Electrum patches a critical flaw that exposed Bitcoin Wallets to hack since 2016

Pierluigi Paganini January 10, 2018

The development team behind the popular Electrum Bitcoin wallet app has issued an emergency patch for a critical vulnerability in the company bitcoin wallets.

Electrum is a free application that’s used by many cryptocurrency sites to store bitcoin. Administrators can run their own Electrum server and the software supports hardware wallets such as Trezor, Ledger and Keepkey.

The development team behind the popular Electrum Bitcoin wallet app has issued an emergency patch for a critical vulnerability in the company bitcoin wallets.

The vulnerability allowed any website hosting the Electrum wallet to potentially steal the user’s cryptocurrency.

The flaw seems to be present in the software for almost two years, it is related to the exposure of passwords in the JSONRPC interface.

The company first issued a security patch failed to address the issue, but it failed, then Electrum opted out to issue a second update on Sunday evening.

The story has begun in November when many researchers observed numerous massive scans going on for Bitcoin and Ethereum wallets in order to steal their funds.

The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000.

The researcher observed a huge number of requests to his honeypot to retrieve Bitcoin wallet files.

Of course, the crooks were exploring the possibility to target also other cryptocurrencies, such as the Ethereum. Very interesting the analysis proposed by Bleepingcomputer.com that reported the discovery made by the researcher Dimitrios Slamaris.

The security expert reported Internet wide Ethereum JSON-RPC scans.

The expert caught a JSON RPC call in his honeypot, someone was making requests to the JSON-RPC interface of Ethereum nodes that should be only exposed locally.

The access to the interface does implement any authentication mechanism and wallet apps installed on the PC can send command to the Ethereum client to manage funds. If the interface is exposed inline, attackers can send requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet.

Early November, Slamaris uncovered another massive scan that allowed the attacker to steal 8 Ethers (about $3,200 at current exchange).

Slamaris teamed with SANS Internet Storm Center expert Johannes Ullrich also uncovered a second campaign, they discovered two IP addresses were scanning specifically hard using these requests:
  • 216.158.238.186 – Interserver Inc. (a New Jersey hosting company)
  • 46.166.148.120 – NFOrce Entertainment BV (Durch hosting company)

A user going by the name of “jsmad” noticed that the Electrum wallet app was also exposing a similar JSON RPC online.

“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection.” wrote the user.

“Scans for the JSONRPC interface of Ethereum wallets have already started:
https://www.bleepingcomputer.com/news/security/theres-some-intense-web-scans-going-on-for-bitcoin-and-ethereum-wallets/

The knowledge of the Electrum password allowed attackers to interact through the JSON RPC interface with the wallers.

The Electrum developers were criticized by the claim of the popular Google white hat hacker Tavis Ormandy who contacted the company.

“Hello, I’m not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy ?.” wrote Ormandy.

“I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability? If this bug wasn’t already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.

The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.

I made you a demo. It’s very basic, but you get the idea. If you did set a password, some misdirection is required, but it’s still game over, no?

Here is how I reproduced:

  • Install Electrum 3.0.3 on Windows.
  • Create a new wallet, all default settings. I left the wallet password blank – the default setting.
  • Visit in Chrome.
  • Wait a few seconds while it guesses the port, then an alert() appears with: seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}

(Note: i dont use bitcoin, you can steal my empty wallet if you like)”

In a real attack scenario, hackers could trick Electrum users into accessing a malicious website that could scan for the Electrum’s random JSON RPC port and empty the wallet by issuing commands.

Below a video of such kind of attack shared by a Twitter user.

The Electrum development team released the version 3.0.5 that addresses the vulnerability, users urge to update their wallet app.

According to the developers, the flaw affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.

“In addition, the vulnerability allows an attacker to modify user settings, the list of contacts in a wallet, and the “payto” and “amount” fields of the user interface while Electrum is running.” reads the analysis published by the Electrum development team.

“Although there is no known occurrence of Bitcoin theft occurring because of this vulnerability, the risk increases substantially now that the vulnerability has been made public.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Electrum wallet,  Bitcoin)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment