A recap of the issue 👇

1/ Electrum is a light client, which means it must connect to the blockchain through a server, which by default is chosen from a list of public Electrum servers. Anyone can operate such a public server and some users will be randomly connected to it. https://twitter.com/verretor/status/1299920970011029505
2/ When broadcasting a transaction on Electrum, it gets sent to the Electrum Server you are connected to for propagation to the network. The server should try to add the transaction to its mempool and further propagate it to other Bitcoin nodes.
3/ In case the transaction is invalid, the Electrum Server the user is connected to can return an error message, which will be displayed an error popup on the user's Electrum client.
4/ Prior to Electrum v3.3.3, the error message returned was allowed to be free text, so the Electrum Server could return any message it wants and make it pop up on the user's client as an error message.
5/ Now the attackers here exploited this free-text capability, along with the fact that anyone can run an Electrum server to which clients will be automatically connected.
6/ The attackers then have set up a public Electrum Server, which was tweaked so that instead of propagating the user's transaction as it should, it always returns a malicious error message directing the Electrum clients to a phishing website to "upgrade" their Electrum version.
7/ So when users of Electrum got randomly connected to such a malicious server, they were given the malicious error message directing to the malware download site. Since it looks just like any valid error message within the app, it was easier for the attackers to fool the users.
8/ This did not affect users who were only connected to their own Electrum Server, since the problem is the error returned from an untrusted server. It is always best to use your own node, and when using Electrum, run and connect directly to your self-operated Electrum Server.
9/ This also did not affect users who properly validate their downloaded software and its download source, as well as users who do not store coins on a hot wallet (and properly verify addresses on the HWW device).
10/ As a note, this summary is based only on my own understanding of the issue, so there might be mistakes, which if you see please comment on.
You can follow @_benkaufman.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more