Vxlabs Reveals Jaxx Wallet “Vulnerability”

By Matthew De Silva, Writer, ETHNews.com

A report by Dr. Charl Botha of vxlabs raises concerns about the security of Jaxx, a “permissionless,” multi-chain wallet.

On June 9, 2017, Dr. Charl Botha, owner and software engineer at vxlabs, published a brief analysis of the 12-word backup phrase used to restore Jaxx wallets. Botha positively identified the vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13. The Jaxx wallet does not need to be running for this weakness to be exposed.

Botha said the primary problem is that Jaxx encrypts the 12-word phrase using a “hard-coded encryption key.” With relatively straightforward code, the phrase can be decrypted from local storage.

“Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down,” writes Botha. “With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.”

On Sunday, June 11, Jaxx CTO Nilang Vyas commented on reddit to address customer concerns.

“We are very comfortable with this security model for hotwallets,” writes Vyas. “The fact is there will always be tradeoffs between user experience, portability and security and we believe we’ve struck a great balance.”

Today, tenuous reports circulated claiming that Jaxx users have lost $400,000 to theft. Jaxx’s director of business and community development, Charlie Shrem, told ETHNews he categorically denies this allegation:

“There is no vulnerability, no one lost funds here. The author of the article basically says that someone can retrieve your 12 word backup seed if they have access to your device. If you aren't securing your device (pin, password, encryption, etc) how can you blame JAXX if someone steals your unsecured device and steals your money?

Do other wallets secure better? Yes! Can we do a better job? Yes! We are, and we have solutions for all security related matters including this one such as double encryption.”

These assurances did not allay Botha’s concerns. In a statement to ETHNews, Botha voiced his fears.

“I don't understand why Jaxx has not committed to the short-term improvement of implementing a user-supplied passphrase for backup phrase (mnemonic) encryption for their desktop / chrome extension products. This would really not be difficult to do, but it would reduce user risk significantly.”

Botha notes that Exodus (a competing multi-currency app) utilizes this additional layer of security.

“All Jaxx desktop users currently run the risk of malware (we saw how rapidly WannaCry spread; also think of various large botnets) or a malicious person lifting their wallet backup phrases. With the increasing amount of value in cryptocurrency, the cost of this risk realizing is significant.”
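The difference between the two designs discussed above, a key fixed in the application versus a key derived from a user-supplied passphrase, is shown in this added example, which is not from the article, vxlabs, Jaxx or Exodus. It uses Node.js's built-in crypto module; the constant key, the sample phrase and all function names are constructed for illustration.

```javascript
// Added illustration; every value here is constructed, none comes from Jaxx or Exodus.
const crypto = require("node:crypto");

// scrypt cost parameters (assumed values for this example).
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// AES-256-GCM encryption with a caller-supplied 32-byte key.
function sealWithKey(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function openWithKey(key, box) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]).toString("utf8");
}

// Weak design: the key is a constant shipped inside the application, so the
// stored ciphertext is protected only by access to the device, not by a secret.
const APP_KEY = crypto.createHash("sha256").update("constant-shipped-with-the-app").digest();

// Hardened design: the key is derived from a passphrase only the user knows,
// with a random per-wallet salt stored next to the ciphertext.
function sealWithPassphrase(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(passphrase, salt, 32, SCRYPT);
  return { salt, ...sealWithKey(key, plaintext) };
}

function openWithPassphrase(passphrase, box) {
  const key = crypto.scryptSync(passphrase, box.salt, 32, SCRYPT);
  try {
    return openWithKey(key, box);
  } catch {
    return null; // GCM tag check failed: wrong passphrase or modified data
  }
}

// Constructed placeholder, not a real backup phrase.
const SAMPLE_PHRASE = "one two three four five six seven eight nine ten eleven twelve";
```

With the fixed key, any copy of the application is enough to open the stored blob; with the derived key, a copy of local storage alone yields nothing without the passphrase.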

Cryptocurrency ownership is like defensive driving. Wallet vulnerabilities demand vigilance.

Matthew De Silva

Matthew is a writer with a passion for emerging technology. Prior to joining ETHNews, he interned for the U.S. Securities and Exchange Commission as well as the OECD. He graduated cum laude from Georgetown University where he studied international economics. In his spare time, Matthew loves playing basketball and listening to podcasts. He currently lives in Los Angeles. Matthew is a full-time staff writer for ETHNews.
