Exodus wallet: looks pretty, works slick, does Shapeshift very well... but SECURITY? I'm Exiting Exodus!

in #bitcoin, 8 years ago (edited)

[image: Exit-Exodus.jpg]
After really liking this wallet, I upgraded to 1.28.1 today since it can now hold your Decred coins. I sent a few coins to it and, after confirmation about 10 min later, I requested another 'receive' address from Exodus for a second transfer. Guess what? It was the same address!

Yep, Exodus reuses addresses. After chatting with some local bitcoiners in one of my Telegram chats, I was shown this piece:

https://bitedge.com/blog/exodus-wallet-has-bad-privacy-and-security/

In short... not open source and they ignore a number of 'Security 101' best practices.

Well just DAMN IT right?

I had been touting this nice to use wallet for a few days to some people and I feel like I let them down.

I hope to hell they start doing security rather than the usual coin o' the week stuff, and do it soon!

Amended below with response from JP RIchardson of Exodus... this is encouraging.

---snip---

Hey James, Exodus co-founder here…

Thank you for writing this and sharing your thoughts and perspectives with everyone. Positive and negative feedback is what helps us to improve and to build a better product. Without feedback like this, we’d be blind to our own problems.

I’ll take each one of your criticisms one-by-one…

Exodus forces address reuse

Many people believe that multiple addresses increase privacy for a user. There is a degree of truth in this – if done properly and appropriately (UTXO selection matters). Exodus has always had many change addresses for UTXO based assets (BTC, DASH, DOGE, LTC) – so when you send funds, the change goes to a different address each time in your Exodus wallet.

Until recently, we forced a single ‘receive’ address. We viewed this decision partially through the lens of a new user. Eventually we got so many requests to change this, that we decided to allow multiple receive addresses for Bitcoin. You wouldn’t believe the amount of support requests we received stating that we had no right to change the customers’ Bitcoin addresses. Wow, did we mess that one up. So we tweaked the feature a bit, so it always shows the first receive address, but you’ll notice there’s more by clicking the right arrow next to the QR code. We started with Bitcoin first to get the UX correct. I’m still not convinced we have it right. When we do, we’ll start allowing it for other assets where it makes sense (not ETH).

Exodus accepts insecure passwords

I agree. We could do a much better job here. I dropped in this code library from Dropbox https://github.com/dropbox/zxcvbn and never looked back. This is 100% my fault. I should have spent more time on how this all works and fits into Exodus. Moving forward, we may just have to remove the strength estimation altogether or see if we can improve it. I’ll have to put more thought into this, but thank you for pointing this out.

Exodus is closed source

Exodus is not 100% closed source, as can be seen here: https://github.com/exodusmovement/ – we’re working on open-sourcing more of Exodus.

Why is Exodus not 100% open-source? Because we haven’t validated our business model. That’s it. In the long-term, we’d like to open-source all of Exodus. I think I have credibility making this claim given how much I love open-source (https://github.com/jprichardson && https://www.npmjs.com/~jprichardson) so I have the track record to prove it.
However, we do understand that many people will not agree with this decision in the short-term and we are okay with these people choosing not to be our customers at this point. Fortunately there are so many desktop wallets in this ecosystem to fulfill most people’s preferences.

there is no 2 factor authentication available.

We are actively working on a solution to this now. Hopefully this will satisfy the security needs of most people.

Finally, I want to close by saying that we really appreciate the comments and criticisms. We realize we won’t be the perfect solution for everyone, but we like people telling us where we failed so that we can at least try to be the perfect solution for some.

All my best,
JP
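
As an added example (not Exodus code, and not from the post or from JP's reply), here is a small Python audit of the behaviour the post describes: a wallet handing out the same receive address twice. The txids, addresses and amounts below are constructed placeholders, not chain data. The audit flags any of the wallet's own addresses funded by more than one transaction, shows what a second payer can read off the chain about that address, and clusters addresses with the common-input-ownership heuristic a chain observer would apply.

```python
from collections import defaultdict

# Constructed sample history (placeholder txids and addresses, not real
# chain data). addrA is the single receive address the post describes;
# chg1/chg2 are the per-spend change addresses JP's reply mentions;
# ext1/ext2 are third-party destinations.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": [], "outputs": [("addrA", 1.0)]},   # deposit from payer 1
    {"txid": "tx2", "inputs": [], "outputs": [("addrA", 0.5)]},   # deposit from payer 2 (reuse)
    {"txid": "tx3", "inputs": [("tx1", 0)],
     "outputs": [("ext1", 0.7), ("chg1", 0.3)]},                  # spend, change to a fresh address
    {"txid": "tx4", "inputs": [("tx3", 1), ("tx2", 0)],
     "outputs": [("ext2", 0.6), ("chg2", 0.2)]},                  # co-spends chg1 and addrA
]
OUR_ADDRESSES = {"addrA", "chg1", "chg2"}


def _output_address(txs, txid, vout):
    """Resolve an input (txid, vout) to the address of the output it spends."""
    by_id = {t["txid"]: t for t in txs}
    return by_id[txid]["outputs"][vout][0]


def reused_receive_addresses(txs, our_addresses):
    """Return {address: [txids]} for wallet addresses funded by more than one tx.

    A wallet that issues a fresh receive address per request returns {} here."""
    paid_by = defaultdict(list)
    for t in txs:
        for addr, _amount in t["outputs"]:
            if addr in our_addresses and t["txid"] not in paid_by[addr]:
                paid_by[addr].append(t["txid"])
    return {a: ids for a, ids in paid_by.items() if len(ids) > 1}


def payer_visible_history(txs, address):
    """What anyone who is handed `address` can read off the chain: every
    payment it ever received, i.e. other payers' amounts and ordering."""
    return [(t["txid"], amt) for t in txs for a, amt in t["outputs"] if a == address]


def cluster_by_cospend(txs):
    """Common-input-ownership heuristic: addresses whose outputs are spent
    together in one transaction are assumed to belong to one owner.
    Returns the resulting clusters as a list of frozensets (union-find)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for t in txs:
        addrs = [_output_address(txs, pid, vout) for pid, vout in t["inputs"]]
        for a in addrs:
            find(a)                          # register single-input spends too
        for a, b in zip(addrs, addrs[1:]):
            parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]


def audit(txs, our_addresses):
    """Summarise the privacy exposure of this history in one dict."""
    reused = reused_receive_addresses(txs, our_addresses)
    return {
        "reused": reused,
        "visible_to_later_payers": {a: payer_visible_history(txs, a) for a in reused},
        "observer_clusters": cluster_by_cospend(txs),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_TXS, OUR_ADDRESSES).items():
        print(key, value)
```

Run stand-alone it prints the three findings. The co-spend clustering happens whether or not addresses are reused; what reuse adds is that `payer_visible_history` is non-empty for the second payer, who can see the first payer's amount, and that the whole cluster hangs off one public address rather than a set of one-time ones. A wallet that issues a fresh receive address per request should make `reused_receive_addresses` return an empty dict over its own history, which is the check the post's author effectively ran by hand.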


This sucks. I was looking at Exodus myself but felt it didn't offer much apart from looking awesome.

What is your favorite wallet solution? So far I'm using blockchain and myetherwallet. Myetherwallet is painful atm as I can't send due to congestion and ICOs.

Back to Jaxx for some of those. Jaxx has a security issue too, but likely to be dealt with sooner than Exodus I think. I use Ledger Nano S for ETH and ETC. I'm looking into paper wallet for my Decred, and Litecoin to Trezor once their SegWit coding isn't 'beta'.

Thanks for your analysis, I just started using Exodus on a very limited basis. It's a sleek wallet with a built-in exchange but I was always wary about security issues.

I amended the post with a response from Exodus. Seems reasonable and encouraging. I hope to move some coins back to Exodus in the future.

Thanks for the update on Exodus, glad they are hopefully working on a solution. We need more good wallet choices to pick from. Hope Jaxx gets their act together too!