Developers of the Electrum bitcoin wallet have rushed out a security update today, to fix a vulnerability that would have allowed malicious websites to scan and discover GUI wallet users’ private keys. Only non-password protected wallets were exposed to risk of theft from the flaw, a less-serious version of which was first reported a few months ago.
Anyone running Electrum is advised to shut down the application immediately and update to version 3.0.4, though Bitcointalk administrator Theymos advised against rushing to upgrade immediately, to “make sure everything is settled”.
The issue also affected Electrum derivative software such as the Electron Cash wallet for Bitcoin Cash and a version for Litecoin. However, developer Jonald Fyookball posted on Github shortly after the patch release that Electron Cash had been updated as well.
New release: Electrum 3.0.4. Please upgrade, this is a security update. It fixes a vulnerability that was reported earlier today. See the release notes for details. https://t.co/Y2DXoUyOgk https://t.co/HlynSNK8dx
— Electrum (@ElectrumWallet) January 7, 2018
The project’s Github page described the issue as “a vulnerability caused by Cross-Origin Resource Sharing (CORS) in the JSONRPC interface. Previous versions of Electrum are vulnerable to port scanning and deanonymization attacks from malicious websites.”
In other words, simply having a non-password-protected Electrum wallet running and browsing the web left users at risk of losing their private keys and thus their entire BTC balances. Even wallets with passwords remain at risk, with protection at that stage being only as good as the password.
Was the Electrum Vulnerability Known for Months?
Github member “mithrandi” commented that the problem involved allowing cross-origin resource sharing (CORS) that exposed Electrum’s JSON-RPC interface, and may have been in the code for as long as Electrum has existed.
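To make the mechanism concrete, here is an added example (not Electrum’s own code, and not the patch the project shipped) of how a localhost JSON-RPC endpoint can refuse the two things the article describes: browser-originated requests, which arrive with an Origin header, and unauthenticated callers. The credentials and method name are constructed for the example.

```python
import base64
import hmac
import json
from typing import Dict, Tuple

# Constructed credentials for this example only; a real daemon would generate
# a random password at startup rather than ship a fixed one.
RPC_USER = "electrum-rpc"
RPC_PASSWORD = "example-random-secret"


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization value a legitimate client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_rpc_request(headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Gate a JSON-RPC request arriving on a localhost port.

    Returns (HTTP status, detail). A browser-originated request is refused
    first, every other caller must present the RPC password, and the JSON-RPC
    envelope is parsed only after both checks pass.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Cross-origin defence. Browsers attach an Origin header to cross-site
    #    XHR/fetch requests, so its presence identifies a web page as the
    #    caller, and a wallet daemon has no reason to serve web pages at all.
    if "origin" in h:
        return 403, "cross-origin requests are not accepted"
    # 2. Authentication, compared in constant time on bytes.
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        return 401, "authentication required"
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401, "malformed credentials"
    user, _, pw = decoded.partition(":")
    ok_user = hmac.compare_digest(user.encode(), RPC_USER.encode())
    ok_pw = hmac.compare_digest(pw.encode(), RPC_PASSWORD.encode())
    if not (ok_user and ok_pw):
        return 401, "bad credentials"
    # 3. Only now look at the request body.
    try:
        req = json.loads(body)
    except ValueError:
        return 400, "invalid JSON"
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" \
            or not isinstance(req.get("method"), str):
        return 400, "invalid JSON-RPC request"
    return 200, req["method"]
```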
More serious, however, was the fact that Github user “jsmad” apparently first reported the issue back in November 2017, which was left untouched until a discussion flared up again yesterday.
“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection,” they wrote on November 25th.
Infosec news site BleepingComputer had also reported that week that hackers were busy deploying bots to scan the internet for filenames commonly used in bitcoin and ethereum wallets, such as wallet.dat and similar.
Responding to Bitsonline’s query on Twitter, Electrum’s developers said the full extent of the problem wasn’t known before yesterday’s post. They wrote:
“Nobody realized that there was a vulnerability affecting GUI users until yesterday. jsmad’s initial report was about Electrum daemons running on merchant websites, accessed remotely via a fixed port.”
However, some remained unimpressed by how the developers had handled the issue:
Would that be the same one Travis reported earlier that has apparently been on your books since last year? https://t.co/zz1zGrQCY2
— 🤖 418: Coffin Ready? (@ramriot) January 7, 2018
Github user “taviso”, who described himself as “not a bitcoiner”, responded to jsmad’s thread just yesterday demonstrating how a maliciously-coded website could sweep users’ computers for wallet files on Windows. The demo was able to find and display an Electrum wallet 12-word seed phrase in a matter of seconds, after that user loaded a website.
That post led to a greater understanding of how many could be affected, and prompted the action to issue the update today.
Do you use the Electrum wallet or any of its derivatives? What do you think of this issue? Let us know in the comments.
Images via Electrum, Pixabay