Although cryptocurrencies themselves are extremely difficult to hack, the same cannot be said about the ecosystem of applications that provide everyday people with the ability to work with them.
A vulnerability was found in Electrum’s software that allows hackers to execute scripts that give them complete access to the user’s wallet.
The developers worked quickly to patch it, but only just finished doing so months after the vulnerability was reported.
According to user “jsmad” at Github, the JSON remote procedure call interface does not ask for any credentials, leaving it completely open to attack.
After another user interjected, hoping that the wallet still has some fail-safes that potentially address this issue, “jsmad” clarified that this applies mostly to wallets that are managed through web interfaces.
Developers posted an announcement just hours ago, suggesting that users should switch to version 3.0.5 immediately to avoid any compromise.
“If at any point in the past you had Electrum open with no wallet passphrase set, and had a webpage open, then it is possible that your wallet is already compromised. Particularly paranoid people might want to send all of their BTC in their old Electrum wallet to a newly-generated Electrum wallet,” the announcement said.
So far, it isn’t clear how long this vulnerability existed, or whether anyone was victimized before Electrum’s developers could patch it.
After auditing the code through multiple versions, it is safe to assume that Electrum’s daemon has been susceptible to this kind of attack ever since its original implementation.
Electrum isn’t the only wallet that is in danger of exposing its users to attack.