Bitcoin and Litecoin vulnerable: Electrum (Bitcoin), Electron Cash (Bitcoin Cash) and Electrum-LTC (Litecoin) users at risk

The dogs are at work, sadly the underground dogs. Electrum (Bitcoin), Electron Cash (Bitcoin Cash) and Electrum-LTC (Litecoin) users are currently at risk, while more and more hackers are switching to Monero in the meantime.

The dogs are mining. Picture: giphy (thanks to Wavy)


Right now an attacker can use a malicious website to steal your entire wallet; it is also possible to deanonymize its users.

Affected systems

  • Electrum 2.6 up to 3.0.4
  • All Electron Cash versions up to and including 3.1.1
  • All Electrum-LTC versions up to and including 3.0.5

All three projects released a corrected version on Monday that should close this hole. It is strongly recommended to update your client and to keep your current wallet closed until you have installed the fixed version.

The root cause of this huge problem was a flaw in the JSON-RPC server: every time a user started the wallet, the RPC server was started along with it (no matter whether only the GUI was used or not), which let attackers talk to it because the RPC interface is unprotected.

The CLI starts even when Python is only asked for the UI; the window is opened in the background.

But the real danger arises when a browser and the wallet are running at the same time: an attacker can control a website whose JavaScript sends JSON requests crafted to anticipate specific inputs, e.g. when you want to sell with your wallet. The communication is then handled between the JSON client and the JSON-RPC server, invisibly in the background.

The attacker can read the current wallet status and the Master Public Key (MPK, xpub), steal the wallet seed and transfer the funds to another wallet. The developers say you should create a new wallet with a strong password right away; at least for now, this helps.
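To make the failure mode concrete, here is an added example (my own model, not Electrum's code) of a local JSON-RPC handler: with no RPC password configured, a request shaped like one a web page's JavaScript would send to 127.0.0.1 is answered; with an HTTP Basic credential required, the same request is refused. The method names, wallet values, header values and the Basic-auth check are all assumptions made for the illustration.

```python
import base64
import json
import secrets

# Constructed sample wallet state; method names are illustrative, not Electrum's API.
WALLET = {"balance": "0.5 BTC", "mpk": "xpub-PLACEHOLDER", "seed": "seed-PLACEHOLDER"}
METHODS = {
    "getbalance": lambda: WALLET["balance"],
    "getmpk": lambda: WALLET["mpk"],
    "getseed": lambda: WALLET["seed"],
}


def basic_auth_header(user, password):
    """Build the Authorization header a legitimate local client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authorized(headers, rpc_user, rpc_password):
    """True only when the request carries the expected HTTP Basic credentials.
    With no password configured (the vulnerable setup) every request is accepted."""
    if rpc_password is None:
        return True
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[6:], validate=True)
    except (ValueError, TypeError):
        return False
    return secrets.compare_digest(decoded, f"{rpc_user}:{rpc_password}".encode())


def handle_rpc(headers, body, rpc_user="user", rpc_password=None):
    """Process one JSON-RPC request the way the wallet's local server would."""
    if not authorized(headers, rpc_user, rpc_password):
        return {"jsonrpc": "2.0", "error": {"code": -32000, "message": "unauthorized"}, "id": None}
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"jsonrpc": "2.0", "error": {"code": -32700, "message": "parse error"}, "id": None}
    method = METHODS.get(req.get("method"))
    if method is None:
        return {"jsonrpc": "2.0", "error": {"code": -32601, "message": "method not found"}, "id": req.get("id")}
    return {"jsonrpc": "2.0", "result": method(), "id": req.get("id")}


# Constructed request, shaped like what a browser's fetch() to http://127.0.0.1 would deliver.
BROWSER_HEADERS = {"Origin": "http://attacker-site.example", "Content-Type": "application/json"}
BROWSER_BODY = json.dumps({"jsonrpc": "2.0", "method": "getseed", "id": 1})

if __name__ == "__main__":
    print(handle_rpc(BROWSER_HEADERS, BROWSER_BODY))                        # no password: seed returned
    print(handle_rpc(BROWSER_HEADERS, BROWSER_BODY, rpc_password="s3cret"))  # password required: refused
```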

Blog at WordPress.com.