Electrum to the public: “if you are running Electrum, shut it down right this second”

Getting your Trinity Audio player ready...

Electrum wallet just deployed an emergency patch to fix critical security risk.

On Saturday, Electrum devs were sent into a panic, pushing them to release an emergency patch along with an urgent message saying everyone using their Electrum wallets must stop doing so immediately and upgrade to the patched version. Apparently, having the wallet open while browsing the web allows any website to steal users’ BTC.

New release: Electrum 3.0.4. Please upgrade, this is a security update. It fixes a vulnerability that was reported earlier today. See the release notes for details. https://t.co/Y2DXoUyOgkhttps://t.co/HlynSNK8dx

— Electrum (@ElectrumWallet) January 7, 2018

Wallets with no passphrases set are also considered compromised, whether they surfed the web or not while the wallet was open. Those with weak passwords are also at risk.

Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password or if it's easy to guess it can be bruteforced #bitcoin pic.twitter.com/MYq1u9ZZbt

— 尺ﾉ匚卄卂尺り (@h43z) January 7, 2018

The security notice on Electrum’s website links to a post by Theymos (r/bitcoin moderator) on BitcoinTalk, where they urged users to shut down the wallet and upgrade to the new version. The post has been updated to say that the first patch attempt is still vulnerable, and that users must upgrade to version 3.0.5. And that it in fact is safer to just move all their BTC to a newly generated Electrum wallet altogether.

White hat hacker and Google vulnerability researcher Tavis Ormandy says he stumbled upon it while checking out the software included in Tails, an anonymity and privacy-focused live operating system bootable from a USB stick.

Sadly I'm not a bitcoin millionaire, I was just browsing the list of software shipped in @Tails_live, and Electrum is included 😛

— Tavis Ormandy (@taviso) January 7, 2018

Ormandy says that although he just pointed out the issue to Electrum last Saturday, pushing them to start working on a fix, the issue has already been pointed out last year.

The bitcoin wallet Electrum allows any website to steal your bitcoins. I was gonna report it…but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours. Update to 3.0.4 if you use it.

— Tavis Ormandy (@taviso) January 7, 2018