On June 9, 2017, Dr. Charl Botha, owner and software engineer at vxlabs, published a brief analysis of the 12-word backup phrase used to restore Jaxx wallets. Botha positively identified the vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13. The Jaxx wallet does not need to be running for this weakness to be exposed.
Botha expressed the primary problem is that Jaxx encrypts the 12-word phrase using a “hard-coded encryption key.” Using relatively straightforward code, decryption from local storage is possible.
“Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down,” writes Botha. “With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.”
On Sunday, June 11, Jaxx CTO Nilang Vyas commented on reddit to address customer concerns.
“We are very comfortable with this security model for hotwallets,” writes Vyas. “The fact is there will always be tradeoffs between user experience, portability and security and we believe we’ve struck a great balance.”
Today, tenuous reports circulated claiming that Jaxx users have lost $400,000 to theft. Jaxx’s director of business and community development, Charlie Shrem, told ETHNews he categorically denies this allegation:
“There is no vulnerability, no one lost funds here. The author of the article basically says that someone can retrieve your 12 word backup seed if they have access to your device. If you aren't securing your device (pin, password, encryption, etc) how can you blame JAXX if someone steals your unsecured device and steals your money?
Do other wallets secure better? Yes! Can we do a better job? Yes! We are, and we have solutions for all security related matters including this one such as double encryption.”
These assurances did not allay Botha’s concerns. In a statement to ETHNews, Botha voiced his fears.
“I don't understand why Jaxx has not committed to the short-term improvement of implementing a user-supplied passphrase for backup phrase (mnemonic) encryption for their desktop / chrome extension products. This would really not be difficult to do, but it would reduce user risk significantly.”
Botha notes that Exodus (a competing multi-currency app) utilizes this additional layer of security.
“All Jaxx desktop users currently run the risk of malware (we saw how rapidly WannaCry spread; also think of various large botnets) or a malicious person lifting their wallet backup phrases. With the increasing amount of value in cryptocurrency, the cost of this risk realizing is significant.”
Cryptocurrency ownership is like defensive driving. Wallet vulnerabilities demand vigilance.