Complete Patch Released to Address Critical Vulnerability Found in Electrum Bitcoin Wallets.
Electrum, a well-known bitcoin client, has released a patch for a bug in the JSON-RPC interface of versions 2.6 through 3.0.3. The flaw was reported by a commenter using the alias “jsmad” in a GitHub post on 24 November 2017. Jsmad warned that the interface was completely unprotected and that some sort of password protection was necessary, since the interface is used for remote execution of commands.
Jsmad wrote in his post on GitHub that “while the electrum daemon is running, someone on a different virtual host of the web server could easily access your wallet via the local RPC port. Currently, there is no security/authentication, giving someone access to the RPC port full access to the wallet.”
The critical vulnerability allows malicious websites to access and steal from bitcoin wallets that are not protected by a password. The flaw also leaves the wallet exposed to port scanning and deanonymization attacks. Furthermore, even if the wallet is protected with a password, attackers can still steal address- and transaction-related information and modify Electrum account settings. This would eventually lead to extended exploitation of the wallet.
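As an added illustration (not Electrum's code and not part of the original article), the sketch below shows the kind of gate a local JSON-RPC listener needs before it dispatches any command: HTTP Basic credentials compared in constant time, plus rejection of requests that carry a browser Origin header. The function names, the "user" account name and the Origin check are assumptions made for this example.

```python
import base64
import hmac
import secrets


def new_rpc_credentials():
    """Create a random credential pair for the local RPC listener."""
    return "user", secrets.token_urlsafe(32)  # "user" is an assumed account name


def basic_header(user, password):
    """Build the Authorization header a legitimate local client would send."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def check_rpc_request(headers, rpc_user, rpc_password):
    """Return the HTTP status to answer with before any RPC command is dispatched."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers add Origin to cross-origin fetch/XHR calls; a local CLI client does not.
    if "origin" in h:
        return 403
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return 401
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401
    # Constant-time comparison of both fields, evaluated unconditionally.
    user_ok = hmac.compare_digest(user.encode(), rpc_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), rpc_password.encode())
    return 200 if (user_ok and pass_ok) else 401


if __name__ == "__main__":
    user, password = new_rpc_credentials()
    good = {"Authorization": basic_header(user, password)}
    # Constructed sample requests: header sets only, no network traffic involved.
    print(check_rpc_request({}, user, password))
    print(check_rpc_request(good, user, password))
    print(check_rpc_request({**good, "Origin": "https://site.example"}, user, password))
```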
Google Project Zero researcher Tavis Ormandy responded to jsmad's post and notified Electrum of the issue, expressing concern that both password-protected and non-password-protected wallets would be emptied of bitcoin if attackers can compromise them through a simple brute-forcing method. In his tweet posted on January 7, Ormandy warned Electrum users about the flaw:
“Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password or if it’s easy to guess it can be brute-forced #bitcoin”
— 𝅙 (@h43z) January 7, 2018
With the patch, Electrum has fully addressed the issue. Version 3.0.4, released on 7 January, fixed it only partially, while version 3.0.5, released on January 8, fixes the problem completely.
According to a post on Bitcointalk.org, a popular Bitcoin forum, Electrum users need to stop using the software until they upgrade to the latest version, because running Electrum while browsing the web leaves their wallets vulnerable to hacking. The vulnerability is suspected to have been present for the past two years (since Electrum version 2.6 was released) and leaves cryptocurrency stored via Electrum vulnerable to theft.
“The bitcoin wallet Electrum allows any website to steal your Bitcoins. I was gonna report it… but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours,” tweeted Ormandy.
It is worth noting that Electrum didn’t realize the gravity of the situation until Ormandy raised concerns. According to Thomas Voegtlin, Electrum's founder, the company identified the flaw as critical back in November, when it was originally identified. When Ormandy explained how serious the bug was, the developers rushed to release the patch. A partial fix was issued, followed by a complete patch. In an email, Voegtlin noted that:
“When a zero-day exploit is made public, it is important to address the vulnerability as soon as possible because attackers are going to use the exploit. This is why we released 3.0.4 immediately before password protection was ready.”
Although the bug in Electrum is now fully patched, attackers are likely to keep benefiting from the flaw until all users have upgraded to the latest version of Electrum.