PSA - Jaxx Vulnerability (2017)

Altcoin Trading Blog
10/15/21 · Cryptocurrency wallets

A 2017 version of the Jaxx wallet has a serious vulnerability that is being worked on - but at the moment is there.
NOTE: This is an article from 2017 and is not relevant to the current versions of Jaxx.

2017 Jaxx Vulnerability Report

Source: vxlabs.com

Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.

With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.

The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)

This means we can easily read and decrypt the full recovery phrase from local storage using sqlite3 and some straightforward code.

I successfully tested this vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13.

If you have BTC, ETH, ETC or other coins in Jaxx get them out now.

If you only ever used the Jaxx mobile apps your coins are apparently safe (not if you use both desktop and mobile though).

Update: People report stolen ETH, ETC and ZEC
