Electrum Releases Update After Google Project Zero Researcher Discovers 2-Year-Old Vulnerability in Wallet Client

Electrum’s developers released a new version of their bitcoin wallet client after a security researcher at Google Project Zero discovered a critical vulnerability that allowed hackers to use malicious websites to steal bitcoins from unencrypted Electrum wallets. If you haven’t already, update to Electrum 3.0.5.

Tavis Ormandy, a white hat hacker who has identified a number of high-profile vulnerabilities in software products, discovered a critical bug in Electrum’s JSON-RPC protocol, which is used to transfer data between clients and servers.

The interface was not secured properly, which made any unencrypted Electrum wallet immediately vulnerable to having its balance drained by thieves if both the wallet and a web browser were open at the same time.
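As an added example (not Electrum's code and not its actual fix), the following shows the kind of checks a wallet's local JSON-RPC listener can apply before running a command, so that a page open in the browser cannot drive it. The function names, credentials, port 7777 and the sample headers are constructed for illustration.

```python
import base64
import hmac

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def basic_header(user, password):
    """Build the Authorization value a legitimate local client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize_rpc(headers, rpc_user, rpc_password):
    """Decide whether one HTTP request to a local JSON-RPC port may run a command.

    Hypothetical helper: returns (allowed, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Browsers attach Origin to cross-origin fetch/XHR calls; a local CLI does not.
    if "origin" in h:
        return False, "browser-originated request"

    # Only loopback Host values are accepted, a standard defence against DNS rebinding.
    host = h.get("host", "")
    name = host if host.endswith("]") else host.rsplit(":", 1)[0]
    if name.lower() not in LOOPBACK_HOSTS:
        return False, "unexpected Host header"

    # Require per-install credentials, compared in constant time.
    scheme, _, blob = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False, "missing credentials"
    try:
        supplied = base64.b64decode(blob, validate=True)
    except ValueError:
        return False, "malformed credentials"
    if not hmac.compare_digest(supplied, f"{rpc_user}:{rpc_password}".encode()):
        return False, "bad credentials"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests; port 7777 and the credentials are made up.
    cli = {"Host": "127.0.0.1:7777", "Authorization": basic_header("user", "s3cret")}
    web = {"Host": "127.0.0.1:7777", "Origin": "https://site.example"}
    for label, req in (("local client", cli), ("web page", web)):
        print(label, authorize_rpc(req, "user", "s3cret"))
```

A listener that performs none of these checks treats a request from a web page exactly like one from the wallet's own command-line client, which is the exposure described above.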

Here is an example of how the vulnerability can be exploited to steal the wallet seed from a wallet that is either unencrypted or encrypted with a poor password:

However, Ormandy said that users with encrypted wallets also face potential risks.

“I think just scanning for people in the background of a website is really easy, and seems likely someone will try that. Even with encrypted wallets, you can still change options, change destination addresses, deanonymize users via listaddresses and so on,” Ormandy wrote on GitHub.

The vulnerability, which affects wallet versions 2.6 to 3.0.3, was initially reported on Nov. 24, 2017, the same day that Bleeping Computer reported that hackers have been scanning the web for Ethereum wallet clients vulnerable to an insecure JSON-RPC interface. However, Electrum developers apparently did not recognize the gravity of the issue, as it went unaddressed until Ormandy discovered it on Jan. 6.

Apparently, the vulnerability was more than two years old, as the affected code was merged on Nov. 30, 2015. Amazingly, there are no known cases of it being successfully exploited, although this will almost certainly change now that the bug has been revealed.

Electrum quickly released an update, version 3.0.4, which addressed part of the issue but may still be vulnerable to some attacks.

Developers are now urging users to update their wallets to version 3.0.5, although they should probably exercise caution while using the wallet until it is clear that the release is stable.

Notably, the vulnerability also affects Electron Cash — a bitcoin cash-based fork of Electrum — so this wallet’s users should update their software clients to version 3.1.1.


David Murray

David has been following the development of cryptocurrency technology for several years, and he is optimistic about its potential to democratize the financial system.
