Important - Jaxx Vulnerability
Jaxx wallet is not secure, even with the PIN
Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.
With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.
The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)
This means we can easily read and decrypt the full recovery phrase from local storage using sqlite3 and some straightforward code.
I successfully tested this vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13.
If you have BTC, ETH, ETC or other coins in Jaxx, get them out now.
If you only ever used the Jaxx mobile apps your coins are apparently safe (not if you use both desktop and mobile though).
If you lost coins, report it on the whalepool Telegram.
Disclosure: This article is not sponsored by anyone in any form.
About the author
Written by KarlVonBahnhof
KarlVonBahnhof, also on Reddit; Chris belongs to the crypto trader class of 2013. Located in the Americas most of the time, you're most likely to meet him at r/BitcoinMarkets though.
Opinions are author's own.