The popular Bitcoin client Electrum has developed a patch for a critical vulnerability that allows malicious websites to steal from digital wallets that are not password-protected.
Patch release notes from Electrum described the bug, which is present in versions 2.6-3.0.3, as a cross-origin resource sharing flaw in the JSON-RPC protocol interface that leaves the crypto-wallet prone to port scanning and deanonymisation attacks. Version 3.0.4, issued on 7 January, only partially addressed the problem, so version 3.0.5 followed on 8 January.
A post on Bitcoin forum Bitcointalk.org provided further details, advising Electrum owners to immediately close out the service and refrain from using it again until upgrading to the most recent version. The forum also warned that if at any time users had Electrum open while surfing the web, their wallets may already have been compromised.
“Particularly paranoid people might want to send all of the BTC in their old Electrum wallet to a newly-generated Electrum wallet,” the forum post read.
Even if one's wallet is password-protected, attackers could theoretically still steal address and transactional information and change the Electrum settings, which could possibly lead to further exploitation, the forum post said.
The vulnerability was originally uncovered in a November 2017 GitHub post from a commenter with the handle “jsmad,” who warned that the JSONRPC interface, which is used by web servers to remotely execute commands, “is currently completely unprotected,” adding, “I believe it should be a priority to add at least some form of password protection.”
“While the electrum daemon is running, someone on a different virtual host of the web server could easily access your wallet via the local RPC port,” jsmad continued in the post. “Currently, there is no security/authentication, giving someone access to the RPC port full access to the wallet.”
After spotting the same problem, Google Project Zero researcher Tavis Ormandy responded to jsmad's post on the same forum – seemingly accelerating Electrum's remediation of the issue. Ormandy also expressed concern that password-protected wallets could still potentially be emptied of Bitcoin if the password is weak enough to be guessed via brute force.
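The two conditions jsmad describes (an RPC port reachable by anything on the host, and no authentication at all), together with the browser angle in the release notes and Ormandy's brute-force concern, are exactly what a loopback JSON-RPC daemon has to guard against. The following is an added illustration written for this article, not Electrum's own code, of the server-side checks: any request carrying a browser Origin header is refused and a CORS preflight is never answered with permission, HTTP Basic credentials are required and compared in constant time, and only POST is accepted. RPC_USER, RPC_PASSWORD, the port and the method table are placeholders chosen for the example; a real daemon would generate a long random secret at first start (so it is neither guessable nor brute-forceable) and keep it in a file readable only by the wallet's user.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder credentials for this example only. A real daemon would generate a
# long random secret at first start and store it where only the wallet's user
# can read it, which is what defeats guessing and brute force.
RPC_USER = "electrum-rpc"
RPC_PASSWORD = "example-only-not-for-real-use"


def basic_auth_header(user, password):
    """Build the Authorization header value a legitimate local client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_rpc_request(headers, method="POST"):
    """Decide whether a request may reach the RPC dispatcher; returns (status, reason).

    1. Only POST is accepted, so a plain <img>/<script> tag cannot reach the port.
    2. Any request carrying an Origin header came from a browser page; a loopback
       RPC port has no legitimate browser clients, so it is refused outright and
       Access-Control-Allow-Origin is never emitted.
    3. HTTP Basic credentials must be present and match in constant time.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method != "POST":
        return 405, "JSON-RPC requires POST"
    if "origin" in h:
        return 403, "cross-origin (browser) requests are not allowed"
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        return 401, "credentials required"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return 401, "malformed credentials"
    # '&' rather than 'and' so both comparisons always run (no early exit).
    ok = hmac.compare_digest(user.encode(), RPC_USER.encode()) & hmac.compare_digest(
        password.encode(), RPC_PASSWORD.encode())
    if not ok:
        return 401, "bad credentials"
    return 200, "ok"


# Placeholder command table standing in for the wallet's real RPC commands.
METHODS = {
    "version": lambda params: "example-daemon 0.0",
}


def dispatch(body):
    """Parse one JSON-RPC 2.0 request (bytes or str) and run it."""
    try:
        req = json.loads(body)
        method = req["method"]
    except (ValueError, KeyError, TypeError):
        return {"jsonrpc": "2.0", "id": None,
                "error": {"code": -32700, "message": "parse error"}}
    rid = req.get("id")
    fn = METHODS.get(method)
    if fn is None:
        return {"jsonrpc": "2.0", "id": rid,
                "error": {"code": -32601, "message": "method not found"}}
    return {"jsonrpc": "2.0", "id": rid, "result": fn(req.get("params", []))}


class RpcHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self._reject(*check_rpc_request(self.headers, "GET"))

    def do_OPTIONS(self):
        # CORS preflight: never advertise cross-origin access.
        self._reject(403, "cross-origin requests are not allowed")

    def do_POST(self):
        status, reason = check_rpc_request(self.headers, "POST")
        if status != 200:
            self._reject(status, reason)
            return
        length = int(self.headers.get("Content-Length", 0))
        out = json.dumps(dispatch(self.rfile.read(length))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def _reject(self, status, reason):
        self.send_response(status, reason)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="wallet-rpc"')
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(port=7777):
    # Bind to loopback only; the port must never be reachable from other hosts.
    HTTPServer(("127.0.0.1", port), RpcHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run as a script it listens on 127.0.0.1:7777 (a placeholder port). The policy lives in check_rpc_request, separate from the HTTP handler, so it can be exercised with plain header dicts; note that the Origin check fires even when valid credentials are supplied, since a browser page that somehow obtained them still has no business driving the wallet.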
“Update your #electrum wallets. Only having the program running and surfing the web can be unsafe,” Ormandy said in a 7 January tweet. “Any website can steal your wallet if it is not protected with a password or if it's easy to guess it can be bruteforced #bitcoin”.