Bitcoin Forum
December 15, 2018, 03:00:22 AM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: bitcoin is hackable on electrum-2.9.3-portable news may 2018  (Read 92 times)
silvertrade
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
May 21, 2018, 03:18:55 PM
 #1

hello friends just to let the bitcoin community know that to my best knowledge I have figured out that
on 10th may 2018 I lost BTC0.00564505 bitcoin worth $50 at rate $8900 due to a hacking issue and unauthorized transaction
caused inside my electrium-2.9.3-portable version which was encrypted with 24 digits complex password.

here I want to mention that it is my 3rd created electrium account for safety reason where I used new unique
seed to create my wallet and put password on it. and that my pc is never shared with anyone, not given
for repairmen and I have up to date windows 8.1 platform with avast antivirus and up to date router
which is not easily be hacked. so hope it will be a good notification to record for inquiry.

the transaction id is : http://blockchain.info/tx/af59d8a4cf4a7f0582055b6edf0d0ffecd4072974fc8c2631e3cd3de8d3152a5

its to be noted that the hacker took all my balance at once causing my account to be turned out to be 0.
PLAY NOW
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1544842822
Hero Member
*
Offline Offline

Posts: 1544842822

View Profile Personal Message (Offline)

Ignore
1544842822
Reply with quote  #2

1544842822
Report to moderator
1544842822
Hero Member
*
Offline Offline

Posts: 1544842822

View Profile Personal Message (Offline)

Ignore
1544842822
Reply with quote  #2

1544842822
Report to moderator
1544842822
Hero Member
*
Offline Offline

Posts: 1544842822

View Profile Personal Message (Offline)

Ignore
1544842822
Reply with quote  #2

1544842822
Report to moderator
LoyceV
Legendary
*
Offline Offline

Activity: 1330
Merit: 2363


Self-made Legendary!


View Profile WWW
May 21, 2018, 03:39:28 PM
 #2

electrium-2.9.3-portable version
Vulnerabilities in older versions of Electrum have been known since January this year, see Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade.
You may want to move (see left-bottom of this page) this thread to the Electrum board.

achow101
Staff
Legendary
*
Offline Offline

Activity: 1610
Merit: 1810


bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl


View Profile WWW
May 21, 2018, 03:41:01 PM
 #3

Electrum versions between 2.6 and 3.0.4 are known to be vulnerable and you should upgrade immediately.

Unfortunately there is nothing that can be done to recover your Bitcoin.

silvertrade
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
May 21, 2018, 04:42:23 PM
 #4

hey yes just surfed a bit and found electrium 2.6 to 3.0.4 was vulnerable by jsonrpc command for 2 years already.
so nothing new , my bad actually, just updated elctrium to 3.1.3 latest version as of toady. thanks
jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1218
Merit: 1146


bc1qdj5v2q8p398rdy6sexc0fapk4hcq0p54xz56ez


View Profile
May 21, 2018, 05:16:58 PM
 #5

electrium-2.9.3-portable version
Vulnerabilities in older versions of Electrum have been known since January this year, see Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade.
You may want to move (see left-bottom of this page) this thread to the Electrum board.

The vulnerability shouldn't be too much of an issue if the electrum wallet is encrypted. Unless it gets decrypted while the user if on another page/has an established connection with a server untrustworthy.

Unless the payto field gets edited also via jsonrpc calls.

@op, I'd suggest a full virus scan on your computer before putting the new software on in case it's a virus. There's free software like malware bytes and free trials of other services like McAfee.

posi
Sr. Member
****
Offline Offline

Activity: 588
Merit: 271

Jarvis - Hybrid multi-asset exchange


View Profile
May 21, 2018, 06:39:33 PM
 #6

Well, like they said mistake made and lesson learn. i believe the OP was the one who don't the issue that electrum 2.9.3 is facing because the electrum wallet owner have announced the wallet to be vulnerable and they advice people to use the updated one.



                        █████
                        █████
                        █████
                        █████
                        █████
                        █████
                        █████
        █████           █████
        █████   █████   █████
        █████   █████   █████
        █████   █████   █████   █████
        █████   █████   █████   █████
█████   █████   █████   █████   █████
█████   █████   █████   █████   █████
█████   █████   █████   █████   █████
█████   █████   █████   █████   █████
█████   █████   █████   █████   █████
█████   █████   █████   █████   █████
█████   █████   █████
█████   █████   █████
█████   █████   █████
█████   █████
        █████
        █████



   Borderless Trading with Jarvis Exchange
Whitepaper | Twitter | Facebook | Medium | Instagram
NeuroticFish
Legendary
*
Offline Offline

Activity: 1694
Merit: 1110


The real one is http://bitcoin.ORG


View Profile
May 21, 2018, 06:47:49 PM
 #7

@op, I'd suggest a full virus scan on your computer before putting the new software on in case it's a virus. There's free software like malware bytes and free trials of other services like McAfee.

I even advise to burn a bootable CD and scan from it. Kaspersky or Avira are 2 pretty good options.
The idea is at the chance the Electrum vulnerability was used is smaller than the chance you have some surprise on your system. Afaik for the vulnerability to be exploited Electrum should have been kept running.
(And yes, I've read that you have Avast on, but no antivirus is perfect).

.BITSLER.                 ▄███
               ▄████▀
             ▄████▀
           ▄████▀  ▄██▄
         ▄████▀    ▀████▄
       ▄████▀        ▀████▄
     ▄████▀            ▀████▄
   ▄████▀                ▀████▄
 ▄████▀ ▄████▄      ▄████▄ ▀████▄
█████   ██████      ██████   █████
 ▀████▄ ▀████▀      ▀████▀ ▄████▀
   ▀████▄                ▄████▀
     ▀████▄            ▄████▀
       ▀████▄        ▄████▀
         ▀████▄    ▄████▀
           ▀████▄▄████▀
             ▀██████▀
               ▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄            
▄▄▄▄▀▀▀▀    ▄▄█▄▄ ▀▀▄         
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄      
█  ▀▄▄  ▀█▀▀ ▄      ▀████   ▀▀▄   
█ █▄  ▀▄   ▀████       ▀▀ ▄██▄ ▀▀▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█  ▀▀       ▀▄▄ ▀████      ▄▄▄▀▀▀  █
█            ▄ ▀▄    ▄▄▄▀▀▀   ▄▄  █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█ ▄▄   ███   ▀██  █           ▀▀  █ 
█ ███  ▀██       █        ▄▄      █ 
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
▀▄            █        ▀▀      █  
▀▀▄   ███▄  █   ▄▄          █   
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀    
▀▀▄   █   ▀▀▄▄▄▀▀▀         
▄▄▄▄▄▄▄▄▄▄▄█▄▄▀▀▀▀              
              ▄▄▄██████▄▄▄
          ▄▄████████████████▄▄
        ▄██████▀▀▀▀▀▀▀▀▀▀██████▄
▄     ▄█████▀             ▀█████▄
██▄▄ █████▀                ▀█████
 ████████            ▄██      █████
  ████████▄         ███▀       ████▄
  █████████▀▀     ▄███▀        █████
   █▀▀▀          █████         █████
     ▄▄▄         ████          █████
   █████          ▀▀           ████▀
    █████                     █████
     █████▄                 ▄█████
      ▀█████▄             ▄█████▀
        ▀██████▄▄▄▄▄▄▄▄▄▄██████▀
          ▀▀████████████████▀▀
              ▀▀▀██████▀▀▀
            ▄▄▄███████▄▄▄
         ▄█▀▀▀ ▄▄▄▄▄▄▄ ▀▀▀█▄
       █▀▀ ▄█████████████▄ ▀▀█
     █▀▀ ███████████████████ ▀▀█
    █▀ ███████████████████████ ▀█
   █▀ ███████████████▀▀ ███████ ▀█
 ▄█▀ ██████████████▀      ▀█████ ▀█▄
███ ███████████▀▀            ▀▀██ ███
███ ███████▀▀                     ███
███ ▀▀▀▀                          ███
▀██▄                             ▄██▀
  ▀█▄                            ▀▀
    █▄       █▄▄▄▄▄▄▄▄▄█
     █▄      ▀█████████▀
      ▀█▄      ▀▀▀▀▀▀▀
        ▀▀█▄▄  ▄▄▄
            ▀▀█████
[]
jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1218
Merit: 1146


bc1qdj5v2q8p398rdy6sexc0fapk4hcq0p54xz56ez


View Profile
May 21, 2018, 07:21:36 PM
 #8

@op, I'd suggest a full virus scan on your computer before putting the new software on in case it's a virus. There's free software like malware bytes and free trials of other services like McAfee.

I even advise to burn a bootable CD and scan from it. Kaspersky or Avira are 2 pretty good options.
The idea is at the chance the Electrum vulnerability was used is smaller than the chance you have some surprise on your system. Afaik for the vulnerability to be exploited Electrum should have been kept running.
(And yes, I've read that you have Avast on, but no antivirus is perfect).

A single av software on its own is good, but it can be hijacked by the virus in some circumstances, no doubt the theif has tried that to get more money. It also needs for you to be sending a transaction while simultaneously on a website for that call to work if the wallet is password protected. (I'd suggest using preview before the send part and sign and broadcast it so you can verify that anything is acting normally).

pooya87
Legendary
*
Offline Offline

Activity: 1484
Merit: 1287


Buy bitcoin they said... who listened?


View Profile
May 22, 2018, 03:33:56 AM
Merited by Abdussamad (1)
 #9

terrible title because it is wrong. even with the JSONRPC vulnerability it is highly unlikely to lose any coins because first of all you have to have your Electrum wallet open and a malicious website that uses this vulnerability at the same time and that steals your coins. not to mention that the wallet has to have no password for this to work otherwise having the simplest passwords will prevent this.
there is a 99% chance that this is a human error that led to leakage of password or private keys or seed and then loss of funds.

audaciousbeing
Hero Member
*****
Offline Offline

Activity: 812
Merit: 555


View Profile
May 22, 2018, 09:49:19 AM
 #10

terrible title because it is wrong. even with the JSONRPC vulnerability it is highly unlikely to lose any coins because first of all you have to have your Electrum wallet open and a malicious website that uses this vulnerability at the same time and that steals your coins. not to mention that the wallet has to have no password for this to work otherwise having the simplest passwords will prevent this.
there is a 99% chance that this is a human error that led to leakage of password or private keys or seed and then loss of funds.

This is just the perfect explanation on what could have happened because by default, the software gives you the option of creating a password before proceeding to launching and even ask you for passwords before showing any sensitive information or transferring fund out of the wallet. If you then choose to ignore the opportunity to keep you safe at the minimum, then its your fault entirely and no one else. I am happy for him that he didn't lose more than that amount because the same reception of not upgrading and being out of date would still be the same and there is nothing anybody would be able to do about it.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!