SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
10 Jan 2018

Electrum bitcoin wallets were vulnerable to hackers for two years

For almost two years, hackers could have easily stolen your prized stash of bitcoins if you were keeping them in the popular software wallet Electrum, thanks to a critical security vulnerability that went unpatched until now.

The vulnerability allowed any website (and anyone controlling the site a victim browsed, like a hacker) to steal bitcoins stored using Electrum, as long as the software was running and there was no encryption password set up, according to security researchers.

The bug was initially reported by GitHub user “jsmad” on November 24, 2017. Electrum, however, didn’t fully patch the bug until Sunday, January 7, and only after Google security researcher Tavis Ormandy alerted them to how serious the bug really was. “The bitcoin wallet Electrum allows any website to steal your Bitcoins,” Ormandy tweeted on Saturday. “I was gonna report it… but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours.”

Mustafa Al-Bassam, a postgraduate researcher at University College London, told me over Twitter that the hackers could have exploited the bug since February 2016, almost two years ago, when developers released Electrum 2.6.

“[The bug] allows any malicious website to control your Electrum wallet, including stealing all your Bitcoin if the wallet isn't encrypted with a password,” Al-Bassam told me via Twitter direct message. Even if the wallet does have a password, he explained, a hacker could still redirect bitcoins from the wallet to their address.

An initial patch for the bug was released on Saturday, but confusion ensued as the patch didn’t actually fix the whole issue, according to Electrum itself. The company said on Twitter that its initial patch (3.0.4) “did not completely address the vulnerability.” The final patch only came later, on Sunday.

Electrum’s founder, Thomas Voegtlin, explained over email that the company didn’t realize how critical the bug was back in November, because even the researcher who made the initial report didn’t know. “That is why we did not consider the initial bug report as critically urgent,” Voegtlin told me in an email.

In January, once Google researcher Ormandy explained the bug’s serious effects to Electrum, the developers rushed to patch it, releasing a partial fix as soon as possible and then a complete fix a day later. According to Voegtlin, this staggered rollout was the plan all along.

“When a zero day exploit is made public, it is important to address the vulnerability as soon as possible, because attackers are going to use the exploit,” Voegtlin wrote me in an email. “This is why we released 3.0.4 immediately, before password protection was ready.”

For some, however, Electrum’s slow turnaround in patching the vulnerability is bound to bring up bad memories. Last year, millions of dollars’ worth of Ethereum’s cryptocurrency was locked up forever, allegedly by accident, thanks to a bug that was known to the wallet developers but left unaddressed for months.

The Electrum bug is now fully patched, but there’s a chance hackers could still take advantage of it, if users haven’t updated their software. Electrum doesn’t automatically update, so many victims might be vulnerable unless they proactively check and apply the patch, according to Al-Bassam.

“I think this bug will be exploited for a while, since Electrum doesn't have a built-in upgrade mechanism on Windows and Linux,” he added. Twitter user “h43z” showed how the bug can be easily exploited in a short proof-of-concept video showing a bare-bones site they developed to attack their own wallet.

The vulnerability was in Electrum’s JSON-RPC interface, which wasn’t properly secured. JSON-RPC is a simple protocol that lets a client send commands to a server and receive the results as JSON; it is also used by several other digital wallets and software, such as wallets for Ethereum, a competing cryptocurrency.
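The weakness described above comes down to a wallet’s local JSON-RPC interface accepting any caller, including a script on a web page the user happens to visit. The following is an added illustration, not Electrum’s own code: a minimal request gate with the unauthenticated behaviour beside the hardened form, which requires a per-session password (sent as HTTP Basic auth) and refuses browser-originated requests. The user name, secret and sample request are constructed for the example.

```python
import base64
import hmac
import json
import secrets

# Constructed per-session secret: a real wallet would generate it at startup
# and hand it only to local clients, never to a web page.
RPC_USER = "electrum"
RPC_PASSWORD = secrets.token_urlsafe(24)

def local_client_header() -> str:
    """The Authorization header a trusted local client would send."""
    return "Basic " + base64.b64encode(f"{RPC_USER}:{RPC_PASSWORD}".encode()).decode()

def _basic_auth_ok(value: str) -> bool:
    """Validate 'Basic <base64(user:pass)>' with a constant-time comparison."""
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(decoded, f"{RPC_USER}:{RPC_PASSWORD}".encode())

def handle_rpc(headers: dict, body: str, require_auth: bool = True) -> dict:
    """Gate one JSON-RPC call. require_auth=False mirrors the behaviour the
    article describes: every caller, including a script on a web page, is
    trusted. With require_auth=True the call must carry valid Basic
    credentials and must not come from a browser context."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if require_auth:
        # Browsers attach Origin (and usually Referer) to cross-site requests;
        # a local command-line client never does, so refuse before dispatch.
        if "origin" in h or "referer" in h:
            return {"status": 403, "error": "browser-originated request refused"}
        if not _basic_auth_ok(h.get("authorization", "")):
            return {"status": 401, "error": "missing or invalid RPC credentials"}
    try:
        method = json.loads(body)["method"]
    except (ValueError, KeyError, TypeError):
        return {"status": 400, "error": "malformed JSON-RPC request"}
    # Placeholder dispatch; a real wallet would route to its command table.
    return {"status": 200, "result": f"accepted call to {method}"}
```

Binding the listener to 127.0.0.1 is still necessary, but on its own it does not help against this bug, because the browser runs on the same host.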

It’s unclear if Electrum’s JSON-RPC vulnerability, specifically, was ever actually exploited by hackers. But in recent months, security researcher Dimitrios Slamaris and others noticed that criminal hackers have tried to find vulnerable Ethereum wallets by scanning the internet for exposed JSON-RPC interfaces. This interface should in theory only be reachable locally, but if it is exposed to the wider internet it can be used to steal cryptocurrency.

Given how much hackers love to steal Bitcoins and any other cryptocurrencies, if you use Electrum, you should probably patch your wallet app immediately.



Tags:
Electrum bitcoin information leaks
Source:
Motherboard