Categories: CryptoNews

Bitcoin Wallet and Jaxx Blockchain Wallet Contain Major Security Flaws

Cryptocurrency wallets have always presented a mix of convenience and potential security issues. For the most part, the top cryptocurrency wallets do not suffer from any major vulnerabilities. In the case of Jaxx and Bitcoin.com’s Bitcoin Wallet, things are very different. Cheetah Mobile Blockchain Research Lab recently highlighted some major security flaws affecting both of these wallets.

Bitcoin.com’s Bitcoin Wallet Flaws

The research which Cheetah Mobile Blockchain Research Lab provided us paints a worrisome outlook for Bitcoin.com’s Bitcoin wallet. Given its widespread popularity, it is even more worrisome to learn that this software has a big problem under the hood. More specifically, the mnemonic phrases – or recovery seeds – used by the

Bitcoin Wallet are stored in plain text in the local “mwallet” file. While that may not seem worrisome to the average consumer, it poses a big risk to users.

Given how easy it is to hack mobile phones these days, an assailant could easily access this unencrypted file. With the information stored inside this “document”, he or she could obtain the mnemonic phrase and import the user’s wallet into a different client without recourse. It is an unsafe practice in general, and it raises the question as to why the developers thought this would be a good idea in the first place.

What is even more problematic is that a hacker would not require root access to exploit this vulnerability. Once a mobile phone is infected with malware of any kind, the backdoor is created to give the assailant access to files such as this one. It is unclear if anyone has had their assets stolen in this way, but we can only hope to see the wallet developers address this problem in the very near future. Problems like these can have disastrous consequences for users and developers alike.

Related Post

Jaxx Blockchain Wallet Risks

Unfortunately, it also seems the Jaxx Blockchain Wallet is at risk right now. Although no one should use this wallet to store large amounts of cryptocurrency for longer periods anyway, it seems there is a simple process associated with stealing user funds. More specifically, acquiring and decrypting one’s private key data files appears to be a piece of cake. Cheetah Mobile Blockchain Research Lab shared two methods by which these weaknesses may be exploited.

Firstly, having physical access to a phone with the Jaxx wallet can be problematic. More specifically, nefarious individuals can use Android’s backup mechanisms to save a user’s private key file on an unsecured device. This is made possible due to a lackluster attitude by the Jaxx developers regarding the “Android allowBackup” feature, which has been left enabled since day one. It’s a grave oversight by this team, but fortunately it’s one that can be fixed with relative ease.

Secondly, it is possible to exploit one of the many Android operating system weaknesses to bypass security barriers. Even though Jaxx does encrypt private key files, it is still possible to crack the AES encryption algorithm. It seems the Jaxx team made a “major mistake” in this regard, as they hard-coded the encryption algorithm in the app’s code. Nothing about it is randomly generated, which makes decrypting this information almost a cakewalk.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

Share
Published by
JP Buntinx

Recent Posts

Cheems Surge On BSC Network: A Rising Star With Growing Market Value

The Cheems token on the Binance Smart Chain (BSC) is gaining significant momentum, surging by…

8 hours ago

Lester Token Crashes 40% Following Official Announcement

The value of $LESTER plummeted by 40% in the past 24 hours, leaving its market…

8 hours ago

From $30K To Millions: The Wild Journey Of $Quant And Xiaohaige’s Memecoin Stunts

In a bizarre turn of events, a young live-streamer known as Xiaohaige created the memecoin…

8 hours ago

Whale “convexcuck.eth” Makes Bold $CVX Move, Nets Significant Profit Amid Price Surge

The crypto whale known as "convexcuck.eth" has made waves in the DeFi world, spending $2…

8 hours ago

$ELIZA Token Launch Marred By Insider Trading Allegations

The launch of $ELIZA, a token introduced by Andreessen Horowitz (a16z) partner @shawmakesmagic, has sparked…

8 hours ago

Cardano’s Rally Highlights Diverging Moves Among Investors

Cardano ($ADA) has been making waves in the crypto market, breaking away from the altcoin…

8 hours ago