PSA Freewallet and Jaxx Getting Robbed - Over 10 Million USD Stolen

in #bitcoin · 7 years ago (edited)

There was a bug found in the Jaxx.io wallet lately - anyone with 20 seconds of access to your PC's network can get all the keys to your wallets due to the seed Jaxx generates.

The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)

If you use Jaxx - move coins out ASAP.

Some people already claimed their coins were stolen. Full text - https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/

Literally right now, wallets from https://freewallet.org/ are getting cleared

If you used this service for some reason - move out ASAP.


Follow, Resteem and VOTE UP @kingscrown creator of http://fuk.io blog for 0day cryptocurrency news and tips!
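The technical point in the post is that a backup encrypted with a key baked into the application protects nothing against someone who has copied the wallet files, because the application itself is public. The following is an added illustration, not Jaxx's code or anything from the vxlabs write-up: a toy scheme with a constant key beside one whose key is derived from a user passphrase with a salted, slow KDF. The cipher is an HMAC-SHA256 counter-mode construction chosen only so the file runs with the Python standard library; the key constant, passphrase and twelve-word phrase are all constructed placeholders, and a real wallet should use a vetted AEAD (for example AES-GCM) from a maintained library.

```python
"""Constructed illustration: wallet backup 'encrypted' with a key shipped inside the
app versus one keyed from a user passphrase. Not Jaxx's code; toy cipher for stdlib-only use."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher, illustration only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on a wrong key or tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted backup")
    return _keystream_xor(key, nonce, ciphertext)


# --- Weak design: the key is a constant compiled into the application -----------
HARDCODED_KEY = b"placeholder-constant-baked-in-app"  # constructed placeholder, not a real key


def weak_protect(mnemonic: str) -> bytes:
    return _seal(HARDCODED_KEY, mnemonic.encode())


def weak_recover(blob: bytes) -> str:
    # Whoever has the backup file and the app binary already has everything needed.
    return _open(HARDCODED_KEY, blob).decode()


# --- Hardened design: key derived from a user passphrase with a salted, slow KDF ---
KDF_ITERATIONS = 200_000
SALT_LEN = 16


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def strong_protect(mnemonic: str, passphrase: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    return salt + _seal(_derive_key(passphrase, salt), mnemonic.encode())


def strong_recover(blob: bytes, passphrase: str) -> str:
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    return _open(_derive_key(passphrase, salt), body).decode()


def copied_backup_outcome(weak_blob: bytes, strong_blob: bytes) -> dict:
    """Model the threat the post describes: someone has copied the wallet files and
    knows everything the application knows, but does not have the user's passphrase."""
    outcome = {"weak": weak_recover(weak_blob)}  # succeeds with no secret at all
    try:
        outcome["strong"] = strong_recover(strong_blob, "")  # only guess available: empty passphrase
    except ValueError:
        outcome["strong"] = None  # tag check fails, nothing is recovered
    return outcome


if __name__ == "__main__":
    # Constructed sample phrase; not a real wallet seed.
    SAMPLE = "abandon ability able about above absent absorb abstract absurd abuse access accident"
    print(copied_backup_outcome(weak_protect(SAMPLE), strong_protect(SAMPLE, "correct horse")))
```

The difference between the two designs is what an attacker needs beyond the file: with the constant key, the backup file alone is enough; with a passphrase-derived key, the salt and the iteration count make each guess cost a KDF run, so a strong passphrase keeps the phrase out of reach even after the file is copied. Note also that the PIN check the post's comments mention is a separate UI gate and does not change this unless the PIN (or a passphrase) actually feeds the key derivation.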


This post is about people reporting they lost funds due to using 2 wallets. It's a PSA post - Please Stay Aware.

If super skilled guys like transisto or andu want to argue about the Jaxx exploit - please do it with the finder who's linked in the article https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/

I'm not as skilled as you two to say he's wrong.

And people moving coins to other wallets due to my post are not losing anything, but people NOT moving coins, if this PSA is real, will lose.

@kingscrown, while I've enjoyed a number of your posts, I am concerned that this one crosses the line into irresponsible reporting. For those of us who are sufficiently fluent in the technical underpinnings of this Jaxx "bug", the truth is that this is a far cry from "the sky is falling". Seeing the nature of responses below from folk new to crypto confirms that your directive to "move coins out ASAP" makes this sound like everyone is screwed. Period. Which is unfortunately far from the truth. I really am sorry that I cannot Upvote this one.

As far as the "bug",

  1. Is this an undesirable feature of Jaxx, YES.
  2. Will everyone, everywhere lose all their coins, NO.
  3. Will Jaxx "fix it"? They have indicated they won't, but before you crucify them, speaking from experience as a developer the solution may be more complex than you imagine and could break more things than it fixes.

The best thing we can offer to all the newbies out there is accurate, understandable information on both the capabilities and the responsibilities of this technology. Some simple, basic steps when choosing a wallet and how we secure it can go a long way toward preventing all these supposed terrible things happening.

For those who have read this far, the effect this Jaxx function has on the safety of your coins can be compared to your physical wallet or purse (for those who carry one). Would you really want to walk down the street just hanging it out there for anyone to easily see or grab? Would you leave it unattended on a bench at the city park?

So, what should you do?

  1. If you are super paranoid, switch to a paper wallet. A good tutorial can be found here and some warnings here.
  2. If you want to keep your wallet on your computer or phone, then keep the device secure. That means:
    a. Keep it patched and updated.
    b. Make sure you have a "not easy to guess" password or passcode.
    c. As exciting as it might be to jailbreak your iPhone or Android, please don't keep your wallet on there. You are just asking for trouble.
  3. You know the whole "don't click on a link or open an e-mail you weren't expecting"? Seriously, that's how the bad guys get you almost every time. Stop it. You might have all the other precautions in place, but by clicking, you just opened the front door of the house and invited them in.
  4. Don't connect to the Internet without protection.
    a. Please put some kind of router/firewall between your computer and your internet connection at home (cable, DSL, fiber, whatever).
    b. Think twice (or thrice) before connecting to that "Free WiFi" when you are out and about. It always comes at a cost.

So, maybe I am just a minnow swimming upstream, but for me, I am keeping my Jaxx wallet and already had protections in place to ensure no one can get access to it for the ten minutes they need to crack my backup phrase.

Thanks, I did not say anywhere everyone on Jaxx will lose money, I said if you have money there - move them for safety ;) The post was done as a PSA, nothing wrong with moving your coins out till this bug is fixed!

anyone with 10 second access to you network

Also please notice this post is about TWO wallets of whom users reported lost coins.

All I say - move out and be safe.
Possibly most people don't get what PSA means.

PS. I do love Jaxx and my network is secure, but many people could have their networks hit.
Better be safe than sorry. If you know what you're doing - good, if you are not sure - move for now.

Exodus wallet is good to use and pretty secure, thanks for the info 👍 Paper wallets all the way, don't keep your wealth in an exchange, get them offline as soon as you can 😀

In case any of you are curious whether the Exodus Wallet shares a similar vulnerability, I've emailed Exodus support and received the following reply:

http://prntscr.com/fk7lib

Thank you for the information. I have Exodus and was curious if the same could happen. Regardless, just reinforcement that larger amounts of coins should be kept in paperwallets.

I hear you. For small players, though, the mining fees to keep moving your coin around adds up.

Gauge the reaction of your readers and adjust as you go.

Cheers!

All good man :)

This is superbly put. Thank you!

Thank you for your kind words and vote!

Great post, I saw that freewallet is just scamming ETH out of so many users, it is incredible.

Spread this to people who still have their money tied up on Jaxx.

Jaxx_Annie said on this reddit thread (https://www.reddit.com/r/jaxx/comments/6gpurq/limit_on_send/):

"No worries! We're actually working on a new security model as we speak. We'll update you all shortly :)"

I like the Jaxx wallet so I hope they get this fixed.

Well I have been using Jaxx for the past 4 months and am still using it. My ETH and Dash are still safe. And I'm going to stick to Jaxx as it is one of the best multi-wallets.

I am sticking to Jaxx too as in my opinion it's not one of the best but the best multi-currency wallet out there for small amounts. I have the mobile iOS version which I think is safe enough for the small amounts I keep on there. BUT what might have been safe 4 months ago can be very unsafe today and I won't hesitate to move my funds the moment I read an article that convinces me that Jaxx is unsafe for iOS.

Yes, I keep small sums on Jaxx as well. I guess it is unwise to have very large sums all in one place. If I had a large amount of crypto I'd probably split it in different places.

Yeah that's the best way to do it. Luxury problems though, wish I had those issues. ;)

By itself this problem doesn't make your eth vulnerable

Just spread the word on Twitter, follow https://twitter.com/Soul_Eater_43 for bitcoin updates team

Soul_Eater_43 The Cryptofiend tweeted @ 13 Jun 2017 - 02:01 UTC

Very worrying: PSA #Freewallet and #Jaxx Getting Robbed - Over 10 Million USD #Stolen@Steemit #bitcoin @jaxx_io… twitter.com/i/web/status/8…

Disclaimer: I am just a bot trying to be helpful.

I'm not worried.

Such bad reporting,

anyone with 10 second access to you network can get all keys to your wallets due to seed Jaxx generates.

It's physical access to device storage, very hard on a pin locked phone.

This is proper reporting : https://steemit.com/cryptocurrency/@steemitguide/jaxx-security-and-exploit-allows-easy-extraction-of-the-jaxx-s-wallet-12-word-backup-phrase
(2 days ago)

Somewhat true. On a phone it's almost impossible to get to the files containing the encrypted mnemonic. Hard code encrypted as it is. The apps are sandboxed. If you choose to hold your coins on a rooted phone, well that's your problem right there.

Secondly, the desktop side which is more exposed. The hacker needs access to your drive, to your files. If you can't secure your computer to not be breached, then again, you shouldn't be holding Jaxx or any wallet on your desktop.

They are comfortable with this approach for the moment as some of the responsibility is also in the hands of the coin holder. There are also developments to increase security.
Stop spreading FUD @kingscrown. People that have these levels of breaching should get their own security on par with the industry trend. If you forget your credit card on a counter, is it the bank's fault that your funds get stolen?


Thanks for the info. I just lost some bitcoins to hackers that stole it from my third-party wallet. Security is really a BIG challenge to cryptocurrency. This will discourage many from investing in crypto.

He could be a CIA mole on Steemit--tons into cryptos, trying to sabotage anyone who makes too much money like beating down silver and gold when they rise too high. Creates lack of trust in cryptos. Theft event may also be Fake News--may never have happened. Also all browsers are viewed by CIA, NSA--anything non-encrypted. Write down password immediately on a piece of paper and delete from laptop--breach could have occurred with unencrypted password viewed by owner on laptop.

I was wondering about this. Nobody has 10 second access to my phone. I treat that thing like a physical wallet.

True and most Democrats will try to sabotage Cryptocurrencies. Democrats live on triple bookkeeping entries and ledger legerdemain. Rogues are rogues and rogues by nature destroy--that's all they do--no values. A danger to cryptocurrencies. Hundreds of CIA Deep State guys and gals are surely into cryptocurrencies trying to destroy them.

Methinks you're responding to the wrong comment.

Wonderful times ahead as the crypto community tries to avoid these baddies. Decentralised exchanges are one way, so we can avoid them by bypassing the likes of Coinbase, Kraken and other centralised exchanges

Decentralization is probably the BEST security possible within the current system, as the per-account cost remains additive, rather than anti-log.
That will become moot when the baddies get access to quantum processing.

right... trolls everywhere. such bad reporting.

Do you use coinbase? How secure is it please, and please is there any platform to trade btc in Africa?... I am a crypto rookie please, pardon my intrusion!

coinbase is cool to buy crypto but don't store it there.. download Jaxx or get a Ledger Nano S hardware wallet to store your crypto. Never keep crypto on an exchange like coinbase thinking it's a wallet...

If you cannot use Coinbase try Xapo

I guess if people leave their mnemonic lying around and if people don't set up a pin code then safety is pretty much zero. Otherwise I think most wallets are more or less equally safe (or unsafe? lol).

Don't think so, but two wallets are getting emptied now

Also...just found this article about the security flaw that was posted yesterday??
Weird
http://www.newsbtc.com/2017/06/11/anyone-can-extract-jaxx-wallet-mnemonic-seed-developers-will-not-fix-problem/
"To put this into perspective, it appears the Jaxx team is aware of this problem. However, the team has no intention of fixing this flaw by any means."
What is going on here?

I knew it for some time but it didn't look good enough for a post here. 2 hacks.. now we are talking!

The news is going to have a field day with this...

whoa; everything about that sounds super bad -

there isn't a flaw per se. If a hacker gets access to your computer, are you really concerned just about your Jaxx data? c'mon people... keep your devices secured and nobody will steal your funds.

wow....very troubling...
It is a bit strange because Coinbase also had a lot of issues today, people couldn't access funds etc..
https://steemit.com/cryptocurrency/@digicrypt/coinbase-having-major-issues
I know it is completely different and most likely not at all related, but it is weird to see this level of disruption in the sector, especially when the markets are in a sea of red. (Other than ETH) Thank you for the heads up I will resteem this.

My ETH transaction through coinbase has been pending for over 10 days now. Withdrawn from my account but something is going on and it's starting to stink.

Horrible to see.

https://freewallet.org/ always looked like a scam. xD
Why else would you set up a shitload of wallets, and have no way to make profit.

Thanks for bringing this to the masses!

I have no idea, never heard of it till I saw all the news of their wallets getting emptied

damn.. never knew they had so many users...
it's always hard to trust online wallets

What kinds of Wallets do you trust most? -- SO far, I like wallets that give me both an app, and an online back up - but am wondering about the actual desktop (downloadable programs) if that makes sense; I'm thinking about getting into PeerCoin and looking for a good Ripple Wallet - (other than Gatehub)

I trust all wallets where I am the only person who has the private keys ;-)
-Openledger: Decentralized Exchange
-Core wallets
-Paper wallets

freewallet is still running and I still have my balance on it though

Ledger Nano S has announced support for Ripple and Stratis recently, I think Lisk soon. I have just bought a matched pair (1 for use, 1 for backup) for less than $200USDT - to distribute more amongst my present Ledger Nano and airgapped machine, and paper-wallet (gift-card) regimen. At this stage of the game, hardware wallets seem the pick of the bunch, now beginning to make sense for hodling altcoins.

Jaxx wallet? So where is the safe haven now?
So many people new to this and then find out the whole thing is as unstable as the damn banks! What does everyone recommend then?
If you download to Jaxx but then a hard wallet shouldn't you be ok?

take a look at the bitshares platform. similar security to steemit, built by @dan

good stuff.

Thanks will do

A hardware wallet is the safest bet at the current moment.

Are you talking about a wallet made from leather, or is a 'hardware wallet' a thing? Newbie here, can you maybe expand on that? :) Thanks

Look into Trezor, Ledger nano, paper wallets, etc..go from there.

Awesome, Thanks man.

Definitely, I would recommend having multiple hardware wallets (as backups) for redundancies, also make sure the wallets are offline (combination of USB Ledger + always offline laptop would work).

I can't agree more and it's like everything else it's either in your hand or not. At least a hard wallet is disconnected from any device. Thanks for the reply.

Myetherwallet.com is good, used it to register adrianroberttorres.eth which is my ether address now lol

The sooner Trezor supports much more cryptos the better for everyone.