Warning: There is an ongoing phishing attack against Electrum users

HCP

legendary

Activity: 2086

Merit: 4363

Quote from: Stedsm on February 06, 2019, 03:59:58 AM

Quote from: HCP on February 04, 2019, 04:03:24 PM

So, any Electrum binaries on Github are NOT official releases.

Aren't releases made over GitHub by Electrum's official devs fine to be downloaded?

Yes, they would be... BUT, My point is...there are no binaries on the official github... there never have been.

They only have .zip or .tar.gz archives of the source code. Have a look: https://github.com/spesmilo/electrum/releases

As far as I am aware... the only place to download the binaries is via: https://www.electrum.org/#download (which actually links to: https://download.electrum.org/)

Stedsm

legendary

Activity: 3052

Merit: 1273

Quote from: HCP on February 04, 2019, 04:03:24 PM

I didn't say that you should never download anything from Github... I said you should "only download Electrum from the official website" and not from github. Besides, AFAIK, there are NO Electrum binary releases available on the official Electrum github anyway... they only have the source code available for download on the "releases" tab.

So, any Electrum binaries on Github are NOT official releases.

Aren't releases made over GitHub by Electrum's official devs fine to be downloaded? I know that either repositories can be cloned and/or hubs with fake account names may be created with exact Electrum wallet name that could drag someone into being scammed, but what about their official GitHub? And if newer versions are such dangerous, why can't we use older versions instead (obviously if there are no bugs and we're fine using them)?
If I'm not wrong, GitHub consists all older version files as well and they can be downloaded and used, so why go for updated versions when we feel no need or when knowing that such hack issues are taking place? How can an application like Electrum pop up instructions which are not even set by their devs? Can a hacker really be this rational in hacking even the servers behind that official app to throw some air in his malign intentions?

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: ysangkok on February 05, 2019, 01:24:10 PM

I work for Electrum Technologies GmbH.

Could you provide some evidence just to make everything clear about this? No one should just instantly trust a not known account.

ysangkok

newbie

Activity: 10

Merit: 3

Quote from: Awkward_Public_Stoner on January 12, 2019, 05:54:36 AM

Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.

Such a list is not very useful. Keep your Electrum updated by checking electrum.org, this is our only advice.

The only thing a malicious server could ever do, is to display error messages. Because Electrum v3.3.3 doesn't allow the server to display arbitrary error messages, it is safer.

If your Electrum v3.3.3+ version is showing error messages when trying to broadcast a transaction, as of right now, it probably means that you are currently using a malicious server. In that case, you can choose another server using the network dialog.

I work for Electrum Technologies GmbH.

HCP

legendary

Activity: 2086

Merit: 4363

Quote from: pooya87 on February 02, 2019, 11:45:36 PM

Quote from: HCP on February 02, 2019, 02:13:48 PM

~ DO NOT DOWNLOAD FROM GITHUB!

you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.

Quote from: joniboini on February 03, 2019, 05:23:24 AM

Second this. Isn't it also dangerous if somehow a hacker can hijack the DNS of the website to lure people to download his apps, which in turn makes downloading from GitHub safer? Anyway, the most important step to take is to always verify the signature.

Context is important... What I said was:

Quote from: HCP on February 02, 2019, 02:13:48 PM

ONLY download Electrum from the official website: https://electrum.org/#download - DO NOT DOWNLOAD FROM GITHUB!
ALWAYS check the digital signature of Electrum before running installer and/or portable exe

I didn't say that you should never download anything from Github... I said you should "only download Electrum from the official website" and not from github. Besides, AFAIK, there are NO Electrum binary releases available on the official Electrum github anyway... they only have the source code available for download on the "releases" tab.

So, any Electrum binaries on Github are NOT official releases.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: Hhampuz on February 03, 2019, 10:42:15 PM

Quote from: ?? on ??

Quote from: Hhampuz on February 03, 2019, 10:07:55 PM

Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.

What Electrum version do you use and when do you get the pop-up (when launch the application or try broadcast a transaction)?

Since Electrum 3.3.3, there's option to check update automatically (only if you enable it) where only signed message with hard-coded address on Electrum is valid.
If you see the pop-up when broadcast transaction, just change Electrum server and upgrade your software.

Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

well you still had to have checked the digital signature of the file you downloaded, no matter where and how you got it from. if you haven't done that, then you should. visit the Electrum website and find ThomasV's PGP public key (i posted it above but you have to visit the website instead of trusting my link) and then also download the signature corresponding to the file you downloaded and verify the signature with the public key.

the command would look something like this

Code:

gpg --verify Electrum-3.3.3.tar.gz.asc Electrum-3.3.3.tar.gz

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: Hhampuz on February 03, 2019, 10:42:15 PM

Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

Yes. Changing Electrum server address might be an option if you encounter server error in 3.3.3 again because it means (most of the time) you're connected to a malicious server.

Hhampuz

legendary

Activity: 3038

Merit: 6194

Meh.

Quote from: ?? on ??

Quote from: Hhampuz on February 03, 2019, 10:07:55 PM

Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.

What Electrum version do you use and when do you get the pop-up (when launch the application or try broadcast a transaction)?

Since Electrum 3.3.3, there's option to check update automatically (only if you enable it) where only signed message with hard-coded address on Electrum is valid.
If you see the pop-up when broadcast transaction, just change Electrum server and upgrade your software.

Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

Hhampuz

legendary

Activity: 3038

Merit: 6194

Meh.

Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: pooya87 on February 02, 2019, 11:45:36 PM

you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.

Second this. Isn't it also dangerous if somehow a hacker can hijack the DNS of the website to lure people to download his apps, which in turn makes downloading from GitHub safer? Anyway, the most important step to take is to always verify the signature.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: HCP on February 02, 2019, 02:13:48 PM

~ DO NOT DOWNLOAD FROM GITHUB!

you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.
in this case: https://github.com/spesmilo/electrum
and: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

HCP

legendary

Activity: 2086

Merit: 4363

Looks like this topic needs a bump... seems there are still users getting caught by the phishing attack... despite the fact that it is over 2 weeks since the issue was first brought to light... and also at least a week since the issue was patched in the version 3.3.3 release.

As always:

ONLY download Electrum from the official website: https://electrum.org/#download - DO NOT DOWNLOAD FROM GITHUB!
ALWAYS check the digital signature of Electrum before running installer and/or portable exe

Abdussamad

legendary

Activity: 3710

Merit: 1586

It's inheriting from QThread so I'm guess it happens when you run start. Start is defined in the parent class and it must be calling run.

Yes that's it: http://doc.qt.io/qt-5/qthread.html#start

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: HCP on January 27, 2019, 12:04:05 AM

Quote from: pooya87 on January 26, 2019, 10:39:58 PM

i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!

You just needed to check the Electrum Github commits...

That would lead you to: validate version update announcements using "bitcoin address" message… Wink

i know where it is. i even linked it in the other topic i started yesterday Tongue

i just have a hard time understanding python, that's all. maybe i need to try opening it in my Visual Studio to be able to follow the flow easier. for example i get that this is the whole thing here: https://github.com/spesmilo/electrum/blob/53310690a5c58145426047529eaa9af9db0b2741/electrum/gui/qt/util.py#L830-L942 but i can't figure out where it is calling the run() function under UpdateCheckThread class, i was expecting some sort of connection between that and UpdateCheck class but can't figure that out either.
the only call to it is https://github.com/spesmilo/electrum/blob/53310690a5c58145426047529eaa9af9db0b2741/electrum/gui/qt/util.py#L864-L867 where it calls start() on it but that class doesn't have a "start" function. lol. that is why i say i don't get python.

HCP

legendary

Activity: 2086

Merit: 4363

Quote from: pooya87 on January 26, 2019, 10:39:58 PM

i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!

You just needed to check the Electrum Github commits...

That would lead you to: validate version update announcements using "bitcoin address" message… Wink

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: Lucius on January 26, 2019, 05:49:36 AM

~from this version users will be notified about new version They will probably use same way as hackers do, but announcements will be signed and verified with hardcoded BTC address.

no it is not like the thing hackers used. it is a new and to be honest a little weird way. this is how it works based on my little understanding of python (the hackers were using server response messages, this is your own wallet checking):
if you check the optional checkbox to do the check then it connects to the official website at "https://electrum.org/version" which is a new link they added (the /version part) and downloads a small json file with this content:

Code:

{ "version":"3.3.3", "signatures":{ "13xjmVAB1EATPP8RshTE8S8sNwwSUM9p1P":"Hx2zT1AogEs0r+BqwyKsuJpD0dsWovU+cQYra33VY/jMfIHtiO+HTg/o43DnhWMUTx4CNPyE0ywZiClnhL5gJj4="}}

then checks your wallet version against the version it received and if it is lower then shows you a message saying you can download it from "https://electrum.org/#download"
i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: pooya87 on January 26, 2019, 02:28:44 AM

finally it is fixed in the newest version 3.3.3

This is good news, there has already been mentioned a solution in that direction. Also there is some other fixes in this version, but the most interesting is that from this version users will be notified about new version. They will probably use same way as hackers do, but announcements will be signed and verified with hardcoded BTC address.

I just hope this is permanent fix for this issue, and it would be interesting to know the total damage this exploit is done to users.

Quote

# Release 3.3.3 - (January 25, 2019)

* Do not expose users to server error messages (#4968)
* Notify users of new releases. Release announcements must be signed,
and they are verified byElectrum using a hardcoded Bitcoin address.
* Hardware wallet fixes (#4991, #4993, #5006)
* Display only QR code in QRcode Window
* Fixed code signing on MacOS
* Randomise locktime of transactions

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

pooya87

legendary

Activity: 3472

Merit: 10611

finally it is fixed in the newest version 3.3.3
reference: https://github.com/spesmilo/electrum/pull/5011/files
it uses the same approach as the electronBCH approach that takes the message, analyzes it and then translates that into predefined messages instead of showing whatever the server sent. that should solve this issue for good.
if the server sends you a malicious message you should see ""Unknown error" instead of it.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

joele, older versions still works, but there are problems with synchronization and with security. You should not use any version under 3.0.5 because of security problem which is fixed with this version. Also it is good practice to always use latest version, your version is too old and it is not safe.

Quote

# Release 3.0.4 : (Security update)

* Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS)
in the JSONRPC interface. Previous versions of Electrum are
vulnerable to port scanning and deanonimization attacks from
malicious websites. Wallets that are not password-protected are
vulnerable to theft.
* Bundle QR scanner with Android app
* Minor bug fixes

Quote

# Release 3.0.5 : (Security update)

This is a follow-up to the 3.0.4 release, which did not completely fix
issue #3374. Users should upgrade to 3.0.5.

* The JSONRPC interface is password protected
* JSONRPC commands are disabled if the GUI is running, except 'ping',
which is used to determine if a GUI is already running

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

joele

legendary

Activity: 1022

Merit: 1000

Old Electrum 2.9.3 and selected server node 'b.ooze.cc' still works for me.

Topic: Warning: There is an ongoing phishing attack against Electrum users (Read 716 times)