Topic: Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade - page 2. (Read 891 times)

The password feature has always been there, but it has always been optional, because some systems require automated payments. We are closely monitoring how fast users are updating their wallet software. Media reports were useful in spreading awareness, but it is true that they also created misunderstanding.

At this point, there is no evidence that bitcoins have been stolen because of this vulnerability. Two users have reported bitcoin theft and attributed it to the vulnerability, but these cases are more likely to have been caused by malware downloaded from fake electrum websites, or by keyloggers, because these wallets were protected with strong passwords.

We received one suspicious report by a user who sent bitcoins from an exchange to a wrong address. This user was trying fund his Electrum wallet, and he used an address that was in the "send" tab of his wallet, instead of the "receive" tab. This user did not answer our questions regarding whether the presence of an address in the "send" tab was resulting from his own actions, or could have been put there by a malicious website.

I have never ever bothered to download any of the wallet, ny coins was in cryptopia.... I hope its safe there....

Are there any estimations for how many users were critically vulnerable to this potential attack, i.e. had unencrypted seeds in their wallet files? I've tried to do some research, but failed to determine if Electrum was always asking for password during new wallet creation process, or this feature was added with some version? Also, is password optional during creation?
Some users and media have misunderstood this vulnerability and started claiming that "Electrum is completely broken and anyone can steal your coins when you run it", which is simply not true, so it's better to clear this misunderstanding.

1) that is the problem with older versions of windows (like windows 7). you need to install the latest updates. install KB2999226 and it should work.

2) read OP

you can always switch to Linux. the simplest way is to download a popular distribution like Ubuntu,
burn it on a DVD (if you don't want to install and have dual boot with windows),
boot from DVD,
download latest Electrum version and verify its signature
enter your seed
make your transaction and when you are done shut it down and everything will go away.

Strange. I don't try download new wallet.
I wait review about this new version. Anyone try it?

My windows defender for windows 10 doesn't let me download electrum portable 3.0.5 from electrum.org. It sais that electrum is malicious file and delets it while downloading. What should I do?

i use andriod version and update from googleplay ...
in andriod version cannt set password for wallet..!
1-should i send my fund to the new android wallet?
2-at all which platform is the safest way to store?android linux macos or windows?

If my wallet protected with password.. I want to move funds to my new wallet.
How make it safety? (close all web browsers)

Also I'm interesting about this bug in version before 2.6?

A vulnerability has been found in Electrum, and patched in version 3.0.5.
Please update your software if you are running an earlier version.

Below is a copy of the satement we put on our website.
The original can be found here: https://github.com/spesmilo/electrum-docs/blob/master/cve.rst

Thanks to Theymos for displaying a notice on this website.




JSONRPC vulnerability in Electrum 2.6 to 3.0.4
==============================================

On January 6th, a vulnerability was disclosed in the Electrum wallet
software, that allows malicious websites to execute wallet commands
through JSONRPC executed in a web browser. The bug affects versions
2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of
Electrum such as Electron Cash.


Can funds be stolen?
--------------------

Wallets that are not password protected are at risk of theft, if they
are opened with a version of Electrum older than 3.0.5 while a web
browser is active.

In addition, the vulnerability allows an attacker to modify user
settings, the list of contacts in a wallet, and the "payto" and
"amount" fields of the user interface while Electrum is running.

Although there is no known occurrence of Bitcoin theft occurring
because of this vulnerability, the risk increases substantially now
that the vulnerability has been made public.


Can wallet data be leaked?
--------------------------

Yes, an attacker can obtain private data, such as: Bitcoin addresses,
transaction labels, address labels, wallet contacts and master public
keys.


Can a password-protected wallet be bruteforced?
-----------------------------------------------

Not realistically. The vulnerability does not allow an attacker to
access encrypted seed or private keys, which would be needed in order
to perform an efficient brute force attack. Without the encrypted
seed, an attacker must try passwords using the JSONRPC interface,
while the user is visiting a malicious page. This is several orders of
magnitude slower than an attack with the encrypted seed, and
restricted in time. Even a weak password will protect against that.


What should users do?
---------------------

All users should upgrade their Electrum software, and stop using old
versions.

Users who did not protect their wallet with a password should create a
new wallet, and move their funds to that wallet. Even if it never
received any funds, a wallet without password should not be used
anymore, because its seed might have been compromised.

In addition, users should review their settings, and delete all
contacts from their contacts list, because the Bitcoin addresses of
their contacts might have been modified.


How to upgrade Electrum
-----------------------

Stop running any version of Electrum older than 3.0.5, and install
Electrum the most recent version. On desktop, make sure you download
Electrum from https://electrum.org and no other website. On Android,
the most recent version is available in Google Play.

If Electrum 3.0.5 (or any later version) cannot be installed or does
not work on your computer, stop using Electrum on that computer, and
access your funds from a device that can run Electrum 3.0.5. If you
really need to use an older version of Electrum, for example in order
to access wallet seed, make sure that your computer is offline, and
that no web browser is running on the computer at the same time.


Should all users move their funds to a new address?
---------------------------------------------------

We do not recommend moving funds from password protected wallets. For
wallets that were not password protected, moving funds is an extreme
precaution, that might not be necessary; indeed, if a wallet was
compromised, it is very likely that the attacker would have stolen the
funds immediately.


When was the issue reported and fixed?
--------------------------------------

The absence of password protection in the JSONRPC interface was
reported on November 25th, 2017 by user jsmad:
https://github.com/spesmilo/electrum/issues/3374

jsmad's report was about the Electrum daemon, a piece of software that
runs on web servers and is used by merchants in order to receive
Bitcoin payments. In that context, connections to the daemon from the
outside world must be explicitly authorized, by setting 'rpchost' and
'rpcport' in the Electrum configuration.                                                                                                                                                                          

On January 6th, 2018, Tavis Ormandy demonstrated that the JSONRPC
interface could be exploited against the Electrum GUI, and that the
attack could be carried out by a web browser running locally, visiting
a webpage with specially crafted JavaScript.

We released a new version (3.0.4) in the hours following Tavis' post,
with a patch written by mithrandi (Debian packager), that addressed
the attack demonstrated by Tavis. In addition, the Github issue
remained open, because mithrandi's patch was not adding password
protection to the JSONRPC interface.