PSA - Jaxx Vulnerability (2017) - #CryptoTrading

A 2017 version of the Jaxx wallet has a serious vulnerability. It is being worked on, but at the moment it is still there.
News · [cryptocurrency-wallets] · Author: KarlVonBahnhof

Source: vxlabs.com

Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.

With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.

The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)

This means we can easily read and decrypt the full recovery phrase from local storage using sqlite3 and some straightforward code.
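The design flaw described above, as an added example that is not from the original post or from Jaxx: the same secret sealed with a key embedded in the application, next to one sealed with a key derived from a user passphrase. The key string, function names, scrypt parameters and blob layout are assumptions made for illustration, and the mnemonic is a constructed sample (the public BIP-39 test phrase).

```javascript
// Added example, not Jaxx code: hard-coded key vs. passphrase-derived key.
const crypto = require('node:crypto');

// Constructed sample secret (public BIP-39 test phrase, not a real wallet).
const MNEMONIC = 'abandon abandon abandon abandon abandon abandon ' +
                 'abandon abandon abandon abandon abandon about';

// AES-256-GCM helpers; the sealed blob is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// WEAK: the key ships inside the application and is identical on every install.
// (Hypothetical constant, assumed for this example.)
const HARDCODED_KEY = crypto.createHash('sha256')
  .update('constant-in-app-source').digest();
const weakStore = (phrase) => seal(HARDCODED_KEY, phrase);
// Whoever holds the stored blob and a copy of the app can open it; no user
// secret is involved, so a PIN enforced only by the UI protects nothing.
const weakRecover = (blob) => open(HARDCODED_KEY, blob);

// HARDENED: key derived from a user passphrase with scrypt and a random salt.
// What sits on disk (salt || sealed blob) is not enough to decrypt.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
function strongStore(passphrase, phrase) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(passphrase, salt, 32, SCRYPT);
  return Buffer.concat([salt, seal(key, phrase)]);
}
function strongRecover(passphrase, blob) {
  const key = crypto.scryptSync(passphrase, blob.subarray(0, 16), 32, SCRYPT);
  try {
    return open(key, blob.subarray(16));
  } catch {
    return null; // GCM tag mismatch: wrong passphrase or modified blob
  }
}
```

The hardened variant is only as strong as the passphrase: a short numeric PIN leaves a search space small enough to exhaust even with scrypt, which is why the PIN alone would not be sufficient.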

I successfully tested this vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13.

If you have BTC, ETH, ETC or other coins in Jaxx, get them out now.

If you only ever used the Jaxx mobile apps, your coins are apparently safe (but not if you use both desktop and mobile).

Update: People report stolen ETH, ETC and ZEC

If you lost coins, report it on the Whalepool Telegram.
