Sunday, December 4, 2022

Electrum Wallet Keys Could Be Snatched by Malicious Websites

Developers of the Electrum bitcoin wallet rushed out a security update today to fix a vulnerability that would have allowed malicious websites to scan for and discover GUI wallet users’ private keys. Only non-password-protected wallets were exposed to risk of theft from the flaw, a less-serious version of which was first reported a few months ago.

Anyone running Electrum is advised to shut down the application immediately and update to version 3.0.4, though Bitcointalk administrator Theymos advised against rushing to upgrade immediately, to “make sure everything is settled”.

The issue also affected Electrum derivative software such as the Electron Cash wallet for Bitcoin Cash and a version for Litecoin. However, developer Jonald Fyookball posted on Github shortly after the patch release that Electron Cash had been updated as well.

The project’s Github page described the issue as “a vulnerability caused by Cross-Origin Resource Sharing (CORS) in the JSONRPC interface. Previous versions of Electrum are vulnerable to port scanning and deanonymization attacks from malicious websites.”

In other words, simply having a non-password-protected Electrum wallet running and browsing the web left users at risk of losing their private keys and thus their entire BTC balances. Even wallets with passwords remain at risk, with protection at that stage being only as good as the password.
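To make the two controls discussed here concrete (the CORS grant and the password protection requested in the original report), the following is an added Python example, not Electrum's code. It contrasts a wildcard CORS header with a request gate for a localhost JSON-RPC service; the function names, the user name and the generated password are assumptions made for illustration.

```python
import base64
import hmac
import secrets

# Constructed credentials for the example; a real service would load these from config.
RPC_USER = "user"
RPC_PASSWORD = secrets.token_urlsafe(16)


def basic_auth(user, password):
    """Build the Authorization header value a legitimate local client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def cors_headers_weak(request_headers):
    """Weak setting: every web origin is allowed to read the RPC response."""
    return {"Access-Control-Allow-Origin": "*"}


def check_request(method, request_headers, user=RPC_USER, password=RPC_PASSWORD):
    """Hardened gate: returns (status, response_headers); never grants CORS."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    challenge = {"WWW-Authenticate": 'Basic realm="jsonrpc"'}
    # Script-driven cross-origin requests from a browser carry an Origin header;
    # a local command-line client has no reason to send one.
    if "origin" in headers:
        return 403, {}
    # Refuse CORS preflights instead of answering them.
    if method.upper() == "OPTIONS":
        return 405, {}
    # Authentication is the main control: it also covers requests without Origin.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64
        return 401, challenge
    if not hmac.compare_digest(supplied, f"{user}:{password}".encode()):
        return 401, challenge
    return 200, {}
```

The Origin check alone is not sufficient, since not every browser request carries that header, which is why the credential check runs on every request that gets past it.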

Was the Electrum Vulnerability Known for Months?

Github member “mithrandi” commented that the problem involved allowing cross-origin resource sharing (CORS) that exposed Electrum’s JSON-RPC interface, and may have been in the code for as long as Electrum has existed.

More serious, however, was the fact that Github user “jsmad” apparently first reported the issue back in November 2017, which was left untouched until a discussion flared up again yesterday.

“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection,” they wrote on November 25th.

Infosec news site BleepingComputer had also reported that week that hackers were busy deploying bots to scan the internet for filenames commonly used in bitcoin and ethereum wallets, such as wallet.dat and similar.

Responding to Bitsonline’s query on Twitter, Electrum’s developers said the full extent of the problem wasn’t known before yesterday’s post. They wrote:

“Nobody realized that there was a vulnerability affecting GUI users until yesterday. jsmad’s initial report was about Electrum daemons running on merchant websites, accessed remotely via a fixed port.”

However, some remained unimpressed by developers’ addressing of the issue:

Github user “taviso”, who described himself as “not a bitcoiner”, responded to jsmad’s thread just yesterday, demonstrating how a maliciously coded website could sweep users’ computers for wallet files on Windows. The demo was able to find and display an Electrum wallet 12-word seed phrase in a matter of seconds after the user loaded a website.

That post led to a greater understanding of how many could be affected, and prompted the action to issue the update today.
