Threat Management, Threat Management, Network Security, Patch/Configuration Management, Vulnerability Management

Malicious websites can steal from vulnerable Electrum cryptocurrency wallets

The popular Bitcoin client Electrum has developed a patch for a critical vulnerability that allows malicious websites to steal from digital wallets that are not password-protected.

Patch release notes from Electrum described the bug, which is present in versions 2.6-3.0.3, as a cross-origin resource sharing flaw in the JSON-RPC protocol interface that leaves the crypto wallet prone to port scanning and deanonimization attacks. Version 3.0.4, issued on Jan. 7, helped address the problem, but was an incomplete fix. Thus, version 3.0.5 was subsequently distributed on Jan. 8.

A post on Bitcoin forum provided further details, advising Electrum owners to immediately close out the service and refrain from using it again until upgrading to the most recent version. The forum also warned that if at any time users had Electrum open while surfing the web, their wallets may already have been compromised.

“Particularly paranoid people might want to send all of the BTC in their old Electrum wallet to a newly-generated Electrum wallet,” the forum post read.

Even if one's wallet is password-protected, attackers could theoretically still steal address and transactional information and change the Electrum settings, which could possibly lead to further exploitation, the forum post said.

The vulnerability was originally uncovered in a November 2017 GitHub post from a commenter with the handle “jsmad,” who warned that the JSONRPC interface, which is used by web servers to remotely execute commands, “is currently completely unprotected,” adding, “I believe it should be a priority to add at least some form of password protection.”

“While the electrum daemon is running, someone on a different virtual host of the web server could easily access your wallet via the local RPC port,” jsmad continued in the post. “Currently, there is no security/authentication, giving someone access to the RPC port full access to the wallet.”

After spotting the same problem, Google Project Zero researcher Tavis Ormandy responded to jsmad's on the same forum – seemingly accelerating Electrum's remediation of the issue. Ormandy also expresses concern that password-protected wallets could still potentially be emptied of Bitcoin if they are weak enough to be guessed via brute force.

“Update your #electrum wallets. Only having the program running and surfing the web can be unsafe,” Ormandy said in a Jan. 7 tweet. “Any website can steal your wallet if it is not protected with a password or if it's easy to guess it can be bruteforced #bitcoin

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.