There was a bug found in the Jaxx.io wallet lately - anyone with 20-second access to your PC's network can get all keys to your wallets due to the seed Jaxx generates.
The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)
If you use Jaxx - move coins out ASAP.
Some people already claimed their coins were stolen. Full text - https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/
Literally right now, wallets from https://freewallet.org/ are getting cleared
If you used this service for some reason - move out ASAP.
The Wallet
Follow, Resteem and VOTE UP @kingscrown creator of http://fuk.io blog for 0day cryptocurrency news and tips!
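The difference the post describes, a hard-coded encryption key versus a key derived from a user-supplied secret, shown as an added example that is not Jaxx's code and not part of the original post. The key constant, mnemonic and function names are constructed, AES-256-GCM and PBKDF2 are assumed choices, and the PIN loop shows why a four-digit PIN is not a sufficient secret.

```javascript
// Added example: constructed key and mnemonic, not Jaxx's code or data.
const crypto = require('node:crypto');

// Hypothetical stand-in for a key constant shipped inside every install.
const APP_KEY = crypto.createHash('sha256').update('constant-in-app-bundle').digest();
// Constructed 12-word phrase (not a real wallet).
const MNEMONIC = 'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima';

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong (GCM tag mismatch).
function open(key, box) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  try {
    return Buffer.concat([decipher.update(box.ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Weak design: the key is the same constant for every user, so the stored
// file alone is enough to read the mnemonic. No user secret is involved.
function storeWithAppKey(mnemonic) { return seal(APP_KEY, mnemonic); }
function readStoredFileOnly(box) { return open(APP_KEY, box); }

// Hardened design: the key is derived from a user secret with a random salt
// and a slow KDF, so the stored file is useless without that secret.
function storeWithSecret(mnemonic, secret, iterations = 600000) {
  const salt = crypto.randomBytes(16);
  const key = crypto.pbkdf2Sync(secret, salt, iterations, 32, 'sha256');
  return { salt, iterations, ...seal(key, mnemonic) };
}
function readWithSecret(box, secret) {
  const key = crypto.pbkdf2Sync(secret, box.salt, box.iterations, 32, 'sha256');
  return open(key, box);
}

// A 4-digit PIN has only 10,000 values, so the KDF cannot save it:
// returns how many candidates were tried before the box opened.
function triesToExhaustPin(box) {
  for (let i = 0; i < 10000; i++) {
    if (readWithSecret(box, String(i).padStart(4, '0')) !== null) return i + 1;
  }
  return null;
}

function demo() {
  // Low iteration count only to keep the demo fast.
  const weakBox = storeWithAppKey(MNEMONIC);
  const strongBox = storeWithSecret(MNEMONIC, 'long user passphrase here', 1000);
  const pinBox = storeWithSecret(MNEMONIC, '0421', 1000);
  console.log('app key, file only  :', readStoredFileOnly(weakBox) === MNEMONIC);
  console.log('passphrase, bad try :', readWithSecret(strongBox, 'guess'));
  console.log('PIN, tries to open  :', triesToExhaustPin(pinBox));
}
demo();
```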
This post is about people reporting they lost funds due to using 2 wallets. It's a PSA post - Please Stay Aware.
If super skilled guys like transisto or andu want to argue about Jaxx exploit - please do it with the finder who's linked in article https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/
I'm not as skilled as you two to say he's wrong.
And people moving coins to other wallets due to my post are not losing anything, but people NOT moving coins if this PSA is real will lose.
@kingscrown, while I've enjoyed a number of your posts, I am concerned that this one crosses the line into irresponsible reporting. For those of us who are sufficiently fluent in the technical underpinnings of this Jaxx "bug", the truth is that this is a far cry from "the sky is falling". Seeing the nature of responses below from folk new to crypto confirms that your directive to "move coins out ASAP" makes this sound like everyone is screwed. Period. Which is unfortunately far from the truth. I really am sorry that I cannot Upvote this one.
As far as the "bug",
The best thing we can offer to all the newbies out there is accurate, understandable information on both the capabilities and the responsibilities of this technology. Some simple, basic steps when choosing a wallet and how we secure it can go a long way toward preventing all these supposed terrible things happening.
For those who have read this far, the effect this Jaxx function has on the safety of your coins can be compared to your physical wallet or purse(for those who carry one). Would you really want to walk down the street just hanging it out there for anyone to easily see or grab? Would you leave it unattended on a bench at the city park?
So, what should you do?
a. Keep it patched and updated.
b. Make sure you have a "not easy to guess" password or passcode.
c. As exciting as it might be to jailbreak your iPhone or Android, please don't keep your wallet on there. You are just asking for trouble.
a. Please put some kind of router/firewall between your computer and your internet connection at home (cable, DSL, fiber, whatever).
b. Think twice (or thrice) before connecting to that "Free WiFi" when you are out and about. It always comes at a cost.
So, maybe I am just a minnow swimming upstream, but for me, I am keeping my Jaxx wallet and already had protections in place to ensure no one can get access to it for the ten minutes they need to crack my backup phrase.
Thanks, I did not say anywhere everyone on Jaxx will lose money, I said if you have money there - move them for safety ;) The post was done as PSA, nothing wrong moving your coins out till this bug is fixed!
Also please notice this post is about TWO wallets of whom users reported lost coins.
All I say - move out and be safe.
Possibly most people don't get what PSA means.
PS. I do love Jaxx and my network is secure, but many people could have their networks hit.
Better be safe than sorry. If you know what you're doing - good, if you are not sure - move for now.
Exodus wallet is good to use and pretty secure, thanks for info 👍 Paper wallets all the way, don't keep your wealth in an exchange, get them offline as soon as you can😀
In case any of you are curious whether the Exodus Wallet shares a similar vulnerability, I've emailed Exodus support and received the following reply:
http://prntscr.com/fk7lib
Thank you for the information. I have Exodus and was curious if the same could happen. Regardless, just reinforcement that larger amounts of coins should be kept in paperwallets.
I hear you. For small players, though, the mining fees to keep moving your coin around adds up.
Gauge the reaction of your readers and adjust as you go.
Cheers!
All good man :)
@kingscrown what is PSA?
This is superbly put. Thank you!
Thank you for your kind words and vote!
Great post, I saw that freewallet is just scamming ETH out of so many users, it is incredible.
Please help spread the word on Twitter:
Spread this to people who still have their money tied up on Jaxx.
Jaxx_Annie said on this reddit thread (jaxx/comments/6gpurq/limit_on_send/):
"No worries! We're actually working on a new security model as we speak. We'll update you all shortly :)"
I like the Jaxx wallet so I hope they get this fixed.
Well I have been using Jaxx for the past 4 months and still using it. My Eth and Dash are still safe. And I'm going to stick to Jaxx as it is one of the best multiWallet.
I am sticking to Jaxx too as in my opinion it's not one of the best but the best multi currency wallet out there for small amounts. I have the mobile iOS version which I think is safe enough for the small amounts I keep on there. BUT what might have been safe 4 months ago can be very unsafe today and I won't hesitate to move my funds the moment I read an article that convinces me that Jaxx is unsafe for iOS.
Yes, I keep small sums on Jaxx as well. I guess it is unwise to have very large sums all in one place. If I had a large amount of crypto I'd probably split it in different places.
Yeah that's the best way to do it. Luxury problems though, wish i had those issues. ;)
By itself this problem doesn't make your eth vulnerable
Just spread words on twitter , follow https://twitter.com/Soul_Eater_43 for bitcoin updates team
I'm not worried.
Such bad reporting,
It's physical access to device storage, very hard on a pin locked phone.
This is proper reporting : https://steemit.com/cryptocurrency/@steemitguide/jaxx-security-and-exploit-allows-easy-extraction-of-the-jaxx-s-wallet-12-word-backup-phrase
Somewhat true. On a phone it's almost impossible to get to the files containing the encrypted mnemonic. Hard code encrypted as it is. The apps are sandboxed. If you choose to hold your coins on a rooted phone, well that's your problem right there.
Secondly, the desktop side which is more exposed. The hacker needs access to your drive, to your files. If you can't secure your computer to not be breached, then again, you shouldn't be holding Jaxx or any wallet on your desktop.
They are comfortable with this approach for the moment as some of the responsibility is also in the hands of the coin holder. There are also developments to increase security.
Stop spreading FUD @kingscrown. People that have these levels of breaching should get their own security on par with the industry trend. If you forget your credit card on a counter, is it the bank's fault that your funds get stolen?
Thanks, for the info. I just lost some bitcoins to hackers that stole it from my third party wallet . Security is really a BIG challenge to cryptocurrency. This will discourage many from investing in crypto.
He could be a CIA mole on Steemit--tons into cryptos, trying to sabotage anyone who makes too much money like beating down silver and gold when they rise too high. Creates lack of trust in cryptos. Theft event may also be Fake News--may never have happened. Also all browsers are viewed by CIA, NSA--anything non-encrypted. Write down password immediately on a piece of paper and delete from laptop--breach could have occurred with unencrypted password viewed by owner on laptop.
I was wondering about this. Nobody has 10 second access to my phone. I treat that thing like a physical wallet.
True and most Democrats will try to sabotage Cryptocurrencies. Democrats live on triple bookkeeping entries and ledger legerdemain. Rogues are rogues and rogues by nature destroy--that's all they do--no values. A danger to cryptocurrencies. Hundreds of CIA Deep State guys and gals are surely into cryptocurrencies trying to destroy them.
Me think you're responding to wrong comment.
Wonderful times ahead as the crypto community tries to avoid these baddies. Decentralised exchanges are one way so we can avoid by bypassing the likes of Coinbase, Kraken and other centralised exchanges.
Decentralization is probably the BEST security possible within the current system, as the per-account cost remains additive, rather than anti-log.
That will become moot when the baddies get access to quantum processing.
right... trolls everywhere . such bad reporting .
Do you use coinbase? How secure is it please and please is there any platform to trade btc in Africa?......am a crypto rookie please, pardon my intrusion!
coinbase is cool to buy crypto but don't store it there.. download Jaxx or get a Ledger S Nano hard wallet to store your crypto. Never keep crypto on an exchange like coinbase thinking it's a wallet...
If you cannot use Coinbase try Xapo
Lol upvoted
I guess if people leave their mnemonic lying around and if people don't set up a pin code then safety is pretty much zero. Otherwise I think most wallets are more or less equally safe (or unsafe? lol).
Is there a link between jaxx.io and freewallet?
Don't think so, but two wallets are getting emptied now
Also...just found this article about the security flaw that was posted yesterday??
Weird
http://www.newsbtc.com/2017/06/11/anyone-can-extract-jaxx-wallet-mnemonic-seed-developers-will-not-fix-problem/
"To put this into perspective, it appears the Jaxx team is aware of this problem. However, the team has no intention of fixing this flaw by any means."
What is going on here?
I knew it since some time but it didn't look good enough for a post here. 2 hacks.. now we are talking!
The news is going to have a field day with this...
whoa; everything about that sounds super bad -
There isn't a flaw per se. If a hacker gets access to your computer, are you really concerned just about your Jaxx data? C'mon people... keep your devices secured and nobody will steal your funds.
wow....very troubling...
It is a bit strange because Coinbase also had a lot of issues today, people couldn't access funds etc..
https://steemit.com/cryptocurrency/@digicrypt/coinbase-having-major-issues
I know it is completely different and most likely not at all related, but it is weird to see this level of disruption in the sector, especially when the markets are in a sea of red. (Other than ETH) Thank you for the heads up I will resteem this.
My ETH transaction through coinbase has been pending for over 10 days now. Withdrawn from my account but something is going on and it's starting to stink.
Horrible to see.
https://freewallet.org/ always looked like a scam. xD
Why else would you set up a shitload of wallets, and have no way to make profit?
Thanks for bringing this to the masses!
i have no idea, never heard of it till i saw all news of their wallets getting empty
damn.. never knew they had so many users...
it's always hard to trust online wallets
What kinds of Wallets do you trust most? -- So far, I like wallets that give me both an app, and an online back up - but am wondering about the actual desktop (downloadable programs) if that makes sense; I'm thinking about getting into PeerCoin and looking for a good Ripple Wallet - (other than Gatehub)
I trust all wallets where I am the only person who has the private keys ;-)
-Openledger: Decentralized Exchange
-Core wallets
-Paper wallets
freewallet is still running and i still have my balance on it though
Lucky!
Ledger Nano S has announced support for Ripple and Stratis recently, I think Lisk soon. I have just bought a matched pair (1 for use, 1 for backup) for less than $200USDT - to distribute more amongst my present Ledger Nano and airgapped machine, and paper-wallet (gift-card) regimen. At this stage of the game, hardware wallets seem the pick of the bunch, now beginning to make sense for hodling altcoins.
Definitely a scam! Wrote a post about it. https://steemit.com/steemit/@louisnelza/do-no-use-freewallet-org-steem-wallet-dodgy
Jaxx wallet? So where is the safe haven now?
So many people new to this and then find out the whole thing is as unstable as the damn banks! What does everyone recommend then?
If you download to Jaxx but then a hard wallet shouldn't you be ok?
take a look at the bitshares platform. similar security to steemit, built by @dan
good stuff.
Thanks will do
A hardware wallet is the safest bet at the current moment.
Are you talkin a wallet made from leather Or is a 'hardware wallet' a thing? Newbie here can you maybe expand on that ? :) Thanks
Look into Trezor, Ledger nano, paper wallets, etc..go from there.
Awesome, Thanks man.
Definitely, I would recommend having multiple hardware wallets (as backups) for redundancies, also make sure the wallets are offline (combination of USB Ledger + always offline laptop would work).
I can't agree more and it's like everything else it's either in your hand or not. At least a hard wallet is disconnected from any device. Thanks for the reply.
Myetherwallet.com is good, used it to register adrianroberttorres.eth which is my ether address now lol
The sooner Trezor supports much more cryptos the better for everyone.
Upvoted and resteemed. I wanted to try this wallet before as it is the only iOS wallet for Ethereum I know so far. I am so glad that I didn't do so. The wallet is closed-source and I use Bittrex to store most of my cryptocurrency instead, except Bitcoin.
get a Trezor - it can accept btc, dash, zcash, eth, etc, and all eth tokens - at the moment, I'm sure more are to follow
And recently litecoin, although its on a beta wallet server.
hmm, cool did not know that
After hearing about free 20$ dash, I wanted to give it a try but after seeing its rating on Google Play I held myself back, and went for Coinomi, glad I did.
If we can get STEEM in the news, we can get it over $5 each.
Everyone should use this Media email list (3000+ contacts)
https://steemit.com/steem/@marsresident/how-you-can-help-get-steem-in-the-news-simply-using-your-email
And send them this:
http://www.reuters.com/article/us-currency-steem-idUSKCN0ZS2MF
And this:
https://coinmarketcap.com/currencies/steem/
God that's HORRIBLE! Not the first time this happened..
Why do people use online wallets?! Stop it!
So what is a safe multi currency alternative for iOS?
I've been looking for something for weeks but keep coming up empty. I'd rather have my coins stored on my device with a paper backup but so far nothing out there is sufficient to keep my various coins in one place and accessible from my mobile so I can spend if I need them. I'd LOVE any suggestions.
Hey found you again ! Thanks good read!
And this is why closed source wallets are evil.
https://steemit.com/cryptocurrency/@kyle.anderson/no-jaxx-for-monero-not-as-big-of-a-deal-as-you-might-think
The Freewallet incident hasn't been confirmed yet. The guy who started the Reddit thread may have gotten the pitchforks in too early. He's currently in communication with their support staff.
While I do not use Freewallet (I haven't even heard of it until today) I do hope that no one is actually affected and that the issue will be resolved tomorrow. I recommend that people just keep calm and wait.
If it turns out that nothing actually happened, just maintenance or something like that, I'm sure that a lot of people will feel stupid and the company's public image terrible. It already looks like it is destroyed.
That's why it's PSA - move out, wait, see what happens
Did some research and found this blog from Jaxx CTO. Jaxx is a hot wallet suitable for small amounts of funds
http://decentral.ca/jaxx-balance-security/
scary stuff.
THANKS KINGSCROWN! :) FEPE APPROVES THIS IMPORTANT MESSAGE :)
HEY GUYS - REMEMBER!!!! ...your cryptocurrencies are safe ONLY in a cold storage wallet
Damn, that's no good
Man, this sucks. Thanks for getting the word out.
Is this FUD? Is this real? Does anyone close to Jaxx know more details?
I can't say for certain but I doubt that kingscrown would be circulating FUD around
It is FUD. The pin is being put on Jaxx yet is everyone forgetting that a hacker would need to access your actual storage first? Why aren't you securing your devices in the first place?
It's not FUD, it's PSA. I don't make any money if you lose or keep your BTC, I give advice on what people currently report.
FUD is a method used to make something worth less to gain profit. I don't get any profits, I only give a friendly hand but I'm sure any way to attack me is great.
Say I'm a bad man for trying to help others not lose money. I'm sure loads of Steemit users did use wallets in wrong spots and could have their passwords extracted.
You are causing panic with this article.
This is incorrect. A bug means something is not working as it should. The current encryption design is intended.
Ensure that you don't let intruders on your network or let them access your files and you're 100% safe.
You are not mentioning all the facts and spreading Fear, Uncertainty and Doubt.
Non-rooted Androids and non-jailbroken iPhones are not exposed to this at all due to app sandboxing! You don't make that clear and it's certainly bad reporting to mention only the sensational part.
YOU ARE MAKING MONEY from the rewards of this post. If you were so concerned about the user's safety why not post it with denied payments? Stop acting like you're doing others a favor, c'mon, you're pocketing close to 2 grand from this foolish news.
And how does the hacker open sqlite from another device on your LAN?
Hi @pastzam i wrote a post about that at the bottom are the sources
https://steemit.com/bitcoin/@angelgarz/security-problem-of-jaxx-wallet-anyone-can-extract-your-seed
Thanx
Jaxx wallet so tough
Thanks for the news- that's awful!
Making a long story short: people using these wallets should keep the Jaxx desktop app's local storage directory on an encrypted filesystem which you only mount when you're using Jaxx.
Hi kingscrown, good to see you're here at Steemit (I usually read your stuff at https://forum.bitcoin.com/kingscrown-u1564/posts/ too!!)
Thanks for the helpful info regarding Jaxx.io
You must be a bot since I post rarely there, but I'm a moderator :)
No I'm not a bot... I'm a moderator over there too.. https://forum.bitcoin.com/nandibear-u4151/
Seems like all some people do is resteem and they're making a fortune...
Where do I sign up...???
@pocketechange
So why is Eth skyrocketing? Shouldn't a massive dump be incoming?
Apparently it's a centralized wallet and they are just moving money around.
That would be great! For now all people are scared and keep posting about stolen funds.
Jaxx bug is known since some time though, it's real for sure.
Very possible stolen, at first I thought 8m ETH, no dump, impossible, 20k ETH is nothing... so quite irrelevant.
Jaxx_Annie said on this reddit thread (jaxx/comments/6gpurq/limit_on_send/):
"No worries! We're actually working on a new security model as we speak. We'll update you all shortly :)"
Some hope for people who still have their money tied up on Jaxx.
Help spread this to people who haven't heard!
This is bad news for the crypto world!
Wowzerz!!! Always protect your money guys! 🙌🏼🙌🏼🙌🏼
Everywhere scammers... sad.
what wallet is recommended and stood the test of time?
follow me and IFollow you Back.
Sorry Newbie here.😣
no problem....we all start somewhere....at Steemit we pay it forward and now you can help another :-)
Thanks. . I saw your profile..Wow.. I think you've got a huge Pay.. Is it real? ...
not me.....you have me mixed up with somebody else.
you have a lot of followers too.. Wow.
:-)
I mostly use the coin's official wallet. For Ethereum I use Mist. It's a pain in the ass to sync but then I realized there's a quick sync option which finished the whole thing in less than 5 minutes. As long as you make backups of your keystore, you should be fine.
thank you....
What about bitaddress. org for online cold storage? Any thoughts?
God....I am using Jaxx
They have to make money by any means. Never trust non open source projects
@kingscrown thank you very much for this article. It is very challenging to keep everything secured in cryptocurrency. And also followed you.
WTF
Update: I was able to get my ETH out last night around midnight Central time. The first transaction I did earlier in the day is still pending and it says because of the Bancor ICO. That was for only .01 ETH though. I'm not worried. I just got everything out. So it went through, I just don't know how...
Thanks. I've been running Jaxx for 2 weeks...thought it was the safest way to go. Any recommendations for macOS?
Thanks for such good news :)
Thanks for sharing the news.. worried about my coin. Upvoted & resteemed
Upvoted & Resteemed... I use Coinomi because I've heard good things. Can this hack happen to any wallet or only the idiots running these companies?
Watch the address taking all the ether: https://etherscan.io/txs?a=0x11b85b4e2fadaebe04a251377aa35b9be3c785f0&p=92
No, it can only happen to idiots who do not PHYSICALLY SECURE their hardware- which, given the attitude of Jaxx management, they assume they're immune to this attack, and probably are.
Love will save the world!