In light of Electrum versions 2.6–3.0.3 allowing any website to access its API and transfer funds from your wallet if weakly protected. No password for your Electrum wallet means you can lose all funds to any website running JavaScript. Using a password means any website must guess or bruteforce the password before they can steal funds (or change Electrum settings).
Immediately close Electrum, then don’t panic. — Download version 3.0.5, and make sure to verify it against the developer’s PGP signature (preferably kept from before). https://electrum.org
NuBits Wallet
If you have enabled the JSON-RPC API by setting server=1 in nu.conf, you must make sure to use strong credentials for rpcuser= and rpcpassword=.
It’s easy to set insecure RPC credentials for local use and assume access from the internet won’t be allowed, or neglect the risk out of ignorance, perhaps in a hurry to get it to work and then forgetting about it.
Regular use that prompts enabling the RPC is to control NuBits Wallet in a terminal shell with ./nud getinfo etc., and the wallet recommends strong credentials. You are only at risk if you set your own RPC password. Please use the password suggested by ./nud <command> when rpcpassword is not set in nu.conf.
Check RPC configuration for NuBits Wallet
- Close NuBits Wallet.
- Locate nu.conf as instructed at https://nubits.com/wallet-manual.
- Read nu.conf and look for the text:
server=1
a. If you need the RPC, make sure thatrpcpassword=is set to a strong password.
b. If you don’t need the RPC, and it’s enabled, removeserver=1from nu.conf.
API security
We are not certain of the entire impact, but have no reason to believe the NuBits Wallet RPC is insecure when used with a proper password. One concern is privacy, if a website can know you’re running the wallet.
Electrum’s issue is illustrated well by https://twitter.com/h43z/status/950141260521787392.
Electrum by default allowed access even for password-less wallets. NuBits Wallet requires user action to enable the RPC and recommends a secure password.