Reports are surfacing of a ‘vulnerability’ in the Jaxx wallet that has led to at least $400,000 in customer funds being stolen.
A report published this weekend on the wallet’s insufficient backup phrase storage methods has now been updated to include reports that hackers are already exploiting the problem to steal cryptocurrency from users.
A researcher from Vx Labs highlighted the problem Friday, saying they had “successfully” tested the vulnerability and seen that it worked.
“Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down,” the report reveals. “Jaxx does not have to be running for this to happen.”
An update subsequently linked to users confirming they had lost Ethereum (ETH), Ethereum Classic (ETC) and Zcash from Jaxx. These losses appear to total at least $400,000.
Nonetheless, Nilang Vyas, CTO of Jaxx & Decentral, said on Reddit there were no plans to alter the wallet’s security setup.
“We are very comfortable with this security model for hotwallets,” he wrote.
“The fact is there will always be tradeoffs between user experience, portability and security and we believe we’ve struck a great balance.”
Vx meanwhile “strongly recommended” users “avoid” Jaxx in future.
“In the future users will be able to secure their Jaxx wallet with both Trezor, Ledger and our own hardware wallets,” Vyas continued. “Until that time, please use Jaxx as a hot wallet for small amounts, and use hardware wallets for larger amounts.”
Correction: After publication of the article below, Jaxx requested acknowledgment that the "theft" of coins referred to is based on unsubstantiated source material, and that a security vulnerability or any other error on the part of Jaxx has not been definitively proven.