Bitcoin Wallet and Jaxx Wallet at Threat
March 5, 2018
Research by Cheetah Mobile Blockchain Research Lab gives causes for grave concerns about one of the largest bitcoin wallets Bitcoin.com. Putting it more exactly, mnemonic phrases used by the service are stored locally as “mwallet” test file.
Provided mobile phones can be easily hacked today, attackers can get access to this clear file without a hitch. With the information it contains they obtain a mnemonic phrase and irrevocably import client’s wallet to another user.
Another problem is that hacker has no need in root-access for making use of that vulnerability. It is yet unclear whether somebody already had their funds stolen this way.
Jaxx Blockchain Wallet is also at risk.
First, hackers may use Android’s backup tools for saving user’s private key file at unprotected device via «Android allowBackup».
Second, they may bypass one of the many Android OS vulnerabilities to beat its security. Despite Jaxx still ciphering privacy key files it is still possible hacking AES cryptographic algorithm. Tha Jaxx team has made a blunder in this respect as they have put cryptographic algorithm right in the app’s code. To put it another way, nothing is generated randomly here which makes deciphering this information a child’s play for hackers.