The administrators of the Electrum Bitcoin wallet app have released a security update that fixes a vulnerability that existed in the software for almost two years.
Ironically, it was a Bleeping Computer article that helped a user discover this bug.
Three days after we ran a story about miscreants scanning the Internet for Ethereum wallets with exposed JSON RPC ports, a user going by the name of "jsmad" reported to the Electrum team that their wallet was also exposing a similar JSON RPC interface online.
A JSON RPC interface is a standard software design element through which developers open their application to other software. Third-party software can make calls to this interface and interact with the original software's data and functions.
JSON RPC can be configured in many ways, based on the software's purpose, but the best security practice is to password-protect and bind the interface to localhost, meaning that only locally installed apps that know a password can interact with the JSON RPC endpoints.
Jsmad suggested that the Electrum team password-protect the JSON RPC interface, so only users and apps knowing the wallet's password could interact with it.
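As an added illustration of the two practices just described (not Electrum's own code), here is a minimal JSON-RPC server in Python that binds only to the loopback address and refuses any call that does not carry the expected HTTP Basic credentials. The user name, password and the getbalance method are placeholders invented for the example.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder credentials for this example; a real wallet would derive them from its config.
RPC_USER = "rpcuser"
RPC_PASSWORD = "correct horse battery staple"

def make_basic_header(user, password):
    """Build an HTTP Basic 'Authorization' header value for user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_auth_ok(authorization_header, user=RPC_USER, password=RPC_PASSWORD):
    """True only if the header carries the expected credentials.
    A missing or malformed header is rejected; comparison is constant-time."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:]).decode()
    except Exception:
        return False
    given_user, sep, given_pw = decoded.partition(":")
    if not sep:
        return False
    return (hmac.compare_digest(given_user.encode(), user.encode())
            and hmac.compare_digest(given_pw.encode(), password.encode()))

def handle_rpc(body, authorization_header):
    """Dispatch a JSON-RPC 2.0 call only after the password check passes.
    Returns (http_status, response_dict); unauthenticated callers learn nothing."""
    if not basic_auth_ok(authorization_header):
        return 401, {"jsonrpc": "2.0", "error": {"code": -32000, "message": "unauthorized"}, "id": None}
    try:
        req = json.loads(body)
        if not isinstance(req, dict):
            raise ValueError
    except ValueError:
        return 400, {"jsonrpc": "2.0", "error": {"code": -32700, "message": "parse error"}, "id": None}
    if req.get("method") == "getbalance":  # placeholder wallet method for the demo
        return 200, {"jsonrpc": "2.0", "result": {"confirmed": "0.5"}, "id": req.get("id")}
    return 200, {"jsonrpc": "2.0", "error": {"code": -32601, "message": "method not found"}, "id": req.get("id")}

class RPCHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, resp = handle_rpc(self.rfile.read(length), self.headers.get("Authorization"))
        payload = json.dumps(resp).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Bind to 127.0.0.1 only, never 0.0.0.0, so the port is unreachable from the network.
    HTTPServer(("127.0.0.1", 7777), RPCHandler).serve_forever()
```

Loopback binding alone does not help against the scenario this article goes on to describe, because the hostile web page runs inside a browser on the same machine; the password check is what actually stops it.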
The initial bug report did not convince the Electrum team that this was an issue that needed to be addressed.
The bug report was amended over the past weekend with more information on the bug's severity when famous Google security researcher Tavis Ormandy provided more context to why exposing the Electrum wallet JSON RPC interface is such a big issue.
"The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds," Ormandy said.
The Google researcher explained that attackers could trick Electrum users into visiting a malicious website that scans for and identifies the Electrum wallet's random JSON RPC port within seconds, then issues malicious commands to the wallet, stealing the user's funds.
Public proof-of-concept attack code is already available online. A Twitter user recorded a video of the attack described by Ormandy.
"Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password or if it's easy to guess it can be bruteforced #bitcoin pic.twitter.com/MYq1u9ZZbt"
h43z (@h43z), January 7, 2018
The Electrum team addressed the issue by releasing an emergency fix for the Electrum wallet (version 3.0.4) over the weekend, and a permanent patch this week (version 3.0.5).
According to a detailed incident response report, the Electrum team says the JSON RPC interface was introduced back in Electrum version 2.6, released in February 2016. Electrum devs are now urging all users to update to the new version of their wallet app.
Spurred by Ormandy's bug report, the Cisco Talos research team also reported several other issues with exposed JSON RPC endpoints in the CPP and the Parity Ethereum wallets. Details about the five issues Talos researchers found are available here.