EF Blog


Security Alert 1 [windows+alethzero]

Posted by Jutta Steiner on August 7, 2015

This affects users of the AlethZero GUI client on Windows. Users of the eth CLI client, and users on platforms other than Windows, are unlikely to be affected but should still take the action detailed below. Users of the Frontier command-line interface geth are unaffected.

Issue description: While setting privacy permissions on the keys directory, insufficient error handling can cause the key files not to be written; this may be widespread on the Windows platform. As a result, current versions of AlethZero and eth may include identities for which no underlying key exists. The Ether Presale Claim functionality of AlethZero may result in funds automatically being transferred to these lost identities.

Workaround: Users of AlethZero version 0.9.39 and earlier should NOT use the “Claim Presale Wallet” function; users of AlethZero and eth versions 0.9.39 and earlier should not attempt to mine or receive funds into their addresses.

Users of eth and AlethZero on all platforms should consider themselves safe once they have confirmed that they do indeed have the underlying key. To check (with your existing setup) run:

ethkey.exe --list

You may assume that all listed addresses do indeed have a key behind them and are not suffering from this issue.

Remedial action taken by Ethereum: A new hotfix has been released with the following changes:

  • Identities for which there are no underlying keys are no longer displayed.

  • Key files are written regardless of whether setting directory permissions succeeded.

Fix: Versions 0.9.40 and onwards, available from circa 2015.08.07 18:30 CEST.
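
The failure mode and the two hotfix changes described above, as an added illustration in C++ (not AlethZero's actual code, which this page does not show). KeyStore, SetPerms, the .key file naming and the key bytes are hypothetical, constructed for the example.

```cpp
#include <fstream>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the call that restricts access to the keys directory.
using SetPerms = std::function<void(const std::string&)>;

struct KeyStore {
    std::string dir;                      // existing keys directory
    std::vector<std::string> identities;  // addresses the client knows about
    std::string pathFor(const std::string& a) const { return dir + "/" + a + ".key"; }
    bool hasKey(const std::string& a) const {  // is there a non-empty key file on disk?
        return std::ifstream(pathFor(a), std::ios::binary).peek() != std::ifstream::traits_type::eof();
    }
    bool writeKey(const std::string& a, const std::string& blob) const {
        std::ofstream out(pathFor(a), std::ios::binary | std::ios::trunc);
        out << blob; out.close();
        return !out.fail() && hasKey(a);  // confirm by reading back
    }
    // Fragile: identity recorded first; a permission error aborts the write unnoticed.
    void addFragile(const std::string& a, const std::string& blob, const SetPerms& p) {
        identities.push_back(a);
        try { p(dir); writeKey(a, blob); } catch (const std::exception&) {}
    }
    // Hardened: report the permission failure, write anyway, record only once on disk.
    bool addHardened(const std::string& a, const std::string& blob, const SetPerms& p) {
        try { p(dir); } catch (const std::exception& e) {
            std::cerr << "warning: keys directory permissions not set: " << e.what() << "\n";
        }
        if (!writeKey(a, blob)) return false;
        identities.push_back(a);
        return true;
    }
    std::vector<std::string> displayable() const {  // identities backed by a key file
        std::vector<std::string> shown;
        for (const auto& a : identities) if (hasKey(a)) shown.push_back(a);
        return shown;
    }
};

int main() {  // constructed demo: the permission call always fails
    SetPerms deny = [](const std::string&) { throw std::runtime_error("access denied"); };
    KeyStore ks{".", {}};
    ks.addFragile("demo-lost", "constructed-key", deny);
    ks.addHardened("demo-kept", "constructed-key", deny);
    for (const auto& a : ks.displayable()) std::cout << a << "\n";
}
```

With the permission call failing, the fragile path leaves "demo-lost" in the identity list with no file behind it, while the hardened path still persists "demo-kept" and only that address is displayed.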
