Bitcoin Forum
Topic: Jaxx Wallet and Bitcoin Wallet Security Issues (Read 251 times)
Kemarit (OP)
March 15, 2018, 07:55:39 PM
 #1

According to Cheetah Mobile's blockchain research: (https://cryptovest.com/news/bitcoin-jaxx-wallets-have-security-issues-cheetah-mobile-warns/)

Quote
Bitcoin, Jaxx Wallets Have Security Issues, Cheetah Mobile Warns

The blockchain research division of Cheetah Mobile warned on Tuesday it had detected serious security weaknesses in two of the most commonly used mobile digital currency wallets - Bitcoin Wallet and Jaxx Blockchain Wallet.

Anyone heard about the security flaw on Jaxx and Bitcoin Wallet? Quite a surprise, though, that Jaxx still exists, as there have been problems with this wallet ever since. Just want to give a fair warning to those who still use Jaxx to store their crypto coins, as I still see some members recommending it to newbies. Just be careful, and until there is a fix, don't use this wallet, so as not to get compromised.

hugeblack
March 15, 2018, 10:02:27 PM
 #2

All these warnings are because of "unsecured encryption of wallets seeds" [Jaxx uses a hard-coded encryption key].

I think the source of this news is https://www.reddit.com/r/jaxx/comments/6gfl4d/easy_extraction_of_the_jaxx_12word_wallet_backup/.

Note that this was reported nine months ago, but many sites reposted it again after a period of time.

buwaytress
March 16, 2018, 11:57:23 AM
 #3

Yeah, it's a security issue that's been floating around the forums for a really long time. It's been proven already to be doable (extracting the seed, read here: https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/ Flaw discovery was credited to fluffypony.) so I really don't know why they think it's not an issue. Think the Jaxx developers even came out and responded by saying it wasn't a flaw, and was a tradeoff for using their technology!

They themselves do not recommend Jaxx as a long-term storage or for large amounts, so if the developers don't think it's a good idea, I don't think we should either.

Their response here: https://www.reddit.com/r/EthereumClassic/comments/6gh2f5/jaxx_wallet_is_not_secure_seeds_are_stored/


Mister1k
March 16, 2018, 03:54:50 PM
 #4

Quote from: Kemarit
According to Cheetah Mobile's blockchain research: (https://cryptovest.com/news/bitcoin-jaxx-wallets-have-security-issues-cheetah-mobile-warns/)

Quote
Bitcoin, Jaxx Wallets Have Security Issues, Cheetah Mobile Warns

The blockchain research division of Cheetah Mobile warned on Tuesday it had detected serious security weaknesses in two of the most commonly used mobile digital currency wallets - Bitcoin Wallet and Jaxx Blockchain Wallet.

Anyone heard about the security flaw on Jaxx and Bitcoin Wallet? Quite a surprise, though, that Jaxx still exists, as there have been problems with this wallet ever since. Just want to give a fair warning to those who still use Jaxx to store their crypto coins, as I still see some members recommending it to newbies. Just be careful, and until there is a fix, don't use this wallet, so as not to get compromised.


Hey dude, are you sure about that security flaw in the Jaxx wallet's seed? I have around .4 Ethereum there but haven't found any issue over the past 6 months and more.
I have seen they give a place to some tokens as well, like how the Coinomi wallet is being used. They accept more than 50 cryptos that are famous in the marketplace. Is that wallet works perfect!
TryNinja
March 16, 2018, 05:43:26 PM
 #5

Quote from: Mister1k
Hey dude, are you sure about that security flaw in the Jaxx wallet's seed? I have around .4 Ethereum there but haven't found any issue over the past 6 months and more.
I have seen they give a place to some tokens as well, like how the Coinomi wallet is being used. They accept more than 50 cryptos that are famous in the marketplace. Is that wallet works perfect!

Well, you should read the article. You are not safe just because you never had any issue. In fact, the problem is that an attacker can easily steal your wallet seed if he gets physical access to your device. So until this happens, you will not have any "issue". You may think that this isn't a big deal, but it is still a security issue that should be fixed by the Jaxx team.

Patatas
March 17, 2018, 04:35:58 AM
 #6

Quote from: buwaytress
Yeah, it's a security issue that's been floating around the forums for a really long time. It's been proven already to be doable (extracting the seed, read here: https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/ Flaw discovery was credited to fluffypony.) so I really don't know why they think it's not an issue. Think the Jaxx developers even came out and responded by saying it wasn't a flaw, and was a tradeoff for using their technology!

That was more like a loophole discovered. I was tracking the issue being actively discussed on a GitHub repo which had several PRs raised, but not sure which one was merged.

Quote from: buwaytress
They themselves do not recommend Jaxx as a long-term storage or for large amounts, so if the developers don't think it's a good idea, I don't think we should either.

I don't think they meant that. Do you have any direct links I can refer to, to support your comment?

Quote from: TryNinja
Well, you should read the article. You are not safe just because you never had any issue. In fact, the problem is that an attacker can easily steal your wallet seed if he gets physical access to your device. So until this happens, you will not have any "issue". You may think that this isn't a big deal, but it is still a security issue that should be fixed by the Jaxx team.

If any attacker gets physical access to your device, there are really fewer chances for an application to implement protocols which would stop him from stealing your seed, since that isn't directly associated with the wallet. An additional level of security can be introduced, though.
buwaytress
March 17, 2018, 08:44:27 AM
 #7


Quote from: Patatas
Quote from: buwaytress
They themselves do not recommend Jaxx as a long-term storage or for large amounts, so if the developers don't think it's a good idea, I don't think we should either.

I don't think they meant that. Do you have any direct links I can refer to, to support your comment?


Sure! The Reddit link I provided above is a direct response from Jaxx CTO (Vyas). I'll quote parts of it below.

Quote
As a hot wallet we believe we have found an appropriate balance between ease-of-use, portability, and security.

This comment is their way of saying they can't find a way to engineer the appropriate security levels without compromising ease and portability. They admit to the flaw (never denied it) but say this is a necessary trade off.

Quote
Jaxx IS NOT cold storage. For large amounts we recommend hardware wallets.
Quote
Until that time, please use Jaxx as a hot wallet for small amounts, and use hardware wallets for larger amounts.

This is the developer saying don't use Jaxx for cold storage or large amounts. Pretty sure they mean exactly what they say, unless I didn't understand what they were trying to imply.

warningsigns
March 17, 2018, 10:23:39 PM
 #8

The developer has other wallets which have had their fair share of warnings about vulnerabilities. Their Rushwallet will soon be disabled

https://rushwallet.com

KryptoKit is their Chrome extension wallet. What's bad about it is the mining fee. It's a static 0.0002 BTC and you can't adjust or change it based on network congestion levels.

A shame their wallets are riddled with vulnerabilities and security issues. I like Jaxx's Shapeshift exchange feature incorporated within the wallet. Allows one to seamlessly convert cryptos. Haven't tried it yet but I wish other wallets had the same feature.

Zocadas
March 18, 2018, 05:36:45 AM
 #9

Quote from: warningsigns
The developer has other wallets which have had their fair share of warnings about vulnerabilities. Their Rushwallet will soon be disabled

https://rushwallet.com

KryptoKit is their Chrome extension wallet. What's bad about it is the mining fee. It's a static 0.0002 BTC and you can't adjust or change it based on network congestion levels.

A shame their wallets are riddled with vulnerabilities and security issues. I like Jaxx's Shapeshift exchange feature incorporated within the wallet. Allows one to seamlessly convert cryptos. Haven't tried it yet but I wish other wallets had the same feature.

You can also use Shapeshift on Coinomi, no need to risk your funds because of this feature. Coinomi also has a second exchanger, Changelly, but I wouldn't recommend it, because you don't see the exchange rates you will get. What you see at the order and what you get differ significantly. So better stay at Shapeshift.

To the OP: Many thanks for the warning.
figmentofmyass
March 18, 2018, 11:33:13 PM
 #10

Quote from: buwaytress
This comment is their way of saying they can't find a way to engineer the appropriate security levels without compromising ease and portability. They admit to the flaw (never denied it) but say this is a necessary trade off.

Quote
Jaxx IS NOT cold storage. For large amounts we recommend hardware wallets.
Quote
Until that time, please use Jaxx as a hot wallet for small amounts, and use hardware wallets for larger amounts.

This is the developer saying don't use Jaxx for cold storage or large amounts. Pretty sure they mean exactly what they say, unless I didn't understand what they were trying to imply.

in general, that's not unreasonable. i would never expect a multi-coin wallet with flashy UI (made primarily for mobile use) to have ideal security. that'll never happen. the problem these days is that new investors want exposure to multiple altcoins in addition to BTC. naturally, they look for a wallet solution where they can store as many coins as possible in one wallet. so they dump all their funds into a jaxx or coinomi wallet (which they continue spending from) rather than devising a cold storage solution.

i'm not sure what the big difficulty with allowing a complex passphrase is. jaxx should at least expand the PIN number past 4 digits.

Quote from: warningsigns
A shame their wallets are riddled with vulnerabilities and security issues. I like Jaxx's Shapeshift exchange feature incorporated within the wallet. Allows one to seamlessly convert cryptos. Haven't tried it yet but I wish other wallets had the same feature.

it's sort of a gimmick, though. ledger wallet + radar relay (for ERC-20 tokens) is much more impressive---no rate-limiting to jack up your fees like shapeshift does either. and with things like blocknet, crypto-bridge and others being actively developed, things are getting better on this front.
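
Added example (not part of the thread and not Jaxx code): the hard-coded encryption key mentioned in post #2 and the passphrase suggestion in the post above, side by side in Node.js. The sample phrase, the key constant and all function names are constructed for illustration.

```javascript
// Added illustration; not Jaxx code. Every name and value below is constructed.
const nodeCrypto = require('crypto');

// Constructed 12-word sample standing in for a wallet backup phrase.
const SAMPLE_PHRASE =
  'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima';

// Weak pattern: one key compiled into the app, identical on every install.
const STATIC_KEY = nodeCrypto.createHash('sha256')
  .update('constructed-constant-shipped-with-app').digest();

// AES-256-GCM helpers shared by both variants.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
}

// Static-key variant: decryption needs nothing the user knows, so the stored
// blob is only as private as the device's file system.
const sealWithStaticKey = (phrase) => seal(STATIC_KEY, phrase);
const openWithStaticKey = (blob) => unseal(STATIC_KEY, blob);

// Hardened variant: key derived from a user secret with scrypt and a random
// per-install salt, so the app plus the stored blob is not enough to decrypt.
function deriveKey(secret, salt) {
  return nodeCrypto.scryptSync(secret, salt, 32, { N: 16384, r: 8, p: 1 });
}

function sealWithPassphrase(phrase, secret) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, ...seal(deriveKey(secret, salt), phrase) };
}

function openWithPassphrase(blob, secret) {
  try {
    return unseal(deriveKey(secret, blob.salt), blob);
  } catch (err) {
    return null; // GCM tag mismatch: wrong secret or modified data
  }
}

// Guess space of an n-digit PIN. If a PIN is the only input to deriveKey,
// the KDF slows each guess but the total stays this small.
const pinGuesses = (digits) => 10 ** digits;

const demo = sealWithPassphrase(SAMPLE_PHRASE, 'long constructed passphrase');
console.log(openWithStaticKey(sealWithStaticKey(SAMPLE_PHRASE)) === SAMPLE_PHRASE,
  openWithPassphrase(demo, '0000'), pinGuesses(4), pinGuesses(8));
```
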

pinkflower
March 19, 2018, 04:14:04 AM
 #11

Quote from: hugeblack
All these warnings are because of "unsecured encryption of wallets seeds" [Jaxx uses a hard-coded encryption key].

I think the source of this news is https://www.reddit.com/r/jaxx/comments/6gfl4d/easy_extraction_of_the_jaxx_12word_wallet_backup/.

Note that this was reported nine months ago, but many sites reposted it again after a period of time.


This is old news. Try googling "Jaxx seeds unencrypted Javascript". The link to the research team who first exploited the security issue will show how to extract the wallet seeds with a few lines of JS.

Jaxx said they did this on purpose for cross-platform convenience.
timerland
March 20, 2018, 06:23:29 AM
 #12

Jaxx has long been found to have security concerns.

Apparently as long as someone has 20 secs of network access, they are able to exploit this security vulnerability and write down your backup phrase which can be used to access your coins. And someone seems to have already been hacked for over $400k worth of ETH as well (unconfirmed to be actually Jaxx). So based on this, I would avoid the desktop version of Jaxx. But all of this is old news.

I personally prefer Exodus to Jaxx just because it's got no former or current complaints, it's got great support, and just an overall better user experience. But all hot/desktop wallets will have risks, especially closed source ones.

crairezx20
March 20, 2018, 12:11:40 PM
 #13

Jaxx wallet is a well-known wallet, and I heard many people complain that they were hacked.

That is why I stopped using Jaxx wallet, due to many complaints, and I switched to Coinomi. This wallet is way better and safe; until now I never had any issue using Coinomi wallet, but some altcoins are not supported, unlike Jaxx wallet, which supports more coins.

However, I heard from some GPU miners in the Facebook group that they are still using Jaxx wallet when mining other altcoins, and until now they are still using it without any problem.
Wipro
March 20, 2018, 06:43:27 PM
 #14

Quote from: crairezx20
Jaxx wallet is a well-known wallet, and I heard many people complain that they were hacked.

That is why I stopped using Jaxx wallet, due to many complaints, and I switched to Coinomi. This wallet is way better and safe; until now I never had any issue using Coinomi wallet, but some altcoins are not supported, unlike Jaxx wallet, which supports more coins.

However, I heard from some GPU miners in the Facebook group that they are still using Jaxx wallet when mining other altcoins, and until now they are still using it without any problem.

While installing the Jaxx Android wallet, it asks for the wallet seed to be added there. You can find better security with Coinomi itself, in my belief. But many times I have used this wallet while trading on localbitcoins to exchange bitcoin for ethereum.
So far I did not find any issue with this, and I have around 0.65 ethereum on Jaxx at present.
Happiest
March 22, 2018, 12:24:47 PM
 #15

OP, I have known Jaxx wallet for some time now and I must say it was a good wallet when I used it. Though, this recent news of security issues is sort of new to me. I can't really say because STORM (one of the potential new coins in the market) is using it to claim STORM tokens and they have been recommending it to all their users. The developers never issued any news concerning this security risk in their Telegram channel nor their Twitter channel. Recently, I have been planning to buy Storm tokens and hold till it moons; but with this sort of news, I am confused.
GoldenLad
March 23, 2018, 10:50:01 AM
 #16

They are always on it. A few months ago, Jaxx was experiencing some issues (both technical and security issues) and I heard then that they had resolved the issue. I don't know if this recent news is authentic, but I have used Jaxx before and sometimes it messes up; that is what I don't like about them. Though, I still have tokens I used them to store, but it won't be for long. I just wish they can find a permanent solution for it.
Kemarit (OP)
March 23, 2018, 03:05:49 PM
 #17

Quote from: Happiest
OP, I have known Jaxx wallet for some time now and I must say it was a good wallet when I used it. Though, this recent news of security issues is sort of new to me. I can't really say because STORM (one of the potential new coins in the market) is using it to claim STORM tokens and they have been recommending it to all their users. The developers never issued any news concerning this security risk in their Telegram channel nor their Twitter channel. Recently, I have been planning to buy Storm tokens and hold till it moons; but with this sort of news, I am confused.

Well, that's why I wanted the community to know. Whether it's old news or not, this sort of vulnerability will somewhat cause a lot of doubts in the crypto market again. So it's better to be safe than sorry. A lot have commented on the issues, so make your own judgment call here. I also used Jaxx before, but because of the said exploits, I looked for other alternatives because I don't want to blame myself later if chances are I lose all my tokens in the future. I guess it's the responsibility of the wallet provider to keep us updated if the issue is already resolved, otherwise we will hear a lot of members (usually newbies) bitching around saying how they lost this and that because they didn't know that there were vulnerabilities in the first place.

felicita
April 12, 2018, 07:23:27 PM
 #18

thanks for this information. i still got some Ethereum Classic left on jaxx, it's now more than 200 e, so i will move that to another wallet XD
