The administrators of the Electrum Bitcoin wallet app have released a security update that fixes a vulnerability that existed in the software for almost two years.
Ironically, it was a Bleeping Computer article that helped a user discover this bug.
Electrum wallet was exposing its JSON RPC interface
Three days after we ran a story about miscreants scanning the Internet for Ethereum wallets with exposed JSON RPC ports, a user going by the name of "jsmad" reported to the Electrum team that their wallet was also exposing a similar JSON RPC interface online.
A JSON RPC interface is a standard software design element through which developers open their application to other software. Third-party software can make calls to this interface and interact with the original software's data and functions.
JSON RPC can be configured in many ways, based on the software's purpose, but the best security practice is to password-protect and bind the interface to localhost, meaning that only locally installed apps that know a password can interact with the JSON RPC endpoints.
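As an added illustration of the hardened configuration described above (this is example code written for this page, not Electrum's RPC implementation): a minimal JSON-RPC 2.0 server that refuses to bind anywhere but a loopback address and rejects every request that does not carry the expected HTTP Basic credentials. The credential values, the port number and the `getbalance` method are constructed for the example; real wallets use their own settings.

```python
import base64
import hmac
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the example; a real deployment reads these from config.
RPC_USER = "rpcuser"
RPC_PASSWORD = "correct horse battery staple"


def get_balance(params):
    # Hypothetical RPC method standing in for a wallet call.
    return {"confirmed": 0, "unconfirmed": 0}


# Only methods listed here are reachable over RPC.
METHODS = {"getbalance": get_balance}


def basic_auth_header(user, password):
    """Build the Authorization header value a legitimate local client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header_value, user=RPC_USER, password=RPC_PASSWORD):
    """True only if the header carries the expected credentials; compared in constant time."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = f"{user}:{password}".encode()
    return hmac.compare_digest(decoded.encode(), expected)


def handle_rpc(body):
    """Dispatch one JSON-RPC 2.0 request and return the response object as a dict."""
    try:
        req = json.loads(body)
    except ValueError:
        return {"jsonrpc": "2.0", "id": None, "error": {"code": -32700, "message": "Parse error"}}
    req_id = req.get("id") if isinstance(req, dict) else None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or not isinstance(req.get("method"), str):
        return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32600, "message": "Invalid Request"}}
    method = METHODS.get(req["method"])
    if method is None:
        return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32601, "message": "Method not found"}}
    return {"jsonrpc": "2.0", "id": req_id, "result": method(req.get("params", []))}


def is_loopback_bind(host):
    """True for 127.0.0.0/8 or ::1; False for wildcard or LAN addresses."""
    return ipaddress.ip_address(host).is_loopback


def safe_bind_address(host):
    """Refuse the weak setting (e.g. 0.0.0.0) so the RPC port is never reachable from the network."""
    if not is_loopback_bind(host):
        raise ValueError(f"refusing to bind RPC interface to non-loopback address {host}")
    return host


class RPCHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Authenticate before touching the request body or any wallet method.
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="wallet-rpc"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        payload = json.dumps(handle_rpc(self.rfile.read(length))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Hardened: loopback only plus a password. Port 7777 is a placeholder for the example.
    server = HTTPServer((safe_bind_address("127.0.0.1"), 7777), RPCHandler)
    server.serve_forever()
```

The two checks are independent: the loopback bind keeps the port off the network even if the password is weak, and the password check keeps other local users and browser-originated requests out even if the bind address is later loosened.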
Jsmad suggested that the Electrum team password-protect the JSON RPC interface, so only users and apps knowing the wallet's password could interact with it.