spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

Electrum 4.0.0 : Serious Error !!! #5183

Closed Boutag closed 5 years ago

Boutag commented 5 years ago

Hello, I tried to send 0.00005 BTC, but when sending it sent the whole amount from my wallet to an unknown address !!! And it did not ask for a password when sending !!! It is like a version stealing all my Bitcoin... Can someone explain or help me please. Thanks.

sefrem commented 4 years ago

@CherryDT What I meant by "too long" is that apart from having a little note on the main page I don't see any other actions undertaken by devs to prevent this scam. Oh, I've read that in the new updates it is not possible to display HTML in the popup. But hey, some kind of real popup from the devs for those who use older versions would've been helpful. One other thing that threw me off. I fought with Windows Defender for around 5 mins to install this "update" but I didn't find it suspicious because on electrum.org in downloads it says "Electrum binaries are often flagged by various anti-virus software. There is nothing we can do about it, so please stop reporting that to us." Maybe if it wasn't there I would've double-checked the source from which the update was downloaded. Anyway, that's just me being smart now after doing a stupid thing.

The-Compiler commented 4 years ago

that apart from having a little note on the main page I don't see any other actions undertaken by devs to prevent this scam.

See https://github.com/spesmilo/electrum/issues/5084#issuecomment-461641700

But hey, some kind of real popup from the devs for those who use older versions would've been helpful.

Which is what they did as well: the honest servers started doing the "good attack", warning old clients that they are vulnerable and need to upgrade (when they broadcast a transaction, which is the only time a warning is possible).
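The comments above describe the core of this bug: a server could return an arbitrary message in reply to a broadcast request and old clients rendered it as rich text, which is what both the scam and the "good" warning relied on. As an added illustration (not code from the Electrum project or from anyone in this thread), the following treats any server-supplied message as untrusted plain text before display and flags replies that carry markup or links; the sample replies are constructed for the example.

```python
import html
import re

# Constructed sample replies a server might return for a broadcast request.
# These are made-up strings for the example, not captured payloads.
MALICIOUS_REPLY = (
    '<b>Security update required.</b> Download version 4.0.0 from '
    '<a href="https://example.invalid/electrum">example.invalid</a>'
)
HONEST_REPLY = "Your client is outdated; please upgrade from electrum.org"

MAX_DISPLAY_LEN = 200          # cap what the popup will show
TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def sanitize_server_message(raw: str) -> dict:
    """Return what a client should display for a server-supplied message.

    The text is HTML-escaped so it can only ever render as plain text,
    over-long messages are truncated, and markup/link counts are returned
    so the client can log or flag a suspicious reply.
    """
    text = raw.replace("\r", " ").replace("\n", " ").strip()
    truncated = len(text) > MAX_DISPLAY_LEN
    if truncated:
        text = text[:MAX_DISPLAY_LEN] + "..."
    return {
        "display": html.escape(text, quote=True),
        "truncated": truncated,
        "tag_count": len(TAG_RE.findall(raw)),
        "url_count": len(URL_RE.findall(raw)),
    }


def is_suspicious(raw: str) -> bool:
    """A broadcast error that contains tags or links deserves a log entry."""
    info = sanitize_server_message(raw)
    return info["tag_count"] > 0 or info["url_count"] > 0


if __name__ == "__main__":
    for reply in (MALICIOUS_REPLY, HONEST_REPLY):
        info = sanitize_server_message(reply)
        print(f"suspicious={is_suspicious(reply)} display={info['display']!r}")
```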

sefrem commented 4 years ago

@The-Compiler I don't want to start a rant here so I'm gonna just answer one more time. Well, obviously they haven't done enough, otherwise all these threads on the topic would be dead. But people are continuing to be robbed. Second, take my example as that of someone who'd used their wallet 2 times. First to put some BTC on it and second to take it out. I am usually quite a careful web user. I've never caught any malware or viruses or other stuff. But in this case I was caught off guard. And they failed to warn me about it. The only kind of attack I received was a "bad" one. I'll just state the obvious again: if this is continuing to happen there is a big possibility that someone allows it to happen. That's how these things usually work.

CherryDT commented 4 years ago

The devs can't go back and change history though... You downloaded the version at the time the bug existed. Now you have the version with the bug. And regardless of whether you use that version today or in 30 years from now, the bug will be there. They can't undo that, they can only ask you to download a newer version through their website and social channels (which they did, and the warning on electrum.org is still there), and they can think about some creative means of catching a bit more of the cases, like what they did by intentionally making "good" servers also exploit the bug in order to show a legitimate message, but of course they can't control whether you will end up connecting to one of the good servers or one of the bad ones first. So 100% can't be caught.

I'm sure you have heard about the issue with the Samsung batteries that caught on fire a few years back. A mistake was made, and once they realized that, they put out a product recall. But, if you didn't see the recall announcement in the store, and you hadn't registered your purchase with Samsung so they could contact you directly (you just bought the phone somewhere with cash), and you didn't follow the relevant news channels, then you may still have such a dangerous battery in your phone today without knowing. And if you then take out your phone today, 3 years later, and it explodes, then it also doesn't make sense to say "weird that there are still Samsung phones exploding 3 years later, it must be intentional, or at least they didn't do enough, otherwise the battery in my phone would have magically teleported back to Samsung and been replaced by a fixed one even though I missed the announcements".

(This example is just to explain my point and not intended to be condescending.)

Bugs can and will happen, in any software, and as soon as it became known, everything possible was done to limit the damage already caused by it and prevent it for the future as much as possible.

Please see my explanation above for details: https://github.com/spesmilo/electrum/issues/5183#issuecomment-5857130049

laim2003 commented 3 years ago

Please be aware of any websites from the URL electrum-4.github.io!

This website will redirect you to a malicious download! I already reported this repository to the GitHub team.

Liran-lavi commented 3 years ago

The malicious payload was loaded by a compromised SSP's cookie syncing code through the following URL: https://ipfs-hosting[.]tk/redirect.php, which redirects the victim's browser to https://electrum-4.github.io/electrum.html. This page displayed the JS alert that is shown above and initiated a request to the following URL: microsoft-edge:https://electrum-4.github.io/, which automatically opened the Microsoft Edge browser with the malicious download page.

https://www.geoedge.com/cookie-syncing-compromised-global-bitcoin-malvertising-attack/

plasticalligator commented 2 years ago

Let's use ducktyped languages like Javashit and Python to make Web3. What could POSSIBLY go wrong?

CherryDT commented 2 years ago

Let's use ducktyped languages like Javashit and Python to make Web3. What could POSSIBLY go wrong?

...and how does that have anything to do with this issue...? It wasn't even a problem related to variable data types.

9917131034 commented 2 years ago

Geret