In December 2018, Slow Fog first discovered and alerted an attacker to a messaging flaw using the Electrum wallet client, forcing an "update prompt" to pop up during a user's currency transfer operation, inducing users to update and download malware to carry out a currency theft attack, according to Slow Fog. Although electrum officials said in early 2019 that some security mechanisms would be in place to prevent this "update phishing", many users of Electrum are still in the old version (less than 3.3.4) and the old version is still under threat. However, we do not rule out a similar threat to the new version.
electrum can't download
Popular wallet developer Electrum has released an emergency patch for a key vulnerability in its Bitcoin wallet. The vulnerability allows any website hosting electrum wallets to potentially steal a user's cryptocurrency. A vulnerability means that the password is exposed to the JSONRPC interface, implying that the hacker has full control over the wallet. The first patch failed to fix the problem, forcing Electrum to release a second update on Sunday night.
In addition, Mark B. Lundeberg, one of the authors of the paper, made a detailed comparison between SLP and Cryptonized Cash and compiled it into writing.
If someone's Electrum wallet connects to one of these servers and tries to send a BTC transaction, they see an official message telling them to update their Electrum wallet, as well as a scam URL.
Of course, there are wallets that are not designed according to BIP rules, such as Electrum, which was the first wallet to use mnic patterns, and the first determinative wallet, which was introduced in 2011, and later The micound rule BIP-39, which became a recognized industry standard with its widespread use. Electrum is similar to BIP-39's monemone rules, but BIP-39 uses a fixed set of 2048 thesavers, and Electrum uses a different thesaver, but is compatible with BIP-39's monemone thesaver, and the reverse is not compatible.
According to the slow fog zone, the Phishing attack by Electrum forged upgrade tips has stolen at least 200 BTCs, and this attack cannot be avoided by upgrading Electrum alone, requiring the entire ecological service to make corresponding changes (because Electrum is not a full node, and then on the transaction broadcast and the corresponding server has a message communication, the attacker can also deploy a malicious server)
B: Electrum server can customize messages to appear in the user's electrum light wallet software, giving hackers a chance to broadcast phishing messages.
In August-September, Bitcoin wallet Electrum was hacked twice, and according to multiple sources, at least 1,450 BTCs worth $11.6 million were stolen from phishing attacks that faked Electrum upgrade tips.
By default, electrum wallets are randomly connected to a set of Electrum servers. From a privacy perspective, this is not a good thing because it discloses your wallet address and balance to unknown third parties. And unfortunately, many public Electrum servers are run by individuals or groups of blockchain analytics companies or worse. Therefore, if you are using an Electrum wallet, it is generally recommended that you run your own Electrum server and then connect the wallet to that server.
Dash releases Dash Electrum 126.96.36.199 version