Bug#921688: Electrum vulnerable to malware

Bug#921688: Electrum vulnerable to malware

darknetwhiteknight
Package: electrum
Version: 3.1.3-1~bpo9+1

When electrum connects to certain malicious servers they issue a warning
message telling the user to upgrade by following a phishing link. The
link prompts the user to enter their credentials and install malware,
which results in the loss of all their funds. A new version of electrum
has been released to address these problems.

The issue is being discussed here:
https://github.com/spesmilo/electrum/issues/4968 complete with
screenshots of the phishing messages.

Given the severity and urgency of this exploit, the appropriate new
version should be added to the official Debian repos ASAP to avoid
further attacks on users.

I am using Debian GNU/Linux 9 (stretch) 64-bit
Kernel 4.9.0-8-amd64
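An added defensive illustration, not code from this bug report or from Electrum itself: a client-side check that treats a server-supplied error message as untrusted, refuses to display any message that carries a link or markup, and escapes whatever it does display so it cannot render as rich text. The sample messages, the notice text and the function names are constructed for this example.

```python
import html
import re

# Constructed sample of what a rogue server could put in an error field
# (assumed shape for this example; not taken from the Electrum protocol).
ROGUE_SERVER_MESSAGE = (
    'Your Electrum client is out of date. Download the update from '
    '<a href="http://example.invalid/electrum-update">'
    'http://example.invalid/electrum-update</a>'
)
BENIGN_SERVER_MESSAGE = "server busy, try again later"

# Anything that looks like a URL, an anchor, or an HTML/rich-text tag.
URL_OR_MARKUP_RE = re.compile(
    r'(?i)\b(?:https?|ftp)://|\bwww\.|<\s*a\b|</?\w+[^>]*>'
)

# Fixed, client-controlled text shown instead of a server-supplied message.
CLIENT_NOTICE = (
    "The server rejected the connection. Check for updates only through "
    "your package manager or the project's own release channel."
)


def server_message_is_suspicious(msg: str) -> bool:
    """True if a server-supplied message contains a link or markup."""
    return bool(URL_OR_MARKUP_RE.search(msg))


def display_text_for(msg: str, max_len: int = 120) -> str:
    """Decide what the client UI may show for a server-supplied string.

    Messages with links or markup are never shown verbatim; the client
    substitutes its own notice. Other messages are truncated and escaped
    so a rich-text widget cannot interpret them as HTML.
    """
    if server_message_is_suspicious(msg):
        return CLIENT_NOTICE
    return html.escape(msg[:max_len])


if __name__ == "__main__":
    for sample in (ROGUE_SERVER_MESSAGE, BENIGN_SERVER_MESSAGE):
        print(repr(display_text_for(sample)))
```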

Bug#921688: Electrum vulnerable to malware

Vincas Dargis
Shouldn't we mark it as Critical or Grave?

Bug#921688: Electrum vulnerable to malware

Vincas Dargis
Control: severity -1 serious

From electrum.org:

"Warning: Electrum versions older than 3.3 can no longer connect to public servers, and must be
upgraded."

Electrum in Debian no longer "syncs"; servers do not provide information for this version. It's
unusable, unless you install an older electrumx server yourself, and it is not available in Debian.

Bug#921688: saw this

Joey Hess-8
In reply to this post by darknetwhiteknight
This is still happening: the legitimate public servers may not work with
electrum older than 3.3, but there are dozens of rogue servers that do, and they are
exploiting this bug.

--
see shy jo

Bug#921688: electrum being actively used for phishing

Sam Hartman-5
In reply to this post by darknetwhiteknight

I realize that we normally don't care about packages only in sid, but
the version of electrum in sid is apparently only useful to funnel your
bitcoin to attackers.
The issue is that versions prior to 3.3 are vulnerable to malware, and
as a result all the public servers refuse to talk to the version in sid,
but rogue servers are happy to take your credentials and money.

The maintainer has not addressed this bug since Feb 7.

I don't have time to go look into the package and upgrade before leaving
on a trip tomorrow.

If we can't get this fixed really quick would ftpmaster accept a request
to remove the package?

--Sam

Bug#921688: electrum being actively used for phishing

Laurent Bigonville-5
On Tue, 30 Apr 2019 10:59:16 -0400 Sam Hartman <[hidden email]> wrote:
>
> I realize that we normally don't care about packages only in sid, but
> the version of electrum in sid is apparently only useful to funnel your
> bitcoin to attackers.
> The issue is that versions prior to 3.3 are vulnerable to malware, and
> as a result all the public servers refuse to talk to the version in sid,
> but rogue servers are happy to take your credentials and money.
>
> The maintainer has not addressed this bug since Feb 7.
>
> I don't have time to go look into the package and upgrade before leaving
> on a trip tomorrow.
>
> If we can't get this fixed really quick would ftpmaster accept a request
> to remove the package?
>

FTR, I looked at 3.3.4 and it requires 2 new python modules that are not
yet in the archive: aiohttp_socks and aiorpcx.

My work on the package is at https://salsa.debian.org/bigon/electrum

Bug#921688: Updates

Antoine Amarilli
In reply to this post by darknetwhiteknight
Hi,

Are there any updates on packaging a new version of electrum in Debian?

Many thanks for your work on this!

Best,

--
Antoine Amarilli

Bug#921688: Updates

Laurent Bigonville-5
In reply to this post by darknetwhiteknight
On Sat, 20 Jul 2019 11:46:37 +0200 Antoine Amarilli <[hidden email]> wrote:

> Hello everyone,

Hello,

>
> This bug has been open and the electrum package has been unusable for
> almost 6 months now. Tristan, are you planning on packaging a new
> version at some point, or is the package no longer maintained?

I've just uploaded a NMU with the latest version of electrum (3.3.8) to
unstable.

My git branch can be found here: https://salsa.debian.org/bigon/electrum
if anybody wants to merge it into the official git repository of the package.

FTR, I'm not planning to take care of this package in the long run.

Kind regards,

Laurent Bigonville