Security Release: Upgrade to Electrum 3.0.5

A security vulnerability was discovered in Electrum. It allows malicious websites to access your wallet and possibly get at your wallet seed/private keys. Users are advised to upgrade to Electrum 3.0.5 immediately.

What is the vulnerability?

By default, Electrum accepts JSON-RPC commands via a port on localhost. This interface is not protected by any sort of password, so malicious websites can scan for the port and send commands to Electrum through it.
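The difference between a local JSON-RPC handler that serves any caller and one that demands credentials first can be shown in a few lines. This is an added illustration, not Electrum's code: the function names, the demo credentials and the single `version` method are assumptions made for the example.

```python
import base64
import hmac
import json
import secrets

# Constructed demo credentials; a real service would generate and store
# a random password per installation.
RPC_USER = "user"
RPC_PASSWORD = secrets.token_urlsafe(16)


def is_authorized(headers, user=RPC_USER, password=RPC_PASSWORD):
    """Return True only for valid HTTP Basic credentials.

    `headers` is a plain dict keyed by the exact name "Authorization".
    """
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())


def handle_rpc(headers, body, authenticate=True):
    """Return (status, response) for one JSON-RPC request.

    authenticate=False models the behaviour described above: every local
    sender, including script on a web page, gets its command executed.
    """
    if authenticate and not is_authorized(headers):
        return 401, {"error": "unauthorized"}
    try:
        request = json.loads(body)
        method = request["method"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "bad request"}
    # Hypothetical dispatch; a wallet would expose sensitive commands here.
    if method == "version":
        return 200, {"result": "demo", "id": request.get("id")}
    return 404, {"error": "unknown method"}
```

The credential check runs before the request body is parsed, so an unauthenticated sender never reaches the command dispatcher.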

Who is affected by this?

All users running versions 2.6 – 3.0.4 are affected.

You are especially vulnerable if you haven’t set a password on your wallet. In that case you should create a new wallet and move your coins to a new wallet after upgrading to 3.0.5.

How do I upgrade?

Write down your seed words if you haven’t already done so. You can get them via wallet menu > seed. Then install Electrum the same way you did the last time. You can download it from electrum.org. Electrum will automatically upgrade your wallet file, but in the event that it fails to do so, you can restore from seed.

Where can I learn more?

The bug report in question is given here. An official statement has been put out here.

 
