Cryptocurrency enthusiasts relying on the popular Electrum wallet to store their Bitcoin ought to hurry up and update to the latest version of the app: Google researcher Tavis Ormandy discovered a critical flaw in the wallet that allowed any website to steal your coins.
Over the weekend, Ormandy took to Twitter to urge Electrum users to get the latest reiteration of the wallet as soon as possible, adding that he recently stumbled upon a severe vulnerability which has since been patched. The bug purportedly affected all versions from 2.6 to 3.0.3.
The Googler further noted that another sharp-eyed researcher had already reported the issue by the time he spotted it himself. Still, he had to reach out to Electrum to stress the urgency of the matter.
“I was gonna report it…but there was already an open issue from last year,” Ormandy said. “I pointed out this is kinda [sic] critical, and they made a new release within a few hours.”
The bitcoin wallet Electrum allows any website to steal your bitcoins. I was gonna report it…but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours. Update to 3.0.4 if you use it.
— Tavis Ormandy (@taviso) January 7, 2018
Following Ormandy’s tweets, Electrum has released one more patch (version 3.0.5), which is currently available to download from their official website here.
In a statement attached to the update, Electrum notes that users “need” not to “rush the upgrade.”
“In fact, in cases like this it can be prudent to wait a while just to make sure that everything is settled,” the post read. “The important thing is to not use the old versions. If you have an old version sitting somewhere not being used, then it is harmless as long as you do not forget to upgrade it before using it again later.”
However, users that have in any point in the past left their Electrum wallet “open with no wallet passphrase set” and “had a webpage open” might want to remain extra careful.
“Then it is possible [sic] that your wallet is already compromised,” the statement warned. “Particularly paranoid people might want to send all of the BTC in their old Electrum wallet to a newly-generated Electrum wallet.”
“[I]f you had a wallet password set, you can reduce your panic by a few notches,” the post continued. “[B]ut you should still treat this very seriously.”
Published January 8, 2018 — 11:20 UTC