What's this vulnerability ?
Just one day ago a Github user taviso reported a serious vulnerability in Electrum Bitcoin Wallet. This is a very serious security bug which allows an attacker to steal your Electrum wallet seed via a simple browser and java script. The attacker can only steal your seed if you left your wallet unprotected without encrypting it.
How does it work ?
On the Electrum's github issue page he shows how it is possible to steal Electrum wallet seed --
- He Installed Electrum 3.0.3 on Windows.
- Created a new wallet with all default settings. He left the wallet not encrypted with password- the default setting.
- Visited in Chrome. Now, it's time to guess the right port number. He used JSON RPC server by default. It does use a random port but a website (run by an attacker) can simply scan for the right port in seconds.
- After a few seconds he succeeded to guesses the right port, and then an alert() appeared with: seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
Am I at risk ?
Yes, you're at risk if you're currently using 3.0.3 or, any older version of Electrum Wallet. And the most important thing is that if you're using your Electrum wallet without encrypted it with password.
How to fix this issue ?
Electrum developer team is very aware of this serious vulnerability and has just provided a solution.
Electrum has just released a newer version with this vulnerability fixed. Everyone ... please, download the newer version 3.0.4 from their official website. And must check the PGP signature:
Electrum has just released a newer version with this vulnerability fixed. Everyone ... please, download the newer version 3.0.4 from their official website. And must check the PGP signature:
Download newer version 3.0.4 : https://electrum.org/#download
Release notes : https://github.com/spesmilo/electrum/blob/3.0.4/RELEASE-NOTES
Release notes of Electrum Wallet Version 3.0.4
Release 3.0.4 : (Security update)
- Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS)
in the JSONRPC interface. Previous versions of Electrum are
vulnerable to port scanning and deanonimization attacks from
malicious websites. Wallets that are not password-protected are
vulnerable to theft. - Bundle QR scanner with Android app
- Minor bug fixes
Tags : Bitcoin, Cryptocurrency, Blockchain, Security, News, Hacks,
This Post Was Published On My Steemit Blog. Please, navigate to steemit and cast a free upvote to help me if you like my post. First Time heard about Steemit ? Click Here To Know Everything About Steemit
$3 Donation [Fixed]
$Any Amount
Comments
Post a Comment