Electrum is one of bitcoin’s longest-standing wallets, having been used heavily in the space since its inception in 2011. However, it has only recently been revealed to have a long undiscovered vulnerability, which was only fully on January 8th 2018
The vulnerability allows for remote access to a user’s funds by having an un-encrypted wallet open in the background while browsing the internet. All users with outdated wallets are still vulnerable to the exploit and are highly recommended to upgrade to version 3.0.5 as soon as possible. The original summary of the issue can be read here.
The issue was first pointed out on November 25th, 2017 on the Electrum repo by jsmad. The full extent of the vulnerability was not fully understood by the poster, nor the Electrum devs, and it was added to the non-critical backlog:
Only recently was the potential of the exploit fully realized by taviso, who stated “I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability?” along with a complete explanation. He posted this on Saturday, January 6th, approximately a month and a half after the issue was first disclosed:
It was confirmed by Electrum dev ecdsa that the exploitable code had been around, undiscovered, since a commit on November 30th, 2015, over two years ago
Once the extent of the exploit was revealed, a hotfix was released with Electrum version 3.0.4. But, open source contributors promptly revealed the quick patch to be insufficient:
Finally, the dev team followed up with Electrum 3.0.5 which has fixed the bug in its entirety.
Outdated wallets still vulnerable
This reveals a key issue still withstanding with the Electrum client: outdated and exposed wallets will not auto-update to the new, secure version of the client. Users who regularly scour social media would have promptly downloaded the upgrade manually, but the majority that haven’t will stillbe using outdated and vulnerable versions of the Electrum wallet none-the-wiser. Furthermore, with the exploit fully publicized, there are certainly now scores of bad actors intent on exploiting the vulnerability to those very wallets that have yet to be updated.
Crypto Insider emphasizes that users who are still operating outdated versions upgrade to the latest version via the Electrum download page immediately.