Critical Vulnerability in Electrum Bitcoin Wallets Finally Addressed

Haythem Elmir

Complete Patch Released to Address Critical Vulnerability Found in Electrum Bitcoin Wallets.

Electrum, a well-known bitcoin client, has released a patch for the bug identified in the JSON-RPC protocol interface of versions 2.6 to 3.0.3. The flaw was identified by a commenter using the alias “jsmad” in a GitHub post on 24 November 2017. Jsmad warned that the interface was completely unprotected and that some sort of password protection is necessary, since the interface is used for remote execution of commands.

Jsmad wrote in his post on GitHub that “while the electrum daemon is running, someone on a different virtual host of the web server could easily access your wallet via the local RPC port. Currently, there is no security/authentication, giving someone access to the RPC port full access to the wallet.”

The critical vulnerability allows malicious websites to access and steal from bitcoin wallets that are not protected by a password, because the flaw leaves the crypto wallet at risk of port scanning and deanonymization attacks. Furthermore, even if the wallet is protected with a password, attackers can still steal address- and transaction-related information as well as modify Electrum account settings. This would eventually lead to extended exploitation of the wallet.

Google’s Project Zero researcher Tavis Ormandy responded to the post from jsmad and notified Electrum about the issue, expressing concern that both password-protected and non-password-protected wallets would be emptied of bitcoin if attackers could compromise them through a simple brute-force method. In a tweet posted on January 7, Ormandy warned Electrum users about the flaw:

“Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password or if it’s easy to guess it can be brute-forced #bitcoin”.
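
As an added illustration (not Electrum's code and not part of the original article), the check below sketches the kind of password protection jsmad asked for on a local JSON-RPC port: a random credential, a constant-time comparison, and refusal of requests that carry a browser `Origin` header. The function names, the header-dict layout and the `user` name are assumptions made for the example.

```python
import base64
import hmac
import secrets


def new_rpc_credentials():
    """Create a random credential for the local RPC port (hypothetical helper)."""
    # 32 random bytes: not guessable, unlike a short human-chosen password.
    return "user", secrets.token_urlsafe(32)


def authorize(headers, user, password):
    """Decide whether a local JSON-RPC HTTP request may proceed.

    headers: dict mapping lower-cased HTTP header names to values.
    Returns (http_status, reason).
    """
    # Defense in depth: browsers attach Origin to cross-site POST/fetch
    # requests, while a local command-line client has no reason to send it.
    if "origin" in headers:
        return 403, "browser-originated request refused"

    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, "credentials required"
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 401, "malformed credentials"

    expected = f"{user}:{password}".encode()
    # Constant-time comparison: response timing does not reveal a partial match.
    if not hmac.compare_digest(supplied, expected):
        return 401, "bad credentials"
    return 200, "ok"


if __name__ == "__main__":
    user, password = new_rpc_credentials()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    # Constructed sample requests, not captured traffic.
    print(authorize({}, user, password))
    print(authorize({"authorization": "Basic " + token}, user, password))
    print(authorize({"authorization": "Basic " + token,
                     "origin": "http://site.example"}, user, password))
```
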
