Cheetah Mobile, a Chinese mobile app company, recently released a report claiming to have found security vulnerabilities in two popular Bitcoin crypto wallets – Jaxx Blockchain Wallet and Bitcoin.com wallet.
Note that the company also just released their very own crypto wallet in the space called SafeWallet. Their white paper lists a number of tenets to follow when choosing a safe crypto wallet.
Cheetah Mobile has claimed to have notified both wallets of its findings.
Reported Vulnerabilities
The Blockchain Research Lab arm of the company discovered these problems within each individual app. For example in the Bitcoin Wallet, mnemonic phrases were saved in plain text format within the app. As this file format: “/data/data/com.bitcoin.mwallet” exists within the phone’s operating system as a plain text – there is a possibility that a rogue app could gain ROOT access to to the system. If a user installs a malicious app, one that’s targeting a known BTC holder for example – they could gain access to the mnemonic phrases and compromise their private keys.
The way that Jaxx decrypts their private key files is by using an AES encryption algorithm. The U.S. National Institute of Standards and Technology essentially considers this method as the gold standard of encryption, as it is the federal government standard. Cheetah Mobile makes no qualms into the security of this method, but claims that the Jaxx developer team has made a mistake in implementation. The AES-encryption was directly put into the app’s code rather than through random generation.
The fear is that once encrypted private key files have been taken and easily decrypted, user’s crypto wallets could be drained. Other third parties have found security flaws within Jaxx too. Like the fact that it stores your profile within an %APPDATA% folder. All of the information needed to access your account is within this file. If you were to take this data out and of the folder and open it up another PC – all of your information is there without the need to re-authenticate.
With this information a keen hacker could withdraw from your entire wallet in a few minutes without any additional authentication.
Room for Crypto Wallet Cooperation?
Throughout the years, there have been numerous hacks and attacks to both wallets and popular exchanges. Mt.Gox, which in 2014 was trading 70% of all bitcoins, was completely knocked out of commission. Popular exchanges like BItstamp have even been the victims of large scale hacks because of security flaws.
Rather than using security vulnerabilities in some one upmanship game of product differentiation, commercial entities within the wallet industry have an opportunity and responsibility to keep each other safe. A kind of Antivirus model in the crypto wallet space could foster an environment of increased security.
Standard security practices could be implemented and enforced so that the end consumer knows for a fact that they’re covered when they use a crypto wallet. This would by no means be a draconian measure forced on unwilling developers, but would instead set a guideline for security.
Have a favorite crypto wallet? Discuss it in our Telegram Group.
Comments