Electrum’s developers released a new version of their bitcoin wallet client after a security researcher at Google Project Zero discovered a critical vulnerability that allowed hackers to use malicious websites to steal bitcoins from unencrypted Electrum wallets. If you haven’t already, update to Electrum 3.0.5.
Tavis Ormandy, a white hat hacker who has identified a number of high-profile vulnerabilities in software products, discovered a critical bug in Electrum’s JSON-RPC protocol, which is used to transfer data between clients and servers.
The interface was not secured properly, which made any unencrypted Electrum wallet immediately vulnerable to having its balance drained by thieves if both the wallet and a web browser were open at the same time.
Here is an example of how the vulnerability can be exploited to steal the wallet seed from a wallet that is either unencrypted or encrypted with a poor password:
Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password or if it's easy to guess it can be bruteforced #bitcoin pic.twitter.com/MYq1u9ZZbt
— h43z (@h43z) January 7, 2018
However, Ormandy said that users with encrypted wallets also face potential risks.
“I think just scanning for people in the background of a website is really easy, and seems likely someone will try that. Even with encrypted wallets, you can still change options, change destination addresses, deanonymize users via listaddresses and so on,” Ormandy wrote on Github.
The vulnerability, which affects wallet versions 2.6 to 3.0.3, was initially reported on Nov. 24, 2017, the same day that Bleeping Computer reported that hackers had been scanning the web for Ethereum wallet clients vulnerable to an insecure JSON-RPC interface. However, Electrum developers apparently did not recognize the gravity of the issue, as it went unaddressed until Ormandy discovered it on Jan. 6.
Apparently, the vulnerability was more than two years old, as the affected code was merged on Nov. 30, 2015. Amazingly, there are no known cases of it being successfully exploited, although this will almost certainly change now that the bug has been revealed.
Electrum quickly released an update, version 3.0.4, which addressed part of the issue but may still leave wallets vulnerable to some attacks.
Developers are now urging users to update their wallets to version 3.0.5, although they should probably exercise caution while using the wallet until it is clear that the release is stable.
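One way a wallet's local JSON-RPC listener could refuse requests coming from web pages, as an added example (not Electrum's code and not the fix shipped in 3.0.4 or 3.0.5): every request must pass an Origin, Host and credential check before any method is dispatched, including ones such as listaddresses that Ormandy notes work even on encrypted wallets. The port, credentials and method stub are constructed for illustration.

```python
import base64
import hmac
import json

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}  # assumed names of the local listener

def authorize(headers, rpc_user, rpc_password):
    """Return (allowed, reason) for one HTTP request to a local JSON-RPC port."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach an Origin header to cross-site POSTs; a local
    # command-line client has no reason to send one.
    if "origin" in h:
        return False, "browser-originated request"
    host = h.get("host", "").rsplit(":", 1)[0]
    if host not in LOOPBACK_HOSTS:
        return False, "unexpected Host header"
    scheme, _, blob = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False, "missing credentials"
    try:
        supplied = base64.b64decode(blob, validate=True)
    except ValueError:
        return False, "malformed credentials"
    expected = f"{rpc_user}:{rpc_password}".encode()
    # Constant-time comparison so timing does not leak a partial match.
    if not hmac.compare_digest(supplied, expected):
        return False, "bad credentials"
    return True, "ok"

def handle(headers, body, rpc_user, rpc_password, methods):
    """Gate first, dispatch second: no method is reachable unauthenticated."""
    allowed, reason = authorize(headers, rpc_user, rpc_password)
    if not allowed:
        return {"error": reason}
    req = json.loads(body)
    fn = methods.get(req.get("method"))
    if fn is None:
        return {"error": "unknown method"}
    return {"result": fn(*req.get("params", []))}

# Constructed sample data: credentials, port and the method stub are made up.
USER, PASSWORD = "user", "s3cret-constructed"
METHODS = {"listaddresses": lambda: ["addr-placeholder-1"]}
TOKEN = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
GOOD = {"Host": "127.0.0.1:7777", "Authorization": "Basic " + TOKEN}
BODY = json.dumps({"id": 0, "method": "listaddresses", "params": []})

if __name__ == "__main__":
    print(handle(GOOD, BODY, USER, PASSWORD, METHODS))
    print(handle({**GOOD, "Origin": "https://example.invalid"}, BODY, USER, PASSWORD, METHODS))
```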