Developers' Surprising Response to a [Security & Exploit] that Allows Easy Extraction of the Jaxx Wallet 12-Word Backup Phrase

in #cryptocurrency, 7 years ago (edited)


To those in the crypto space: a newly discovered vulnerability in the highly popular Jaxx cryptocurrency wallet could allow attackers easy access to your 12-word wallet backup phrase. The Jaxx developers are aware of this and have responded publicly that this security flaw will not be fixed, reminding users that Jaxx is a hot wallet suitable for storing small amounts of cryptocurrency.

Monero Lead Developer Criticizes Jaxx Wallet Security

A tweet by Riccardo “FluffyPony” Spagni detailed how Vx Labs discovered the Jaxx vulnerability and described how attackers could exploit the weakness:

[Screenshot of the tweet, captured from bitsonline.com's article on the Jaxx vulnerability]

Even Charlie Shrem, a well-known Bitcoin enthusiast and Jaxx's Director of Business & Community Development, responded to the tweet:

[Screenshot of Charlie Shrem's reply to the tweet]

Vx Labs continued that unauthorized access to your device allows attackers to retrieve your 12-word backup phrase, after which they can easily recover your wallet and steal your money:

“With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.”

The tweet went on to link the technical demonstration of the vulnerability and how it can be exploited, published by VxLabs. The link describing the Jaxx security vulnerability in detail is found at the bottom of this post.

Jaxx Developer Response

Users soon reacted with skepticism, as the Jaxx developers said they are ‘very comfortable’ with how their wallet works, regardless of this security flaw.

Even Vx Labs' post on Reddit received a response from one of the Jaxx developers:

[Screenshot of the r/jaxx Reddit thread “Easy extraction of the Jaxx 12-word w…”]

Jaxx CTO Nilang Vyas entered the thread to address these concerns regarding Jaxx security. His response, however, raised further concerns: he stated that this is not a critical Jaxx security flaw and instead used it as an opportunity to explain major points about Jaxx's current security model. Users who were unaware of this were left with the impression that Jaxx is not the safest way of storing a ''life-changing'' amount of cryptocurrency, as mentioned by Charlie Shrem in his tweet.

Nilang told users that the Jaxx wallet was not meant for long-term cryptocurrency storage. It was designed as a hot wallet, Nilang said, and users must ensure the full security of their own devices to prevent theft.

“We are very comfortable with this security model for Hotwallets,” Nilang wrote.

“The fact is there will always be tradeoffs between user experience, portability and security and we believe we’ve struck a great balance.”

If you thought that Jaxx is one of the most secure cryptocurrency wallets, you should do some in-depth research, as the developers have clearly stated that Jaxx is not a recommended solution for storing large amounts of cryptocurrency tokens. Since money is on the line, it is important that you can trust any third-party service involved!

This is made possible by the way the Jaxx wallet encrypts the mnemonic phrase. It uses a hardcoded encryption key, which is a poor choice: even if users enable an additional PIN code or a strong password, that secret is not incorporated into the encryption. As a result, anyone with access to the device can read and decrypt the recovery phrase from local storage with a simple tool. This issue appears to affect both the desktop clients and the browser plugins.

The safest way to store cryptocurrency is a hardware wallet like Trezor or Ledger, especially for safekeeping a large portion of your holdings. If you don't have the funds for one, consider Exodus; if you are still a fan of Jaxx because it supports more cryptocurrencies, consider diversifying your tokens and not keeping them all in one nest, which means using multiple Jaxx accounts on different devices.

Visit the official site of VxLabs, the group behind the discovery of the Jaxx backup phrase security flaw; they also have a temporary workaround for securing your Jaxx wallet, if you are interested enough to learn how to store cryptocurrencies securely using Jaxx in the first place. I personally have a lot of different wallets in order to diversify my holdings and would never use one platform to store all of my tokens, even if it's a hardware wallet, because you never know what could go wrong; always question any service you're using, especially when it comes to trusting them with your hard-earned money. I would still consider using the Jaxx wallet, but I wouldn't fully depend on its software to protect my assets, since you never know exactly what is going on in the digital realm.

With cryptocurrencies, you have to be your own bank and take full responsibility, especially if you're investing; it is important to know that your assets are kept in a secure environment. Keep your Steem in your Steemit account via Steem Power or Savings instead of leaving it on a crypto exchange, and remember to stay safe online.


Source

Vxlabs.com: Extracting the Jaxx 12-word wallet backup phrase.

PASF Riccardo Spagni Official Twitter

Jaxx Reddit Forum


By all means, if you need to store many coins get a Ledger Nano S hardware wallet. Jaxx is a toy and apparently forever will be.

Well, those are out of stock till the end of July; I ordered one 2 weeks ago and will get it only in August if lucky.

Big fan of the Ledger Nano; I definitely recommend that those interested in safekeeping large amounts of crypto use cold storage instead of a hot wallet. The chances of your hardware wallet getting hacked are very slim, so definitely don't store any cryptocurrency on exchanges: small amounts for Jaxx, and large amounts are best kept offline on a secure dedicated device.

Huh, well soon we will see worms written to seek out those keys on personal computers, and the scale of the problem will increase many fold.. this is how a leading product and brand can be killed.. bad customer approach; unless Jaxx is developing a hardware wallet and can position it as a solution, they will face churn towards more secure wallets.

I keep all of my wallets offline unless they are in use. If the computer is powered off, it is hard to access.

2 computers. One for everyday use and one for crypto.

Which offline wallet would you suggest?

Ironically, my favourite is still Jaxx. If you always assume that your wallet is not secure, then you try harder to protect it. ;-)

Very informational thanks!!

Security has always been an issue and people have lost lots of money to hackers.. an offline wallet is the solution... good post indeed

not cool

This is a serious issue.. I am resteeming it...

Yeah it is, I thought of Jaxx as being one of the most secure crypto wallets out there. It probably still is, considering that many of us trust their services, and when money is on the line, security becomes our number one priority now that we are in charge of being our own bank. Even the developers know the risk of safely storing cryptocurrency, recommending that we use a hardware wallet, which is a good idea; however, you still have to trust a third party at the end of the day. Paper wallets are the way to go but too complicated for some. It's best to just diversify into multiple cryptocurrency wallets, since it's unlikely that a hacker can hack you on multiple devices at once.

God dammit. Time to give Exodus a second chance!

Exodus might have the same issue, as their code was audited like last year and it is not open source. Besides, one drop is enough to collect all private keys/seeds/etc. and then act on those somewhere in the future.. it is never safe to create any wallet while connected; here's how to best create an offline one: https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

Could be serious for Jaxx users. This is why I never just jump on the bandwagon of new products.

Resteeming this. Please polish up on some of the misspellings in here if you get the time. Thanks for posting @steemitguide

That is why I keep all my money on the exchange

That's far worse than having it on your desktop.. Looks like you never heard of Mt Gox, how they stole over 400M USD in BTC from users

That's even worse to be honest.