Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Electrum Critical Vulnerability - SHUT IT DOWN IMMEDIATELY

  • 07-01-2018 10:43pm
    #1
    Zab
    Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭


    Copied from: https://bitcointalk.org/index.php?topic=2702103.0

    A vulnerability was found in the Electrum wallet software which potentially allows random websites to steal your wallet via JavaScript. The bug presumably also affects altcoin derivatives of Electrum such as Electron Cash. If you don't use Electrum or a derivative, then you are not affected and you can ignore this.

    Action steps:

    1. If you are running Electrum, shut it down right this second.
    2. Upgrade to 3.0.5 (making sure to verify the PGP signature).

    You don't necessarily need to rush to upgrade. In fact, in cases like this it can be prudent to wait a while just to make sure that everything is settled. The important thing is to not use the old versions. If you have an old version sitting somewhere not being used, then it is harmless as long as you do not forget to upgrade it before using it again later.

    If at any point in the past you:

    - Had Electrum open with no wallet passphrase set; and,
    - Had a webpage open

    Then it is possible that your wallet is already compromised. Particularly paranoid people might want to send all of the BTC in their old Electrum wallet to a newly-generated Electrum wallet. (Though probably if someone has your wallet, then they already would've stolen all of the BTC in it...)

    This was just fixed hours ago. The Electrum developer (ThomasV on the forum, ecdsa on github) will presumably post more detailed info and instructions in the near future.

    Update 1: If you had no wallet password set, then theft is trivial. If you had a somewhat-decent wallet password set, then it seems that an attacker could "only" get address/transaction info from your wallet and change your Electrum settings, the latter of which seems to me to have a high chance of being exploitable further. So if you had a wallet password set, you can reduce your panic by a few notches, but you should still treat this very seriously.

    Update 2: Version 3.0.5 was just released, which further protects the component of Electrum which was previously vulnerable. It is not critically necessary to upgrade from 3.0.4 to 3.0.5, though upgrading would be a good idea. Also, I've heard some people saying that only versions 3.0.0-3.0.3 are affected, but this is absolutely wrong; all versions from 2.6 to 3.0.3 are affected by the vulnerability.

    Update 3: You definitely should upgrade from 3.0.4 to 3.0.5, since 3.0.4 may still be vulnerable to some attacks.


Comments

  • #2
    Zab
    Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    3.0.5 now out, also considered required.

    As an aside, if you don't use a password on your wallet file you need to start. Although passwords can be a pain, somebody managing to grab a file from your user folder is considerably more likely than them keylogging your password, even if hopefully neither will happen.


Advertisement