Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys

Bitmessage developers have issued an emergency update for the PyBitmessage client that patches a critical remote code execution vulnerability that has been exploited in attacks.

Bitmessage development team has rolled out an emergency patch to address a zero-day vulnerability in the PyBitmessage client for Bitmessage, which a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users.

The flaw is critical remote code execution vulnerability that according to the experts was being exploited in the wild to steal Bitcoin wallet keys.

According to the security advisory published by the development team developers, hackers exploited the flaw in attacks against users running PyBitmessage 0.6.2.

“A remote code execution vulnerability has been spotted in use against some users running PyBitmessage v0.6.2. The cause was identified and a fix has been added and released as 0.6.3.2. If you run PyBitmessage via code, we highly recommend that you upgrade to 0.6.3.2. Alternatively you may downgrade to 0.6.1 which is unaffected.” reads the advisory.

The message encoding vulnerability has been patched with the release of version 0.6.3.2. The developers highlighted that PyBitmessage 0.6.1 is not affected by the vulnerability, this means that users can also downgrade their version to mitigate the attacks.

According to the security advisor, hackers targeted also the Bitmessage core developer Peter Šurda, his keys were most likely compromised for this reason he has created a new support address.

“Bitmessage developer Peter Šurda’s addresses are to be considered compromised.” continues the advisory.

Users are recommended to change their passwords and create new bitmessage keys.

Šurda speculates the attacker exploited the zero-day to create a remote shell and steal bitcoins from Electrum wallets.

“The exploit is triggered by a malicious message if you’re the recipient (including joined chans),”Šurda wrote on Reddit thread. “The attacker ran an automated script but also opened, or tried to open, a remote reverse shell. The automated script looked in ~/.electrum/wallets, but when using the reverse shell he had access to other files as well.”

Bitmessage developers are still investigating the attacks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – bitmessage app, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]