Electrum litecoin wallet

4/3/2023

The bitcoin wallet Electrum allows any website to steal your bitcoins.

Electrum has long been one of the most popular Bitcoin software wallets. It’s a “light” wallet, that doesn’t require you to download a 150 gigabyte blockchain before you can do anything. It turns out to have been completely insecure since 2015 - any web page you go to could have stolen your coins. If you use Electrum, get the latest version, 3.0.4, straight away. The update has also made it to Electron Cash and Electrum Litecoin.

Electrum didn’t just have a security hole - it was literally running an open server, for anyone to come in and take your money. The problem is that the JSON RPC interface is completely open to anything else on your computer, e.g. a script running in your web browser - the software explicitly set a wide-open CORS policy.

Tavis Ormandy is famous in computer security for his work at Google’s Project Zero initiative, finding unexpected and often quite creative security holes in common software and operating systems. Ormandy had looked into it because “localhost RPC servers drive me crazy” - that is, applications that have a server running on your computer that accepts commands from software running locally.

> I was gonna report it…but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours.

> If this bug wasn’t already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something. I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability? The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds. If you did set a password, some misdirection is required, but it’s still game over, no?

The code implementing this dates back to the original implementation of the JSON RPC interface in August 2015. This hole has been open since then.

Although the problem had first been raised in November last year, Ormandy’s proof-of-concept was clear enough to get the project scrambling. A fix was committed and a new version released within hours. The Electrum JSON RPC interface still doesn’t have password protection, though this is currently being implemented.

Bitcoin users responded to news of the security hole as you might expect, including accusing Ormandy of not understanding computer security:

[image: The replies you get when you say the word “bitcoin”]

Electrum users have been reporting unexplained hacks for the last couple of years. The usual response from the community is victim-blaming. It’s likely this problem was already known to the bad guys. Bleeping Computer reported last November about massive scans for Ethereum wallets.

But at least a random web page can’t clean out your wallet now.
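To make the failure mode concrete, here is an added example (not Electrum's code and not from the post) of a toy JSON-RPC-over-HTTP endpoint in Python with two policies side by side: the weak one the post describes (listening on a random localhost port, `Access-Control-Allow-Origin: *`, no password), and a hardened one that sends no CORS header, refuses any request carrying a browser `Origin` header, and requires HTTP Basic credentials checked in constant time. The policy names, the `ping` method, the `user` login and the placeholder password are all assumptions of this example; nothing here is the real wallet's API.

```python
"""Toy JSON-RPC endpoint contrasting a wide-open localhost RPC policy with a
hardened one.  Constructed example: policy names, the "ping" method, the
login name and the placeholder password are not from any real wallet."""
import base64
import hmac
import json
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib import error, request


@dataclass(frozen=True)
class RpcPolicy:
    allow_any_origin: bool      # True -> emit "Access-Control-Allow-Origin: *"
    password: Optional[str]     # None -> no credential required


# Weak: any web page may call the RPC, and no credential is needed.
WEAK_POLICY = RpcPolicy(allow_any_origin=True, password=None)
# Hardened: no CORS, browser-originated requests rejected, password required.
HARDENED_POLICY = RpcPolicy(allow_any_origin=False, password="placeholder-secret")


def authorize(policy: RpcPolicy, headers: dict) -> int:
    """HTTP status the policy assigns to a request with these headers:
    200 serve it, 403 cross-origin refused, 401 missing or wrong credential."""
    hdr = {k.lower(): v for k, v in headers.items()}
    # Browsers add an Origin header to cross-origin requests and to every
    # POST; a local command-line client does not.  Its presence therefore
    # means "a web page is talking to us", which the hardened policy refuses.
    if "origin" in hdr and not policy.allow_any_origin:
        return 403
    if policy.password is not None:
        auth = hdr.get("authorization", "")
        if not auth.startswith("Basic "):
            return 401
        try:
            supplied = base64.b64decode(auth[6:]).decode().split(":", 1)[-1]
        except (ValueError, UnicodeDecodeError):
            return 401
        # Constant-time comparison so the check leaks nothing about the secret.
        if not hmac.compare_digest(supplied.encode(), policy.password.encode()):
            return 401
    return 200


def make_handler(policy: RpcPolicy):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *_):      # keep the example quiet
            pass

        def _cors(self):
            if policy.allow_any_origin:
                self.send_header("Access-Control-Allow-Origin", "*")

        def do_OPTIONS(self):           # CORS preflight
            self.send_response(204 if policy.allow_any_origin else 403)
            self._cors()
            self.end_headers()

        def do_POST(self):
            status = authorize(policy, {k: v for k, v in self.headers.items()})
            if status != 200:
                self.send_response(status)
                if status == 401:
                    self.send_header("WWW-Authenticate", 'Basic realm="rpc"')
                self.end_headers()
                return
            length = int(self.headers.get("Content-Length", 0))
            req = json.loads(self.rfile.read(length) or b"{}")
            # Placeholder dispatch: a real wallet would run its commands here.
            body = json.dumps({"jsonrpc": "2.0", "id": req.get("id"),
                               "result": {"echo": req.get("method")}}).encode()
            self.send_response(200)
            self._cors()
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler


def start_server(policy: RpcPolicy) -> HTTPServer:
    """Bind to a random localhost port (port 0), like the wallet described."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(policy))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call(port: int, origin: Optional[str] = None,
         password: Optional[str] = None) -> int:
    """Send one JSON-RPC "ping" as a client would; return the HTTP status."""
    payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "ping"}).encode()
    req = request.Request(f"http://127.0.0.1:{port}/", data=payload, method="POST",
                          headers={"Content-Type": "application/json"})
    if origin:                  # mimic a browser-issued cross-origin request
        req.add_header("Origin", origin)
    if password is not None:
        token = base64.b64encode(f"user:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    weak, hard = start_server(WEAK_POLICY), start_server(HARDENED_POLICY)
    print("weak policy, request from a web page:", call(weak.server_port, origin="https://page.example"))
    print("hardened, same request:", call(hard.server_port, origin="https://page.example"))
    print("hardened, local client with password:", call(hard.server_port, password=HARDENED_POLICY.password))
```

Running it shows the weak policy answering a page-originated, unauthenticated call with 200 (and a `*` CORS header that lets the page read the reply), while the hardened policy answers 403 to anything carrying an `Origin` header, 401 to a local client without the credential, and 200 only to a local client that presents it. The two checks are deliberately independent: refusing `Origin` stops browser scripts even if the password is weak, and the password stops other local processes that never send `Origin`.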