RE: Advisory: Vulnerability discovered in popular Electrum wallets

in #blocktrades, 6 years ago (edited)

Maybe I am misunderstanding the change notes, but it seems to me that the fix that has been implemented in the newest release (v3.0.4, ~9 hours ago) has disabled default CORS approval, which means the vulnerability could still be exploited by code running on the local computer; obviously a password-protected wallet goes a long way to mitigate the chance of compromise.
While this is the case with most software, I am not sure why the RPC is being enabled by default when 95% of users would have no use for it, and the ones that did would be proficient enough to enable it for use.

Thanks for the heads-up. Interesting to see it was first reported in Nov 2017 and not until today that a PoC confirmed it as such a high risk.
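
The distinction the comment above draws (a CORS change only binds browsers; a process on the same machine talks to the RPC port directly, and only a credential check on the server stops it) is easy to see with a small simulation. What follows is an added example, not code from this thread or from Electrum: a toy localhost JSON-RPC server started in three configurations and probed by three kinds of caller. The server, its single `getbalance` method, the credentials and the hostile origin are all constructed for the demo and do not model Electrum's actual implementation or its fix.

```python
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed for the demo: RPC credentials, a hostile web origin, one RPC method.
RPC_USER, RPC_PASSWORD = "rpcuser", "correct-horse-battery-staple"
ORIGIN = "https://attacker.example"
METHODS = {"getbalance": lambda: {"confirmed": "1.5"}}
CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "getbalance", "params": []}).encode()


def make_handler(allow_cors, require_auth):
    """Toy localhost JSON-RPC handler. allow_cors: grant browser preflights with
    Access-Control-Allow-Origin: *. require_auth: check an RPC password on each call."""
    expected = "Basic " + base64.b64encode(f"{RPC_USER}:{RPC_PASSWORD}".encode()).decode()

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_OPTIONS(self):  # a browser sends a preflighted POST only if this allows it
            self.send_response(204 if allow_cors else 403)
            if allow_cors:
                self.send_header("Access-Control-Allow-Origin", "*")
                self.send_header("Access-Control-Allow-Methods", "POST")
                self.send_header("Access-Control-Allow-Headers", "Content-Type")
            self.end_headers()

        def do_POST(self):
            auth = self.headers.get("Authorization", "")
            if require_auth and not hmac.compare_digest(auth, expected):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="rpc"')
                self.end_headers()
                return
            call = json.loads(self.rfile.read(int(self.headers.get("Content-Length", "0"))))
            func = METHODS.get(call.get("method"))
            body = json.dumps({"jsonrpc": "2.0", "id": call.get("id"),
                               "result": func() if func else None}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            if allow_cors:
                self.send_header("Access-Control-Allow-Origin", "*")
            self.end_headers()
            self.wfile.write(body)

    return Handler


def start_server(allow_cors, require_auth):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(allow_cors, require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send(port, method, headers, data=None):
    """One request to the toy server; returns (status, response headers)."""
    req = request.Request(f"http://127.0.0.1:{port}/", data=data, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers
    except error.HTTPError as exc:
        return exc.code, exc.headers


def web_page(port):
    """Script on a hostile page: a JSON POST needs a passing preflight, and the page
    holds no RPC credentials."""
    _, hdrs = send(port, "OPTIONS", {"Origin": ORIGIN, "Access-Control-Request-Method": "POST",
                                     "Access-Control-Request-Headers": "content-type"})
    if hdrs.get("Access-Control-Allow-Origin") not in ("*", ORIGIN):
        return "blocked by browser"
    status, _ = send(port, "POST", {"Origin": ORIGIN, "Content-Type": "application/json"}, CALL)
    return "read balance" if status == 200 else f"http {status}"


def web_page_simple_post(port):
    """A text/plain POST is a 'simple' request: no preflight, the browser sends it and
    only hides the response, so the server itself has to refuse it."""
    status, _ = send(port, "POST", {"Origin": ORIGIN, "Content-Type": "text/plain"}, CALL)
    return "processed by server" if status == 200 else f"http {status}"


def local_process(port, creds=None):
    """Any process on the same machine: no browser, hence no CORS check at all."""
    headers = {"Content-Type": "application/json"}
    if creds:
        headers["Authorization"] = "Basic " + base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    status, _ = send(port, "POST", headers, CALL)
    return "read balance" if status == 200 else f"http {status}"


def run_scenarios():
    results = {}
    for name, cors, auth in [("open RPC, CORS *", True, False),
                             ("CORS disabled, no password", False, False),
                             ("CORS disabled + RPC password", False, True)]:
        srv = start_server(cors, auth)
        port = srv.server_address[1]
        results[name] = {
            "web page": web_page(port),
            "web page, simple POST": web_page_simple_post(port),
            "local process, no creds": local_process(port),
            "local process, creds": local_process(port, (RPC_USER, RPC_PASSWORD)),
        }
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

Two things in the output are worth noting. In the "CORS disabled, no password" configuration the ordinary page script is stopped at the preflight, but the local process still reads the balance, which is the commenter's point; and the "simple POST" caller is still processed by the server, because the browser enforces CORS by withholding the response, not by withholding the request. Only the configuration that checks a credential on every call turns both the local caller and the preflight-free browser request away, which is why an RPC password (or simply not listening at all when RPC is not needed) matters more than the CORS headers.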
