Advisory: Vulnerability discovered in popular Electrum wallets
A vulnerability was found in the Electrum wallet software which potentially allows random websites to steal your wallet via JavaScript. The bug presumably also affects altcoin derivatives of Electrum such as Electron Cash. If you don't use Electrum or a derivative, then you are not affected and you can ignore this.
https://bitcointalk.org/index.php?topic=2702103.0
I actually really like the electrum wallets, they're one of the best in my opinion for bitcoin and litecoin. There is apparently an upgrade to fix the problem. We use them here locally for some auxiliary tasks. They're lightweight (don't require a lot of computing resources to use) so they're a great alternative to running a full node wallet, which uses quite a lot of hard disk space nowadays, but safer than using a web wallet (well, mostly safer, obviously there can be exceptions like this one).
I've temporarily shut down ours per the link above, and we'll upgrade tomorrow. The shutdown of these wallets doesn't affect our site in any way, we just use them for the occasional manual transaction to pay for something in crypto.
If you have a lot of money stored in wallets or even on exchanges, get a crypto-only PC that you keep updated, have little extra software on, and turn on rarely. It might cost a couple hundred but there’s a ton of hackers out there looking for easy money in the form of your crypto wallet.
EDIT: Trezor, Ledger, etc. are always best but for some people who keep coins on exchanges, or trade a lot it isn’t an option.
It might cost a couple hundred but there's a ton of hackers out there looking for easy maintenance in the form of your crypto wallet. If you have a lot of money stored in wallets or even around exchanges disturb to the fore a crypto by yourself PC that you save updated, have small count software upon, and slope upon rarely. @blocktrades
I really agree with your comment
I guess you are right. Thanks. And look at my blogs and give me comments.
Thanks for your post!
Please Follow, Upvote & Resteem my post to help us to travel & explore more
https://steemit.com/travel/@jonbee/travel-with-us-ep-01-kushtia-sugar-mills-kushtia-bangladesh-bd-steemian
Gbamest Counsel.
you are right.
I totally agree!
Thank you for the information
Maybe I am misunderstanding the change notes, but it seems to me that the fix that has been implemented in the newest release (v3.0.4 ~ 9 hours ago) has disabled default CORS approval, which means the vulnerability could still be exploited by code running on the local computer; obviously a password-protected wallet goes a long way to mitigate the chance of compromise.
While this is the case with most software, I am not sure why the RPC is being enabled by default when 95% of users would have no use for it and the ones that did would be proficient enough to enable this for use.
Thanks for the heads up. Interesting to see it was first reported in Nov 2017 and not until today where a POC confirmed it as such a high risk
@steempower as I told @blocktrades too, you are very active in the steemit community, always informing people on everything, and your posts on Bitshares are really impressive. They helped me understand many more things about it!
I also wanted to stop by you and send you a big shout of appreciation for your support in one of the previous chapters of the guide. It was a huge support, and it really helped together with @blocktrades , @lukestokes , @starkerz , @cryptographic , @stephenendal , to reach many more people as expected, I have not counted again but all the first 4 chapters have reached the hands of more than 2,500+ people reach and 280+ comments and questions, and this is already amazing for me, because my aim of helping many new users, new visitors and minnows to understand as much as possible about steemit and the steem blockchain is becoming true!
Speaking about the 11 Chapter full Steemit guide, I was wondering what you think about it, and what feedback you can give me to improve it even more. I mentioned @blocktrades in Part 6, you can see the comment I sent to @blocktrades a few messages down here.
I will mention a lot from you in the future chapter about Steem as part of a larger ecosystem, where I speak about Bitshares!
Here is what Chapter 5 I posted today is about, and a link to it:
Chapter 5 of 11: Learning some of the many "Other ways to Earn Rewards on the Steemit Platform & Steem Blockchain" - This is part 5 of the 11 Chapters (Full Guide) to help new people make their way on Steemit
https://steemit.com/steem/@gold84/chapter-5-of-11-learning-some-of-the-many-other-ways-to-earn-rewards-on-the-steemit-platform-and-steem-blockchain-this-is-part-5
Looking forward to hearing from you, in any comments section, of this or any chapter! As I told @blocktraes , your knowledge and experience together with @lukestokes @timcliff @starkerz @stephenkendal has been inspiring me to continue with the series, and even add more value and additions to it.
Regards, @gold84
Yes, from what I gathered the fix is to avoid you going to a web page that then transferred money from your electrum wallet when you unlocked it. A rogue program on your local machine can always steal money from your wallet when you unlock it. It's why I upvoted the guy who suggested you should keep a crypto computer where you don't install much software.
Just disabling RPC wouldn't really protect you from a rogue program. As soon as you unlock your wallet, a rogue program with enough privilege can send keystrokes to your wallet to do whatever it wants...
I have read your post now and I try to protect it from fake programs thanks to comments you make. Thanks for sharing sir.. @bloctrades
Apparently if a problem is identified it is half solved. Coin holders need to be careful. But I was complaining, why is there not a coin personal holder which is not dedicated to any coin. Like a personal wallet can hold any cash, right. Dollars, pounds...... so I need a detached device which can handle any blockchain coin, which is detachable like a flash disk. And whenever you want to have a transaction you will plug in and send or receive into your personal bank device.
Don't you think we need one of those, especially as I make a daily exchange to ten or so coins by observing the markets, so it becomes a tiresome job to open a wallet in every vendor wallet.
Anyway good luck to all steemers to be profitable in cash and in the readings of blogs. Believe me, I started my exchange market after reading steems. And I have made 250,000 dollars in three months.
Respect.
I think electrum wallets do not need a copy of the blockchain. The website needs to be revamped to make it clearer which wallet to use.
Apparently this is the one with the fix: https://electrum.org/#download
They don't keep a copy of the blockchain, they are what's known as a "light wallet".
oh! great
Very good information and very useful for many people to be more careful again forwards
HELP
Forgot to mention the Memo while sending Steem to Blocktrades.
Please send me the steem back to me so that I can generate another Memo and rectify my mistake.
Thank you.
Here's the transaction details:
https://steemd.com/b/18765879#b346ab82166a9a9f982760612a64524e54ebd7c5
Electrum and Electron Cash potentially compromised? I find this news... shocking :)
Electrum has just released a newer version with this vulnerability fixed. Everyone ... please, download the newer version 3.0.4 from their official website. And must check the signature:)
Download newer version 3.0.4 : https://electrum.org/#download
Release notes : https://github.com/spesmilo/electrum/blob/3.0.4/RELEASE-NOTES