Security problem of Jaxx Wallet - Anyone can Extract your Seed!

in #bitcoin · 7 years ago (edited)

I found a thread on Reddit in which a user shows how easy it is to extract the 12-word backup phrase (seed) from a Jaxx wallet, both in the desktop version and in the Chrome extension.

"Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen."

If someone gets your backup phrase, they can restore your Jaxx wallet, which gives them access to all your private keys and therefore your coins.

All this is possible because the seed is stored under weak encryption:

"The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password."

As mentioned above, it does not matter whether you have a PIN activated or a strong password: neither is used in the encryption of the stored seed, so whoever can read the encrypted file can also decrypt it, because the key is the same on every installation.


Although the Jaxx team is aware of this flaw, they don't plan to fix it

In the same thread, the Jaxx CTO says they don't intend to change their security model, arguing that it strikes a balance between security and ease of use. He also points out that Jaxx should be used as a "hot wallet" and not to store large amounts.

By the way, there are still 2 days left to take part in the Dash campaign, where they are giving $20 for creating a Dash wallet for a friend :D


Sources: Reddit, Vxlabs

Images: Image1, Image2


Hey Angelgarz,

Great Post! I read about this issue with JAXX today and just confirmed my feelings about the software. This weekend I had $1300 in DASH disappear from JAXX, nothing showed up in my balance. When I refreshed the DASH blockchain from JAXX, nothing, zero balance. So knowing that they use multiple wallet addresses I went to the backup wallet area in jaxx and got my private keys for all my DASH. I then proceeded to download the DASH wallet, and I imported my private keys to the wallet. And to my surprise my DASH appeared. I would suggest to all that you DO NOT use JAXX for these multiple reasons. Hope I can help our crypto community. - Cheers

Thanks @oceancoinz. What a fright! Another Steemian told me that he is experiencing the same, but I don't know if he finally recovered his DASH. Definitely, I'm doing the same; before, I recommended it to people starting out in crypto, but with these flaws, no way.

Thanks for commenting! I followed you.

Kind of worrying with Jaxx reaction to this issue. I'll definitely make sure to only store small amounts if using their wallet.

Yes, it really is. You can see their full answer in the Reddit link; I just fixed it.

Perfect, thank you!

Never liked Jaxx anyway, Exodus and Nano Ledger all the way

Yeah me neither, but it's very popular and this flaw is pretty worrying

Thanks man, very helpful - deleted from my PC :-D

You're welcome, thank you for reading. Hahahaha yeah! It's better to be safe. Welcome to Steemit!

;-) thanks

Thanks for your article. You could also help us to protect the Abongphen highland Forest in Cameroon. https://steemit.com/nature/@kedjom-keku/do-it-for-forest-why-humans-need-green-color-each-11usd-10x10-m-forest-saved

You're welcome! Thank you for reading. Sure, I'll check it.

Interesting find. I would like to point out that this doesn't really apply to the Android version of the Jaxx wallet, since apps are sandboxed from each other and it would take a lot more to extract the key. I'll also point out that after reading the original article, it seems the attacker would need actual access to your PC to read from your disk. In this case the attacker already owns you anyway.

Thanks. Yes, I mention in the article that it is only the desktop version and the Chrome extension. Sure, in that case you'd already be fucked, but with good encryption it would be almost impossible or, at worst, would take more time to extract your seed, and at least your wallet would be safe.

Great find. This should be spread around.

I love my Jaxx wallet. I'll have to make sure to scale down holdings in it though. Thanks for the insight.

Thanks @anotherjoe! Sure, i think you could help to spread this around ;) haha.

I think Jaxx has a lot to offer and potential, for its ease of use and its features, although it's not the safest option, but if they don't solve this security flaw I will stay away a bit. You're welcome, thank you for reading and commenting!

Thanks for sharing this. I'm pretty new to cryptos so I've been trying to figure out how to keep coins secure, especially when diversified in many different coins. There isn't just one wallet that holds everything securely yet, so it's confusing for me to figure out what to do. I mean, where in the hell are we supposed to store everything? Makes it difficult to justify putting any more money into it when there are so many questions regarding the security. Should we just do paper wallets for the majority of our coins and only leave some on exchanges and wallets? I'm still trying to figure it out.

You're welcome, thank you for reading and commenting!

Yes, such a wallet would be the best. Currently the Nano Ledger supports several currencies, but as you say there are many currencies and everything depends on your needs. It is best to look for what fits you best and take all the security measures you can.

By the way, I see that you joined this month (I joined the previous one). Welcome!

Thank you for the welcome and the info.

Guys, is this issue solved now?