A Problem With Jaxx Cryptocurrency Wallet Security

The word “crypto” may give off the impression that something is secure, but the world of cryptocurrency has quickly taught me that there’s still a lot to be cautious about. It doesn’t really take long to become fairly well-versed in cryptocurrency, but many beginners are going to find themselves stumped at times. And it’s those people who need the most protection.

At present, cryptocurrency hasn’t quite hit the mainstream, but it seems to be generally agreed-upon that a future with everyone using crypto would be a great thing. Payments will be easier, cheaper, and quicker. Plus, imagine being able to use the same currency regardless of the country you’re in. That’s the kind of reality a currency like Bitcoin, and the myriad other so-called altcoins, could make.

In my writeup of NiceHash a few weeks ago, I ousted myself as being a complete idiot at crypto. Friends have told me for ages to get into it, but for various reasons, I begrudged. When the time came to find a wallet, a friend told me he had great experiences with Jaxx, and with my limited experience, so did I.

As far as I can tell, Jaxx offers the same level of standard fare security as the majority of offline wallets, but if you stay strictly on mobile, and keep your own phone secure, you’re largely safe. On Windows, Linux, and Mac, I wouldn’t consider the same to be true.

I installed Jaxx on Windows about a month ago to check it out, but it had some UI bug that led me to uninstall it. I decided to try it out again last week, and to my surprise, after reinstalling the application, my cryptocurrency wallets were all left in-tact from last time. I figured the uninstall process was all-encompassing, but it clearly wasn’t.

More About Jaxx

Cryptocurrency wallets are a DOGE a dozen, but Jaxx’s claim to fame has been ease-of-use, especially with regards to creating additional wallets for many different currencies. Its cross-platform support hasn’t hurt, either. Even better: the app has ShapeShift built-in, allowing users to easily convert one crypto to another.

When you run Jaxx for the first time, you’ll be asked to go the express or custom route, and my biggest mistake was not choosing the latter from the get-go. At the time I first installed Jaxx, I really didn’t know what I was doing, so I assumed the express route would be good enough. Not so, because the custom route makes sure you actually know to backup your 12-word phrase, as well as set up a PIN.

If you happen to set up that PIN, you’re more secure than anyone who’s not, but a 4-digit PIN code is going to be a joke for those who know what they’re doing. Based on this article, that’s absolutely true. Again, on mobile, you’re much, much safer. Unless you also use a desktop version.

Based on that article, which I found only as I was writing this, this problem has always existed, and has even been known about. When I discovered it, I figured no one could have surely known that this issue existed and nothing had been done about it.

I mentioned a 12-word phrase before, and that’s just as it sounds: a simple set of English words that together create a protected wallet. On any other device, you can use these words to restore the entire “account” (if you will). If you lose this phrase, you lose access to your wallets.

Well, that’s unless someone finds your Jaxx profile folder on the desktop, because as soon as they have it, they can retrieve those 12 words with laughable ease. The same applies to every private key that cache holds. Maybe an attacker could use those words to rip you off immediately, or simply sit on them. You’d never know you were compromised, after all.

The Problem

Like many applications, Jaxx stores your user profile in the %APPDATA% folder, also known as ‘Roaming’. This is found inside your user folder, which is hidden by default. The ‘jaxx’ folder created after install is an effective cache, with every last bit of information needed to access the account.

If this data were protected, this article wouldn’t exist. What’s inside this folder doesn’t really matter, because simply reading the files isn’t going to tell you anything. But if you take the data inside the folder and move it to the same cache folder on another PC, you may be surprised to find out that you don’t need to re-authenticate anything.

Jaxx and its profile folder in Windows

... and Linux

... and macOS.

In a nutshell: if someone gains access to your Jaxx profile folder on Windows, Linux, or Mac, every single one of your cryptocurrency wallets will be compromised. I sent my profile folder to trusted friend and Techgage Senior Editor Jamie Fletcher, and within minutes, he sent money out of my Jaxx wallet to another address I provided, all without authentication. Because he had full access, he was also able to send me back the 12-word phrase that keeps everything “secure”.

If you test this out for yourself, and you don’t see your transactions on the second install, using the in-application option to regenerate the cache will fix the problem. The entire process can be seen in this video:

If Jaxx either required or offered as an opt-in an option to set a real password on the application, the entire thing could be encrypted, and this issue wouldn’t exist. But because convenience has been weighed above security here, these completely unsecure wallets just sit on PCs, waiting to be snatched. And again, a 4-digit PIN is not much of a foe for a skilled attacker.

Being that this unsecure folder requires access to the PC to fetch, it could be argued that this isn’t much of an issue. However, there are countless scenarios where this kind of weak security could rear its ugly head. Malware is a good start, along with phishing attacks, and other general scams. And if the attack vehicle isn’t software, it could be hardware.

What about computer shops with dishonest employees, or any other scenario where people could have physical access to the machine the wallets are stored on? A great example would be a dorm room. And look no further than vulnerabilities like Spectre and Meltdown, two of the widest-reaching hardware bugs ever that could give attackers access to what’s supposed to be protected memory.

Is this kind of reality not enough proof that we should be protecting our data better? Especially the data that houses our digital cash? It doesn’t matter if you have 1% of a Bitcoin, or 100 Bitcoin. Would we accept this from a bank application?

What Does Jaxx Say?

After I discovered this issue, I contacted Jaxx’s developer Decentral to submit a bug report. I heard back fast from a very helpful employee, although I could immediately tell that this wasn’t an issue that’d be fixed soon. I’m not going to publish the email, as it was never meant to be an official statement.

Ultimately, I emailed the right person at Decentral for an official statement, and told the company I’d hold off on publishing this article to give it a fair shake at determining whether or not, maybe, this issue deserves being fixed. This was before I realized this article I linked to before existed, which essentially reveals the problem, even if it’s not looking at it from the same explicit angle.

Official Decentral response on this issue from last summer

I found that article through an eight-month-old thread at Jaxx’s official subreddit. Inside the thread is Decentral CTO Nilang Vyas largely repeating what I was told. Decentral weighs convenience over security in some instances, and explicitly where this %APPDATA% folder is concerned (I am not saying all of Jaxx is unsecure by any stretch), the company’s fine with the trade-off.

In the same thread, Vyas gives some solid advice: “Please please please, if you do not feel comfortable with our security model do not use our products.” That’s a fair statement, and advice I’ll personally heed, but I’ll go out on a limb and say the vast majority of users are not even going to be aware of what the security model is. They’re just going to assume that they’re safe.

I’m waiting for the company to provide me with an official response (I didn’t expect one by this point), and will update this article when it’s received. Based on the response linked-to above from 8 months ago, and what I heard from customer support, I don’t believe the company is interested in changing anything. So if you’re a Jaxx user and think this is poor design, it wouldn’t hurt to let Decentral know.