PSA - Jaxx Vulnerability (2017) - #CryptoTrading

A 2017 version of the Jaxx wallet has a serious vulnerability. A fix is being worked on, but at the moment the vulnerability is still present.
Author: KarlVonBahnhof

Source: vxlabs.com

Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.

With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.

The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)

This means we can easily read and decrypt the full recovery phrase from local storage using sqlite3 and some straightforward code.

I successfully tested this vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13.
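
As an added illustration (not code from Jaxx or from the original write-up), the Node.js sketch below contrasts the flawed pattern described above, a key constant shipped with the application, with a key derived from a user passphrase via scrypt. The key constant, function names and sample phrase are assumptions made up for the example.

```javascript
const crypto = require('crypto');

// Constructed sample phrase (a public BIP-39 test vector), not a real wallet.
const SAMPLE_MNEMONIC = 'abandon '.repeat(11) + 'about';

// Weak pattern from the post: the key is a constant shipped with the app.
// The value here is a made-up placeholder, not the real Jaxx key.
const STATIC_KEY = crypto.createHash('sha256').update('placeholder-app-constant').digest();

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decrypt(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Anyone holding the stored blob and a copy of the app can call openStatic():
// no PIN or password is involved in the key at all.
const sealStatic = (mnemonic) => encrypt(STATIC_KEY, mnemonic);
const openStatic = (blob) => decrypt(STATIC_KEY, blob);

// Hardened pattern: derive the key from a user passphrase with scrypt and a
// random per-wallet salt. A short numeric PIN is not enough as the input:
// a 4-digit PIN has only 10,000 values to try offline.
function deriveKey(passphrase, salt) {
  const opts = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
  return crypto.scryptSync(passphrase, salt, 32, opts);
}

function sealWithPassphrase(passphrase, mnemonic) {
  const salt = crypto.randomBytes(16);
  return { salt, ...encrypt(deriveKey(passphrase, salt), mnemonic) };
}

function openWithPassphrase(passphrase, blob) {
  return decrypt(deriveKey(passphrase, blob.salt), blob);
}
```

With the passphrase-derived key, the stored blob alone is not enough to recover the phrase; its protection is only as strong as the passphrase the user chooses.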

If you have BTC, ETH, ETC or other coins in Jaxx, get them out now.

If you only ever used the Jaxx mobile apps, your coins are apparently safe (though not if you use both desktop and mobile).

Update: People report stolen ETH, ETC and ZEC

If you lost coins, report it on the Whalepool Telegram.


