Electrum Wallet Keys Could Be Snatched by Malicious Websites
Smart PlanetAnyone running Electrum is advised to shut down the application immediately and update to version 3.0.4, though Bitcointalk administrator Theymos advised against rushing to upgrade immediately, to “make sure everything is settled”.
The issue also affected Electrum derivative software such as the Electron Cash wallet for Bitcoin Cash and a version for Litecoin. however developer Jonald Fyookball posted on Github shortly after the patch release that Electron Cash had been updated as well.
New release: Electrum 3.0.4. Please upgrade, this is a security update. It fixes a vulnerability that was reported earlier today. See the release notes for details.
— Electrum (@ElectrumWallet) January 7, 2018
The project’s Github page described the issue as “a vulnerability caused by Cross-Origin Resource Sharing (CORS) in the JSONRPC interface. Previous versions of Electrum are vulnerable to port scanning and deanonimization attacks from malicious websites.”
In other words, simply having a non-password-protected Electrum wallet running and browsing the web left users at risk of losing their private keys and thus their entire BTC balances. Even wallets with passwords remain at risk, with protection at that stage being only as good as the password.
Was the Electrum Vulnerability Known for Months?
Github member “mithrandi” commented that the problem involved allowing cross-origin resource sharing (CORS) that exposed Electrum’s JSON-RPC interface, and may have been in the code for as long as Electrum has existed.
More serious, however, was the fact that Github user “jsmad” apparently first reported the issue back in November 2017, which was left untouched until a discussion flared up again yesterday.
“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection,” they wrote on November 25th.
Infosec news site BleepingComputer had also reported that week that hackers were busy deploying bots to scan the internet for filenames commonly used in bitcoin and ethereum wallets, such as wallet.dat and similar.
On Twitter, some were unimpressed by developers’ patching of the vulnerability only today:
“Vulnerability”
— CryptoStu (@CryptonumStu) January 7, 2018
Would that be the same one Travis reported earlier that has apparently been on your books since last year?
— (@ramriot) January 7, 2018
Github user “taviso”, who described himself as “not a bitcoiner”, responded to jsmad’s thread just yesterday demonstrating how a maliciously-coded website could sweep users’ computers for wallet files on Windows. The demo was able to find and display an Electrum wallet 12-word seed phrase in a matter of seconds, after that user loaded a website.
That post appears to have prompted the action to fix the vulnerability and issue the release today.
Bitsonline has reached out to Electrum’s development team, led by Thomas Voegtlin, on social media and will update this report if there is a response.