According to a report from Vx Labs, a vulnerability that allows hackers to steal cryptocurrencies from users has been discovered in popular cross-platform cryptocurrency wallet Jaxx, and has reportedly already led to $400,000 being stolen.
The report, published on Friday, shows its possible for hackers to extract a 12-word backup phrase, copy it, and then use it to restore the user’s wallet with all the private keys in it, so then all that’s left to do is transfer the funds to a wallet the hacker’s wallet.
The report reads:
Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.
Monero developer Riccardo “FluffyPony” Spagni tweeted about the report, presumably so something could be done about the vulnerability now that it was public, but nothing was done before users started reporting lost funds, as hackers took advantage of the vulnerability.
An update published on Altcoin Trading shows that users have already reported losing as much as $400,000 in Bitcoin, Ethereum, Ethereum Classic, and Zcash. Users who only use Jaxx on their smartphones are reportedly safe, although those who use desktop versions of the wallet may be at risk.
On Reddit, Jaxx & Decentral CTO Nilang Vyas stated that Jaxx is a hot wallet in which users shouldn’t keep large amounts, and that they believe to have found a balance between easy-of-use, security, and portability.
The CTO asked users not to use Jaxx if they are not comfortable with its security model, stating:
Please please please, if you do not feel comfortable with our security model do not use our products. We’re are creating for the masses a multi-platform, multi-coin interface for the blockchain ecosystem where users are in full control of their digital lives.
According to the post, the team behind Jaxx is “very comfortable” with its security model for hot wallets, and recommends users store large amounts of funds in hardware wallets. At the end of the post, he pointed out that in the future users will be able to secure their wallets using Trezor, Ledger, and Jaxx hardware wallets.
Based on the Nilang’s response, Vx Labs recommends users stay away from Jaxx if it does not fix the vulnerability.
Featured image from Shutterstock.