JSONRPC vulnerability in Electrum 2.6 to 3.0.4



Summary:

A vulnerability in the Electrum wallet software was disclosed on January 6th. The bug affects versions 2.6 to 3.0.4 of Electrum, on all platforms, and also affects clones such as Electron Cash. Wallets that are not password protected are at risk of theft if they are opened with a version of Electrum older than 3.0.5 while a web browser is active. An attacker can obtain private data and modify user settings, which includes the list of contacts in a wallet, and the "payto" and "amount" fields of the user interface while Electrum is running.

Users should upgrade their Electrum software and stop using old versions. In addition, users should review their settings and delete all contacts from their contact list, because the Bitcoin addresses of their contacts might have been modified. To upgrade Electrum, users need to stop running any version of Electrum older than 3.0.5 and install the most recent version. On desktop, users should download Electrum from https://electrum.org and no other website. Android users can find the most recent version in Google Play. If the newest version cannot be installed, users should stop using Electrum on that computer and access their funds from a device that can run Electrum 3.0.5. In addition, users who did not protect their wallet with a password should create a new wallet and move their funds to that wallet. It is recommended that users do not move funds from password-protected wallets. For wallets that were not password protected, moving funds is an extreme precaution that may not be necessary.

The vulnerability was reported on November 25th, 2017, by user jsmad, and patched in version 3.0.5 of Electrum. After Tavis Ormandy demonstrated that the JSONRPC interface could be exploited against the Electrum GUI, a patch was written by mithrandi in the hours following Tavis's post. The GitHub issue remained open because mithrandi's patch did not add password protection to the JSONRPC interface.
Proper password protection for the JSONRPC interface of the daemon was added on Sunday, January 7th. The 3.0.5 release includes password protection and completely disables JSONRPC in the GUI.
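To illustrate what password protection on a local JSON-RPC listener adds, here is an added Python example that is not Electrum's code: the credentials, method names and error codes are constructed for illustration. A request that lacks valid HTTP Basic credentials, which is all an unauthenticated request from another local process or a web page can supply, is refused before any wallet method is dispatched.

```python
import base64
import hmac
import json

# Constructed sample credentials; a real daemon would load these from its
# configuration and generate a long random password at first start.
RPC_USER = "user"
RPC_PASSWORD = "correct horse battery staple"

# Hypothetical wallet methods standing in for the real RPC surface.
METHODS = {
    "getinfo": lambda params: {"version": "3.0.5"},
    "listcontacts": lambda params: {"alice": "bc1q-constructed-example"},
}


def basic_header(user, password):
    """Build the Authorization header value an authorized client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authorized(headers):
    """Return True only if the request carries valid HTTP Basic credentials."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    # Constant-time comparison so response timing does not leak the secret.
    return (hmac.compare_digest(user.encode(), RPC_USER.encode()) and
            hmac.compare_digest(password.encode(), RPC_PASSWORD.encode()))


def handle(raw_body, headers):
    """Dispatch one JSON-RPC 2.0 request; returns (http_status, response)."""
    if not authorized(headers):
        # Refuse before parsing: no wallet state is touched or revealed.
        return 401, {"jsonrpc": "2.0", "id": None,
                     "error": {"code": -32001, "message": "unauthorized"}}
    try:
        req = json.loads(raw_body)
        method = METHODS[req["method"]]
    except (ValueError, KeyError, TypeError):
        return 400, {"jsonrpc": "2.0", "id": None,
                     "error": {"code": -32600, "message": "invalid request"}}
    return 200, {"jsonrpc": "2.0", "id": req.get("id"),
                 "result": method(req.get("params", []))}
```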


Updated on: 2023-06-12T23:45:36.822581+00:00