Cryptocurrency wallets have always presented a mix of convenience and potential security issues. For the most part, the top cryptocurrency wallets do not suffer from any major vulnerabilities. In the case of Jaxx and Bitcoin.com’s Bitcoin Wallet, things are very different. Cheetah Mobile Blockchain Research Lab recently highlighted some major security flaws affecting both of these wallets.
Bitcoin.com’s Bitcoin Wallet Flaws
The research which Cheetah Mobile Blockchain Research Lab provided us paints a worrisome outlook for Bitcoin.com’s Bitcoin wallet. Given its widespread popularity, it is even more worrisome to learn that this software has a big problem under the hood. More specifically, the mnemonic phrases – or recovery seeds – used by the Bitcoin Wallet are stored in plain text in the local “mwallet” file. While that may not seem worrisome to the average consumer, it poses a big risk to users.
Given how easy it is to hack mobile phones these days, an assailant could easily access this unencrypted file. With the information stored inside this “document”, he or she could obtain the mnemonic phrase and import the user’s wallet into a different client without recourse. It is an unsafe practice in general, and it raises the question as to why the developers thought this would be a good idea in the first place.
What is even more problematic is that a hacker would not require root access to exploit this vulnerability. Once a mobile phone is infected with malware of any kind, the backdoor is created to give the assailant access to files such as this one. It is unclear if anyone has had their assets stolen in this way, but we can only hope to see the wallet developers address this problem in the very near future. Problems like these can have disastrous consequences for users and developers alike.
Jaxx Blockchain Wallet Risks
Unfortunately, it also seems the Jaxx Blockchain Wallet is at risk right now. Although no one should use this wallet to store large amounts of cryptocurrency for longer periods anyway, it seems there is a simple process associated with stealing user funds. More specifically, acquiring and decrypting one’s private key data files appears to be a piece of cake. Cheetah Mobile Blockchain Research Lab shared two methods by which these weaknesses may be exploited.
Firstly, having physical access to a phone with the Jaxx wallet can be problematic. More specifically, nefarious individuals can use Android’s backup mechanisms to save a user’s private key file on an unsecured device. This is made possible due to a lackluster attitude by the Jaxx developers regarding the “Android allowBackup” feature, which has been left enabled since day one. It’s a grave oversight by this team, but fortunately it’s one that can be fixed with relative ease.
Secondly, it is possible to exploit one of the many Android operating system weaknesses to bypass security barriers. Even though Jaxx does encrypt private key files, it is still possible to crack the AES encryption algorithm. It seems the Jaxx team made a “major mistake” in this regard, as they hard-coded the encryption algorithm in the app’s code. Nothing about it is randomly generated, which makes decrypting this information almost a cakewalk.
