An Electrum Wallet vulnerability has been found

Electrum Wallet Vulnerability Allows Malicious Websites to Steal User Private Keys

Popular bitcoin wallet Electrum reportedly has a major vulnerability that allows malicious websites to scan for and discover users’ private keys. A security update has already been rushed out. Reports suggest only non-password-protected wallets were exposed and could potentially lose their bitcoin.

According to a recent announcement published by Bitcointalk administrator Theymos, anyone running Electrum is advised to immediately shut down the application, and update it to version 3.0.5. Users are advised not to rush to upgrade, as it can be prudent to wait while developers “make sure that everything is settled.”

As Theymos advised, it’s important not to use old versions of the Electrum wallet. Per his announcement, anyone who has used Electrum with no password set while having a webpage open might have been compromised. Those who had a password protecting their wallet were somewhat secure, although weak passwords could be brute-forced.

The vulnerability allows malicious websites to steal user private keys via JavaScript. It could also have affected Electrum altcoin derivatives, such as Electrum Cash, the wallet’s version for Bitcoin Cash (BCH).

The announcement reads:

“Particularly paranoid people might want to send all of the BTC in their old Electrum wallet to a newly-generated Electrum wallet. (Though probably if someone has your wallet, then they already would’ve stolen all of the BTC in it…)”

Reports suggest the vulnerability was found by Tavis Ormandy, a vulnerability researcher at Google.

Note that since this tweet was published, version 3.0.5 was released.

Has Electrum been vulnerable for months?

According to GitHub user “mithrandi,” the vulnerability may have been there since Electrum’s original implementation. On November 24, 2017, another GitHub user, “jsmad,” noted that the JSON-RPC interface was completely unprotected. The user pointed to an article revealing that hackers were deploying bots to scan the internet for filenames commonly used by cryptocurrency wallets, such as “wallet.dat.”

Notably, the issue was left untouched until now. The vulnerability affected wallets from versions 2.6 to 3.0.3. In the announcement, Theymos noted that 3.0.4 may still be vulnerable. On GitHub, Googler Tavis Ormandy demonstrated how a malicious website could indeed reveal a wallet’s 12-word seed phrase. Regarding the issue, he stated:

“I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability? If this bug wasn’t already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.”

As reported by Core Media, security expert Lee Chen advised that cryptocurrency-related hacks would increase this year. So far, no reports indicate that anyone has been compromised by the vulnerability.