Vulnerabilities were found in Electrum and Electrum-LTC. They have been fixed in Electrum-LTC 220.127.116.11. If you are running an earlier version, update your software.
Electrum personal server
Although in early 2019 Electrum officials said they would take some security measures to prevent such updates from occurring, for example.
Electrum-LTC is a community-maintained port of Electrum, the Bitcoin wallet, to Litecoin. It is not an official product of Electrum Technologies GmbH, and it is not supported.
Electrum Bitcoin Wallet.
Electrum is a popular software wallet that works by connecting to dedicated servers. These servers receive a hash of each Bitcoin address in the wallet and reply with transaction information. Electrum Wallet is fast and uses few resources, but by default it connects to these servers, which can easily monitor users. In addition to Electrum, some other software uses public Electrum servers. As of 2019, it is a faster and better alternative to BIP37.
Users of the Bitcoin wallet Electrum are facing phishing attacks, according to Johnwick.io. Attackers broadcast messages to the Electrum client through a malicious server, prompting the user to update to v4.0.0. If the user follows the prompt and installs this "backdoor-carrying client", the private key is stolen and all digital assets are stolen with it. At the time of writing, at least 1,450 BTC worth about $11.6 million had been stolen through phishing attacks that faked Electrum upgrade prompts. DeViable Security Labs advises that versions of Electrum below 3.3.4 are vulnerable to such phishing attacks. Users of Electrum Wallet are asked to update to the latest version, Electrum 3.3.8, which has not yet been officially released, via the official website (electrum.org), and not to use the link in the prompt, in order to avoid asset losses.
Following the trail, we open Electrum's GitHub repository and find the following code in electrum/electrum/ecc.py.
According to SlowMist Zone news, the phishing attack that uses fake Electrum upgrade prompts has stolen at least 200 BTC. This attack cannot be avoided by upgrading Electrum alone; the services across the whole ecosystem need to make corresponding changes. The reason is that the Electrum client is not a full node: it communicates with server-side services to broadcast transactions and exchange messages, and attackers can also deploy malicious servers. SlowMist Zone reminds users that phishing attacks like the one on Electrum require long-term vigilance. SlowMist Zone has previously issued an alert about Electrum phishing updates: the attackers who targeted Electrum wallets used Electrum's software in an abnormal way to construct malicious software update prompts that induce users to update and download malware.
Although in early 2019 Electrum officials said that some security mechanisms should be put in place to prevent this kind of "update phishing", for example.
eclair: clients v0.3.1 and above correctly address the security issue. Earlier versions of the eclair client are affected if the user runs Bitcoin Core as the backend. With the Electrum backend, on the other hand, only the script is checked, not the amount. (CVE-2019-13000)
Now that we understand the benefits of Electrum, we can start using it. Before you begin, have pen and paper ready to write down the wallet seed.
Attackers reportedly set up their own Electrum servers, which hosted a compromised version of Electrum, in order to carry out the attack. When the user will be vulnerable.