Entering the cryptocurrency market has always been a risky move if you stay lax and uninformed. Over the years there has been news of coins being stolen from one exchange or another. Recently, a bug was discovered in Electrum which made it vulnerable to coin theft. If you use this wallet, this piece is for you.
Electrum is a popular Bitcoin wallet used by many people around the world. It's a relatively safe wallet, as it keeps your coins in cold storage and also gives you control over your private keys. Whenever you want to make transactions, however, you have to connect to the internet, and a recent discovery has shown that a bug in the wallet could make it vulnerable to attacks from malicious websites.
The bug was first reported in November 2017. It affects versions 2.6 to 3.0.4 of Electrum, on all platforms. Clones of the wallet such as Electron Cash (for storing Bitcoin Cash) are also affected. Because of the bug, your coins can be stolen by third parties if you open the wallet while connected to a malicious website.
A malicious bug
Wallets without passwords are the most vulnerable. An attacker can modify user settings, the list of contacts in a wallet, and the "payto" and "amount" fields of the user interface while Electrum is running and connected to the internet. Wallet data such as Bitcoin addresses, transaction labels, address labels, wallet contacts and master public keys could be stolen by the attacker.
If you protected your wallet with a password, you're "safe" to some extent. The bug does not allow attackers to access your encrypted seed or private keys, which would be needed in order to perform an efficient brute force attack. To access your wallet, an attacker must try to guess your password while you're connected to a malicious page. This is much slower and the chances of you being hacked are much slimmer.
What Electrum users should do
Although there has been no record of users losing their coins due to this bug, the possibility has now increased since the information has been leaked to the public. It is therefore better to take precautions to prevent being hacked.
To protect yourself from this bug:
1. All Electrum users should upgrade their software, and stop using old versions. A new version of the software has been released and can be downloaded at electrum.org.
2. Users who did not protect their wallet with a password should create a new wallet, and move their funds to that wallet. Even if it never received any funds, a wallet without a password should not be used anymore, because its seed might have been compromised.
3. Users should also review their settings, and delete all contacts from their contacts list because the Bitcoin addresses of their contacts might have been modified.
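For anyone checking more than one machine, the affected range given above (2.6 to 3.0.4) can be applied to a list of reported version strings. This is an added example, not code from Electrum; the host names and version strings are constructed samples, and the function names are hypothetical.

```python
import re

# Affected range as stated in the article: Electrum 2.6 through 3.0.4, inclusive.
# Clones such as Electron Cash use their own version numbers, which the
# article does not list, so this check covers Electrum itself only.
FIRST_AFFECTED = (2, 6, 0)
LAST_AFFECTED = (3, 0, 4)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch), or None if no version number is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    # "2.6" and "2.6.0" must compare equal, so a missing patch level is 0.
    return (int(major), int(minor), int(patch or 0))


def classify(text):
    """Classify one reported version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # needs a manual check; never assume it is safe
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "not affected"


def triage(inventory):
    """Map host name -> classification for a {host: version string} inventory."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (hosts and version strings are made up).
SAMPLE = {
    "laptop-a": "Electrum 2.5.4",
    "laptop-b": "2.6",
    "desktop-c": "electrum-3.0.4",
    "desktop-d": "3.0.5",
    "kiosk-e": "unknown build",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

A result of "not affected" only describes the version installed now; a wallet that was ever opened without a password in an affected version still falls under step 2.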