Developers of Electrum reported on the elimination of critical vulnerabilities


The Electrum Bitcoin Wallet team confirmed the presence of a critical vulnerability that allowed access to the user's funds through JavaScript. Urgently released updates are said to have solved the problem.

The issue was raised on Reddit and Bitcointalk. As it became known, if the Electrum wallet was running, malicious sites could steal bitcoins when the user visited them. Access to the funds was possible through the default JSON RPC interface, through which hackers could pass arbitrary console commands, including the export of keys.

The most vulnerable in this case were wallets without a password. A fairly complex password was supposed to guarantee relative security if the wallet owner did not make transactions at that time.

The vulnerability was partially corrected in version 3.0.4, and on Monday night, January 8, the Electrum team posted version 3.0.5 of the wallet, which is supposed to close the vulnerability more reliably.

In particular, the JSON RPC interface is disabled when the wallet graphical interface is running, and by default the password protection of the wallet is enabled.
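The sketch below is an added example, not Electrum's code: a request gate for a wallet-style local JSON RPC listener that refuses service while the GUI is running and requires credentials, as described above, and additionally rejects requests that carry browser markers. The function name, user name, port and generated password are assumptions made for the example.

```python
import base64
import hmac
import secrets

# Hypothetical per-install credentials, generated once and kept in a
# user-only config file (all names and the port are assumptions).
RPC_USER = "rpcuser"
RPC_PASSWORD = secrets.token_urlsafe(32)
ALLOWED_HOSTS = {"127.0.0.1:7777", "localhost:7777"}


def authorize_rpc(headers, gui_running=False):
    """Return (allowed, reason) for one incoming HTTP JSON RPC request."""
    h = {k.lower(): v for k, v in headers.items()}
    if gui_running:
        return False, "rpc disabled while GUI is running"
    # Browsers attach Origin to cross-site POSTs; a local CLI client does not.
    if "origin" in h:
        return False, "browser-originated request"
    # A Host header naming anything but loopback points to DNS rebinding.
    if h.get("host") not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # Form-encoded or text/plain bodies can be sent cross-site without preflight.
    if h.get("content-type", "").split(";")[0].strip() != "application/json":
        return False, "unexpected Content-Type"
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme != "Basic":
        return False, "missing credentials"
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:
        return False, "malformed credentials"
    expected = f"{RPC_USER}:{RPC_PASSWORD}".encode()
    # Constant-time comparison avoids leaking how much of the secret matched.
    if not hmac.compare_digest(supplied, expected):
        return False, "bad credentials"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request: correct Host, no credentials.
    sample = {"Host": "127.0.0.1:7777", "Content-Type": "application/json"}
    print(authorize_rpc(sample))
```
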

The vulnerability also applies to copies of Electrum, for example, Electron Cash.