Jaxx Hack: More Than $400k Stolen

By Amelia Tomasicchio
Published Jun 16th, 2017
Jaxx Hack: More Than $400k Stolen

According to a recent report, a vulnerability in the Jaxx wallet lead to about $400,000 funds being hacked. As written in the report, the 12-word set users use as a password is too easy to decipher and hackers can steal easily: “Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.” So the hackers are basically exploiting this failed wallet backup phrase storage method.

VX Labs Researcher Reports on Jaxx Hack

This is what the researcher from VX Labs highlighted on Friday: “The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. […] This means we can easily read and decrypt the full recovery phrase from local storage using sqlite3 and some straight-forward code.”

Jaxx Replies

After the publication of the VX Labs Report, the CTO of Jaxx and Decentral, Mr. Nilang Vyas, wrote a post on Reddit with some questionable answers to the VX Labs researcher. Vyas replied with a long post explaining the security features of Jaxx. They read as follows:

  • Jaxx is a hot wallet suitable for small amounts (similar to your regular wallet in your pocket) that connects to the internet in order to push transactions and show balances.
  • As a hot wallet, we believe we have found an appropriate balance between ease-of- use, portability, and security.
  • Jaxx IS NOT cold storage. For large amounts we recommend hardware wallets.
  • Jaxx master backup seed is created, encrypted, stored client-side and never sent to any servers.
  • Jaxx allows for easy pairing across all devices (thus seed cannot be encrypted by a secondary pin or password when pairing as it wouldn’t be portable / pairable without account / servers)
  • We expect Users to maintain control of their devices, and we strongly encourage the use of on- device security (ie pin, fingerprint, retina, etc.) in order to secure your ENTIRE device.
  • Jaxx offers the option of a 4 digit PIN to further secure your wallet. If activated this PIN will be required when sending, changing PIN, and when displaying the master seed.
  • Should someone get access to your device your lines of defense are a) on-board device features b) encrypted master seed c) Jaxx PIN

A Bad Feeling After the Jaxx Hack

So, this means that Jaxx is not a cold wallet. Basically, users should refrain from storing substantial amounts of cryptocurrency in the wallets. Larger amounts should be stored in hardware wallets and the Jaxx team won’t fix any security issue. This clearly sounds like an excuse and it doesn’t justify the theft. Jaxx had serious shortcomings, and it should have been clearer about the features of its wallet from the get go. There is no doubt that the Jaxx hack will go down as an infamous one, even if it was not on of the biggest hacks in the history of the industry.

Click here to read the VX Labs report.