet and end up selecting a malicious server (server selection is random by default), you will get a fake update message whenever you try to make a transaction. The message itself doesn’t do anything. It’s al a phishing attempt and you will only be affected if you believe the message and download the fake update from a fake website (that isn’t electrum.org)

Quote
At the moment, I want to send the btc i have in my electrum to my hardware wallet.  Thus that way, i don't want to use the electrum wallet anymore at least for now.  But i have not opened the program once due to all the issues with electrum.  What is the best method for me to do this right now?
Download the latest version from ELECTRUM.ORG (that’s the ONLY legit website). Those will mitigate the attacks and if you end up connected in a malicious server, it will show only a “unknown error” message instead of the fake update message. Then, just select a different server manually or restart the wallet to connect to another one automatically.

Quote
2.  Should i just go to www.electrum.org and download the newest up to date electrum on the website?  As long as you don't download electrum from github or those other links, are you fine?  Someone mentioned that as long as you download it from the official site... you are fine.  Is this true or false?  Because i think i recalled reading that the hacker posted the fake link on their site for a short duration where anyone that downloaded electrum from the official site downloaded that malicious file?  Or is this not true?  
Yes. That’s true. The only vulnerability is the possibility of sending fake messages to the users on their servers, so they can be lured in downloading a malware wallet.
full member
Activity: 1792
Merit: 186
I am using electrum 3.0.5.  I still have some amount of btc there as i previously transferred it to a hardware wallet.  I have not tried to open my electrum wallet on my windows laptop for a while after hearing people talk about all the issues with the update and those scams going on. 


1.  First off, if i open my electrum wallet now, will it ask me to update to the newest version via a message?  Or it only will show me this message if i try to send btc?  Or i might not even get this message and i could send the btc?  The other thing is if you do receive this message, i assume you can close that message as say no or x it out?  Is it clicking no or closing the message by x'ing it out?


At the moment, I want to send the btc i have in my electrum to my hardware wallet.  Thus that way, i don't want to use the electrum wallet anymore at least for now.  But i have not opened the program once due to all the issues with electrum.  What is the best method for me to do this right now?



2.  Should i just go to www.electrum.org and download the newest up to date electrum on the website?  As long as you don't download electrum from github or those other links, are you fine?  Someone mentioned that as long as you download it from the official site... you are fine.  Is this true or false?  Because i think i recalled reading that the hacker posted the fake link on their site for a short duration where anyone that downloaded electrum from the official site downloaded that malicious file?  Or is this not true? 



Jump to: