Electrum Wallet Hack – Vulnerability

Critical Electrum Wallet Hack Vulnerability – URGENT

A vulnerability was found in the Electrum wallet software which potentially allows random websites to steal your wallet using JavaScript. The bug presumably also affects altcoin derivatives of Electrum such as Electron Cash. If you don’t use Electrum or a derivative, then you are not affected and you can ignore this.

From the OFFICIAL ELECTRUM WALLET TWITTER FEED:

New release: Electrum 3.0.4. Please upgrade, this is a security update. It fixes a vulnerability that was reported earlier today. See the release notes for details.

Developers of the Electrum bitcoin wallet have rushed out a security update today, to fix a vulnerability that would have allowed malicious websites to scan and discover users’ private keys. Only non-password-protected wallets were exposed to risk of theft from the flaw, which was first reported a few months ago.

1. If you are running Electrum, shut it down right NOW!
2. Upgrade to 3.0.4 (making sure to verify the PGP signature).
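
An added example (not from the original post or the Electrum project) of the signature check in step 2: it accepts a download only when gpg reports a valid signature from one pinned full fingerprint, rather than trusting a "Good signature" from whatever key happens to be in the keyring. The function names, file names and fingerprint are placeholders; get the real signing-key fingerprint from a source independent of the download.

```shell
#!/bin/sh
# Added example: pin a release download to one signer fingerprint.

# Read `gpg --status-fd` output on stdin and print, for each valid signature,
# the primary-key fingerprint (field 12 of VALIDSIG). Falls back to the
# signing-key fingerprint (field 3) when no primary key is reported.
validsig_fingerprints() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print toupper(($12 != "") ? $12 : $3)
         }'
}

# status_matches_fpr EXPECTED_FPR   (gpg status output on stdin)
# Returns 0 only if a valid signature was made by EXPECTED_FPR.
# Returns 2 if EXPECTED_FPR is not a full 40-hex-digit fingerprint,
# because short key IDs can collide and must not be used for pinning.
status_matches_fpr() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#expected}" -eq 40 ] || return 2
    validsig_fingerprints | grep -qxF "$expected"
}

# verify_release FILE SIGNATURE EXPECTED_FPR
# Succeeds only if SIGNATURE is a valid detached signature over FILE
# and was made by the pinned key.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_fpr "$3"
}

# Usage (placeholders, replace with the real file names and fingerprint):
#   verify_release <downloaded-file> <downloaded-file>.asc \
#       "<FULL 40-HEX FINGERPRINT OF THE RELEASE SIGNING KEY>" \
#     && echo "signature OK, safe to install" \
#     || echo "DO NOT INSTALL: signature missing, bad, or from another key"
```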

You don’t necessarily need to rush to upgrade. In fact, in cases like this it is wise to wait a couple of days just in case the upgrade proves to introduce new bugs or anomalies. The important thing is to NOT use the old versions. If you have an old version sitting somewhere not being used, then it is harmless as long as you do not forget to upgrade it before using it again later.

This vulnerability also affects any Electrum derivative software such as the Electron Cash wallet for Bitcoin Cash and a version for Litecoin. However, developer Jonald Fyookball posted on GitHub shortly after the patch release that Electron Cash had been updated as well.

GitHub user “taviso” responded to jsmad’s thread yesterday, demonstrating how a maliciously coded website could sweep users’ computers for wallet files on Windows. The demo was able to find and display an Electrum wallet 12-word seed phrase in a matter of seconds after that user loaded a website.

That post appears to have prompted the action to fix the vulnerability and issue the release today.

If at any point in the past you had your Electrum wallet open AND never set a wallet passphrase AND had your browser open, then it is possible that your wallet is compromised. Paranoid folks might want to send all of their Bitcoin (BTC) from their old Electrum wallet to a brand new Electrum wallet. Quite frankly, if someone already compromised your wallet, you probably don’t have any Bitcoins left in it anyway.

This was just fixed hours ago. The Electrum developer (ThomasV on the forum, ecdsa on GitHub) will presumably post more detailed info and instructions in the near future.

UPDATE:

If you never set your wallet password, then it is easy to steal your bitcoins through this vulnerability. ALWAYS password protect ANY cryptocurrency wallet no matter what!

If you had a relatively strong wallet password set, then it seems that an attacker could “only” get address/transaction information from your wallet and change your Electrum settings.

In conclusion, if you had a wallet password set, you can relax just a “tad”, but you still should NOT use the old wallet version, and you should upgrade to the new one. This is a serious matter.

Until Next Time…

Faith Sloan “QueenWiki” 

Queen Wiki

Faith Sloan better known as "Queen Wiki" or "Crypto Queen" is a cryptocurrency enthusiast and trader. She has been a software engineer for 40 years and builds Decentralized Apps (DApps) on the Ethereum blockchain and plays with Tech toys. When she is not teaching, researching and writing about Cryptocurrencies, she's traveling the world and feeding her eating hobby.