A huge security flaw in the Electrum wallet left users' bitcoins exposed for nearly two years, giving hackers an easy way to access them and send them to a different wallet. A user noticed the flaw and reported the issue on the official Electrum GitHub repository in late November of last year. Fortunately, the bug was successfully patched this month, on January 7th. The bug allows a person with malicious intent to access your Electrum wallet if the wallet isn't encrypted.
A tweet from Tavis Ormandy, a Google security researcher, may have contributed to its urgent patching:
The bitcoin wallet Electrum allows any website to steal your bitcoins. I was gonna report it...but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours. Update to 3.0.4 if you use it.
As the tweet says, if you use Electrum for your Bitcoin wallet, update to 3.0.4 as soon as possible to protect yourself from this vulnerability. A Twitter user made a quick demo video of how the exploit can be used, just by visiting a malicious website.
Electrum says they were unaware of how serious the bug was until recently, according to Motherboard's communication with the founder. The user who initially reported the bug reportedly didn't know about the security implications either, which is why no critical flags went off at the time.
Keep safe out there! If you use Electrum wallet to store your bitcoins, be sure to encrypt the wallet with a password and update to the latest patch immediately.