Shrem: No Jaxx Wallet User Has Lost Funds Despite Recent Warnings
No Jaxx wallet user has lost funds in a hack recently, Decentral’s Charlie Shrem said. Although a research team recently expressed concern over a backup phrase vulnerability, he claimed no-one has reported an actual attack of this nature.
To date, over 750,000 wallets have been created with Jaxx and its predecessor KryptoKit, Shrem said. None of them have ever lost any money due to an issue with the Jaxx software or code.
Instances where users have lost funds were due to stolen devices or users not saving their backup phrase — which Jaxx regularly prompts them to do.
The Jaxx Vulnerability Warning
Bitsonline reported on 10th June that researchers Vx Labs had found a vulnerability in the way Jaxx stores its private key “seed phrase” (or backup phrase). This 12-word mnemonic creates private keys for all the token wallets on a single user’s device. It also enables the same wallets to be used on different devices, and recovered if a device is lost.
While Jaxx does encrypt the mnemonic on each device, Vx Labs found it uses a hard-coded encryption key to obscure it, which a skilled attacker could extract and discover the phrase. It affected only the desktop and Chrome extension Jaxx versions. Physical access to the device is not necessary, meaning an attacker could potentially steal Jaxx wallets by installing malware on the user’s computer.
When asked if Jaxx is doing anything specifically to address the issue, Shrem told Bitsonline the developers update the software “about every other week”, and constantly fixes bugs and makes other improvements.
For Real Secure Storage, Only a Cold Wallet Will Do
However Shrem did advise users not to keep all their coins (or other assets) in an internet-connected wallet.
“I tell people all the time: any device that’s connected to the internet 24/7; never keep large amounts of money there. Cold storage is the best way to go. A hardware wallet like Trezor, Ledger, even a wallet on a computer that’s not connected to the internet is a good deal.”
He added that any internet-connected device is vulnerable to attacks via a keylogger. Should a hacker successfully install a keylogger on your machine, they will have access to your entire digital existence.
Several users on Reddit also voiced this opinion, advising users to treat Jaxx as a “hot wallet” for spending amounts, and not as long-term storage for life savings. Others disagreed, saying even hot wallet security should be as robust as possible to be trustworthy.
In a Medium post called “Why you shouldn’t worry about the Jaxx hack”, security consultant Egor Homakov recommended desktop app sandboxing as a solution instead. Otherwise, “If your device is hacked it’s a game over.”
In its initial report, Vx Labs suggested a strong user-chosen password to login to a wallet would help fix the vulnerability. However, as Shrem noted, even that would not protect you against a keylogger.
The concerns are understandable — even if a hacker gains access to your bank or credit card account, regulated banks generally restore the previous balance. There are no such guarantees in cryptocurrency.
Shrem: Adding 70+ New Tokens Does Not Over-Complicate Jaxx
Shrem has been director of community and business development at Decentral, the company that makes Jaxx, since early May. His role is to promote Jaxx in the cryptocurrency community and manage partnerships.
Shrem said including so many new digital assets would not compromise security. Each Jaxx installation uses its one seed phrase to generate all token wallets. That seed can also be used to regenerate all the various wallets on other software, he said.
Is Jaxx any more or less safe than other “hot” wallets out there? Let’s hear your thoughts.
Images via Jaxx, Pixabay