Major Security Flaw in Electrum Bitcoin Wallet - Update Now!

in #bitcoin · 6 years ago (edited)

Electrum wallet users should stop using the wallet immediately and upgrade it to the newest version in order to patch a major security flaw that could result in a complete loss of users’ coins. The flaw also affects altcoin wallets that are forks of Electrum – including ‘light’ wallets for Litecoin, Bitcoin Cash, Dash, and many others.


Major Electrum Security Flaw Exposes Private Keys to Attackers

Electrum posted details of the security problem, along with updates patching the holes. The flaw allows a website running malicious JavaScript code to exploit the wallet’s JSONRPC interface and gain control of the wallet, exposing most functions of the wallet to an attacker.

This includes some very disturbing possibilities for an attacker:

  • Theft of your entire wallet balance
  • Changing your wallet settings
  • Editing entries in your wallet’s address book
  • Changing the “amount” and “payto” fields in your wallet while it is running

Even wallets holding no funds are potentially at risk. If the private keys have been exposed to an attacker, any future balance could be stolen later on. An edited address book entry could even result in the legitimate user sending the funds to the attacker themselves without realizing it.

Password-Protected Electrum Wallets Still At Risk, But So Far Unaffected

Electrum users who added a password during setup appear to be protected from the attack. Setting a password is optional during wallet setup, although it is highly recommended. The password is different from the wallet seed passphrase.

Even if it never received any funds, a wallet without a password should not be used anymore, because its seed might have been compromised.

Setting a password encrypts the seed, which improves security. An attacker with control of the wallet would need the password at sending time in order to decrypt the stored seed. The only way for an attacker to overcome this would be by guessing passwords while the wallet is open. That is very unlikely, though not impossible.

Electrum wallets set up with multi-sig or 2FA implemented are also more secure, since attackers would need to compromise multiple wallets or devices simultaneously.


Security Patch in Electrum v3.0.5 Fixes the Problems

Update v3.0.5 fixes all of the problems in the bug report by completely disabling JSONRPC in the GUI wallet, and requiring appropriate password-only access in other versions.

  1. ALL Electrum users are advised to upgrade the wallet to v3.0.5 immediately.
  2. Electrum users without password protection are advised to move all their funds to a secure address in a newly-generated wallet.
  3. Check with the developers of any altcoin Electrum versions to see about any relevant upgrades.
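To illustrate the kind of access control the fix describes, here is an added example (not Electrum's own code) of a request filter a local JSON-RPC listener could apply before executing any call: it refuses requests whose Host header names a foreign machine, refuses anything carrying a browser Origin header, and requires HTTP Basic credentials compared in constant time. The header names are standard HTTP; the credentials, host list and function names are assumptions made for this example.

```python
import base64
import hmac

# Constructed credentials for this example only; a real listener would load
# them from the wallet's configuration rather than hard-coding them.
RPC_USER = "electrum-rpc"
RPC_PASSWORD = "example-only-change-me"
LOCAL_HOSTS = {"127.0.0.1", "localhost"}  # IPv6 literals are not handled here


def basic_auth_header(user, password):
    """Build the Authorization value a legitimate local RPC client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _valid_basic_auth(header_value):
    """True only for 'Basic <base64(user:pass)>' carrying the expected credentials."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    ok_user = hmac.compare_digest(user.encode(), RPC_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), RPC_PASSWORD.encode())
    return ok_user and ok_pass


def authorize_rpc_request(headers):
    """Decide whether a JSON-RPC request to the local listener may proceed.

    Returns (allowed, reason); each refusal is one a browser-driven request
    of the kind described above would run into.
    """
    h = {k.lower(): v for k, v in headers.items()}
    hostname = h.get("host", "").rsplit(":", 1)[0]
    if hostname not in LOCAL_HOSTS:
        return False, "Host header does not name the local machine"
    # Browsers attach an Origin header to cross-site POSTs; no web page has
    # any business reaching the wallet's RPC port, so any Origin is refused.
    if "origin" in h:
        return False, "browser-originated request refused"
    if not _valid_basic_auth(h.get("authorization")):
        return False, "missing or wrong RPC credentials"
    return True, "ok"
```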

Electrum is one of the most popular bitcoin wallets. It is unknown whether any users had actual losses due to the announced security flaw. Electrum is open source and offers several options that allow users to improve their wallet security. Even with this major vulnerability, those added options protected many users’ balances from theft.

Always set a password for your cryptocurrency wallets, and keep the password in a safe place.


Keep on Steemin'!

"By mutual confidence and mutual aid,
great deeds are done, and great discoveries made."

The Iliad, by Homer


Is this not old news?

No, the patch and this post all happened this week.

Sounds like you patched yours already - or do you make comments like this just to upvote yourself?

Thank you - I had 3.0.3 and about $6000 worth of BTC!

Glad I could help!

Thanks for enlightening me on this.

You're welcome, I'm glad to help get the word out.

It's a big deal, but it's an easy fix.

Very important news for the community! Thank you.

Thanks! Electrum is a great wallet overall. I'm glad they got this patched quickly. I'd hate for anyone to get burned now that this attack vector is public information.
