A vulnerability has been found in the Electrum Bitcoin wallet's code that allows a user's secret keys, and with them their bitcoins, to be stolen.
The problem was first noticed by a GitHub user with the nickname “jsmad” in November of last year. However, the wallet's developers only began to pay serious attention to the vulnerability after a second report, from Tavis Ormandy of Google's Project Zero. Having discovered the bug on January 6, Tavis saw that the vulnerability had already been reported earlier. He contacted the developers and stressed the danger of the problem.
An emergency patch for the wallet was released on January 7 and the next day the developers released a new version of the wallet (3.0.5).
The risk was most serious when the wallet was used without a passphrase while a browser was open on the same computer.
Sites containing malicious JavaScript code could intercept a user's data and steal their coins if the user visited them while Electrum was running. If the wallet was not password protected, simply visiting the site was enough for the data to be stolen. If there was a password, the data could only be intercepted if transactions occurred.
The site could access the wallet through the default JSON RPC interface and send the export command to the PGP signature.
The bug also allowed someone to steal cryptocurrency from other wallets based on Electrum, for example, Electron Cash.
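The exposure described above comes from a local JSON-RPC port that serves any request reaching it, including one sent by a web page in the user's browser. The following sketch is an added example, not Electrum's code and not its 3.0.5 patch: it shows request checks a loopback-only JSON-RPC service can run before dispatching any wallet command. The function names, the `ping` method, the port and the credentials are all hypothetical.

```python
import base64
import hmac
import json

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

def check_request(headers, rpc_user, rpc_password):
    """Decide whether a request to a loopback-only JSON-RPC port may be served."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin to cross-site POSTs; a local command-line client does not.
    if "origin" in h:
        return False, "browser-originated request"
    # DNS rebinding guard: the name the client connected to must be loopback.
    if h.get("host", "").rsplit(":", 1)[0] not in LOOPBACK_HOSTS:
        return False, "unexpected Host header"
    # application/json is not a CORS "simple" content type, so a page cannot
    # send it cross-site without a preflight, which this service never approves.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content type"
    # Credentials are required even from localhost; compare in constant time.
    token = base64.b64encode(f"{rpc_user}:{rpc_password}".encode()).decode()
    supplied = h.get("authorization", "")
    if not hmac.compare_digest(supplied.encode(), f"Basic {token}".encode()):
        return False, "missing or wrong credentials"
    return True, "ok"

def handle(headers, body, rpc_user, rpc_password, methods):
    """Run the checks first; only then parse and dispatch the JSON-RPC call."""
    ok, reason = check_request(headers, rpc_user, rpc_password)
    if not ok:
        return 403, {"error": reason}
    try:
        req = json.loads(body)
        func = methods[req["method"]]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "bad request"}
    return 200, {"id": req.get("id"), "result": func(*req.get("params", []))}

# Constructed sample data (hypothetical credentials, port and method).
USER, PASSWORD = "rpcuser", "constructed-secret"
METHODS = {"ping": lambda: "pong"}
BODY = json.dumps({"id": 1, "method": "ping", "params": []})
AUTH = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
LOCAL = {"Host": "127.0.0.1:7777", "Content-Type": "application/json", "Authorization": AUTH}
FROM_PAGE = {**LOCAL, "Origin": "https://site.example"}

if __name__ == "__main__":
    print(handle(LOCAL, BODY, USER, PASSWORD, METHODS))      # served
    print(handle(FROM_PAGE, BODY, USER, PASSWORD, METHODS))  # refused
```

The checks are layered deliberately: a request is refused on the first failing check, and no JSON is parsed until all of them pass.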
Electrum belongs to the so-called "light" wallets, which avoid the lengthy synchronization of the whole blockchain. To work, it only needs to download the most recent part of the transaction history, about 200MB, rather than the whole blockchain, which is more than 150GB. Electrum's ease of use has made it very popular, so the vulnerability is of serious importance to a large number of Bitcoin holders.
Wallets do not update automatically. To ensure the safety of their funds, Electrum users must manually update the wallet to version 3.0.5 and confirm the PGP signature.