Electrum Vulnerability

On 2017-11-24 an issue was posted to the Electrum repository. Open source code that exposed the mnemonic seed generated when creating a new Electrum wallet, had remained unchecked since the software’s inception. By default, Electrum enabled a JSON RPC server, which opened a random port and could be accessed over the internet (specifically by a website looking to steal seeds).

The code that enabled the data leak may be seen below:

class RequestHandler(SimpleJSONRPCRequestHandler):   

    def do_OPTIONS(self):
       self.send_response(200)
       self.end_headers()

    def end_headers(self):
       self.send_header("Access-Control-Allow-Headers",  
              "Origin, X-Requested-With, Content-Type, Accept")
       self.send_header("Access-Control-Allow-Origin", "*")
SimpleJSONRPCRequestHandler.end_headers(self)

The Electrum developers quickly resolved the issue and released an update. A full explanation on the vulnerability by the developers may be found here. All versions of Electrum following 3.0.5 (inclusive) are free of the error. The most recent version of Electrum may be downloaded at the official Electrum website.

Support us and the authors of this article by donating to the following address:

3CiArA7KNyZqfbCbc4HLWnoS7aBS2d3QxK

Comments powered by Talkyard.