Immediately close Electrum, then don’t panic. — Download version 3.0.5, and make sure to verify it against the developer’s PGP signature (preferably kept from before).
If you have enabled the JSON-RPC API by setting server=1 in nu.conf, you must make sure to use strong credentials for
It’s easy to set insecure RPC credentials for local use and assume access from the internet won’t be allowed, or neglect the risk out of ignorance, perhaps in a hurry to get it to work and then forgetting about it.
The usual reason to enable the RPC is to control NuBits Wallet from a terminal shell with ./nud getinfo etc., and the wallet recommends strong credentials. You are only at risk if you set your own RPC password. Please use the password suggested by ./nud <command> when rpcpassword is not set in nu.conf.
Check RPC configuration for NuBits Wallet
- Close NuBits Wallet.
- Locate nu.conf as instructed at https://nubits.com/wallet-manual.
- Read nu.conf and look for the text:
  a. If you need the RPC, make sure that rpcpassword= is set to a strong password.
  b. If you don’t need the RPC, and it’s enabled, remove server=1 from nu.conf.
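The check above can be scripted. This is an added example, not NuBits code: it assumes nu.conf uses plain key=value lines with # comment lines and an rpcuser key, and the strength thresholds are arbitrary choices rather than NuBits requirements.

```python
# Added example: audits the text of a nu.conf for the two checks in the steps above.
MIN_LENGTH = 20    # assumed threshold, not a NuBits requirement
MIN_DISTINCT = 10  # assumed threshold on distinct characters

# Constructed sample input, not a real configuration.
SAMPLE_CONF = """\
# constructed example
server=1
rpcuser=nu
rpcpassword=nu123
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and lines that start with '#'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return a list of findings for the RPC settings in a nu.conf."""
    conf = parse_conf(text)
    if conf.get("server") != "1":
        return ["ok: server=1 not set, RPC is not enabled"]
    password = conf.get("rpcpassword", "")
    user = conf.get("rpcuser", "")  # assumed key name, not shown on the page
    if not password:
        return ["missing: rpcpassword not set, use the one ./nud <command> suggests"]
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"weak: rpcpassword shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT:
        findings.append(f"weak: rpcpassword has fewer than {MIN_DISTINCT} distinct characters")
    if user and user.lower() in password.lower():
        findings.append("weak: rpcpassword contains rpcuser")
    return findings or ["ok: server=1 with an rpcpassword that passes these checks"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The findings never include the password itself, so the output is safe to paste into a support thread.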
We are not certain of the entire impact, but have no reason to believe the NuBits Wallet RPC is insecure when used with a proper password. One concern is privacy, if a website can know you’re running the wallet.
Electrum’s issue is illustrated well by https://twitter.com/h43z/status/950141260521787392.
Electrum by default allowed access even for password-less wallets. NuBits Wallet requires user action to enable the RPC and recommends a secure password.