This article was published on January 8, 2018

Google dev found an Electrum wallet bug that let sites steal your Bitcoin


Google dev found an Electrum wallet bug that let sites steal your Bitcoin

Cryptocurrency enthusiasts relying on the popular Electrum wallet to store their Bitcoin ought to hurry up and update to the latest version of the app: Google researcher Tavis Ormandy discovered a critical flaw in the wallet that allowed any website to steal your coins.

Over the weekend, Ormandy took to Twitter to urge Electrum users to get the latest reiteration of the wallet as soon as possible, adding that he recently stumbled upon a severe vulnerability which has since been patched. The bug purportedly affected all versions from 2.6 to 3.0.3.

The Googler further noted that another sharp-eyed researcher had already reported the issue by the time he spotted it himself. Still, he had to reach out to Electrum to stress the urgency of the matter.

I was gonna report it…but there was already an open issue from last year,” Ormandy said. “I pointed out this is kinda [sic] critical, and they made a new release within a few hours.”

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Following Ormandy’s tweets, Electrum has released one more patch (version 3.0.5), which is currently available to download from their official website here.

In a statement attached to the update, Electrum notes that users “need” not to “rush the upgrade.”

“In fact, in cases like this it can be prudent to wait a while just to make sure that everything is settled,” the post read. “The important thing is to not use the old versions. If you have an old version sitting somewhere not being used, then it is harmless as long as you do not forget to upgrade it before using it again later.”

However, users that have in any point in the past left their Electrum wallet “open with no wallet passphrase set” and “had a webpage open” might want to remain extra careful.

Then it is possible [sic] that your wallet is already compromised,” the statement warned. “Particularly paranoid people might want to send all of the BTC in their old Electrum wallet to a newly-generated Electrum wallet.”

“[I]f you had a wallet password set, you can reduce your panic by a few notches,” the post continued. “[B]ut you should still treat this very seriously.”

The latest version of the Electrum wallet for Mac, Windows, Linux and Android is available to download here.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with