Electrum


Topic author
Sakurako

#4999

11 Jan 2018, 00:27

Electrum users must upgrade to 3.0.5 if they haven't already.

JSONRPC vulnerability in Electrum 2.6 to 3.0.4
On January 6th, a vulnerability was disclosed in the Electrum wallet software that allows malicious websites to execute wallet commands through JSONRPC executed in a web browser. The bug affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.

Can funds be stolen?
Wallets that are not password protected are at risk of theft, if they are opened with a version of Electrum older than 3.0.5 while a web browser is active.

In addition, the vulnerability allows an attacker to modify user settings, the list of contacts in a wallet, and the "payto" and "amount" fields of the user interface while Electrum is running.

Although there is no known occurrence of Bitcoin theft occurring because of this vulnerability, the risk increases substantially now that the vulnerability has been made public.

What should users do?
All users should upgrade their Electrum software, and stop using old versions.

Users who did not protect their wallet with a password should create a new wallet, and move their funds to that wallet. Even if it never received any funds, a wallet without a password should not be used anymore, because its seed might have been compromised.

In addition, users should review their settings, and delete all contacts from their contacts list, because the Bitcoin addresses of their contacts might have been modified.

https://electrum.org/#download



aliakbar

#25367

03 Mar 2018, 12:55

if they are opened with a version of Electrum older than 3.0.5 while a web browser is active.

In addition, the vulnerability allows an attacker to modify user settings, the list of contacts in a wallet, and the "payto" and "amount" fields of the user interface while Electrum is running.

Although there is no known occurrence of Bitcoin theft occurring because of this vulnerability, the risk increases substantially now that the vulnerability has been made public.
