{"id":7983,"date":"2020-01-29T23:23:25","date_gmt":"2020-01-29T21:23:25","guid":{"rendered":"https:\/\/forklog.media\/?p=7983"},"modified":"2020-01-30T23:47:58","modified_gmt":"2020-01-30T21:47:58","slug":"dont-trust-the-wallet-in-apartment-23-what-bitcoin-wallets-have-worst-reputation-and-why","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/dont-trust-the-wallet-in-apartment-23-what-bitcoin-wallets-have-worst-reputation-and-why\/","title":{"rendered":"Don\u2019t Trust the Wallet in Apartment 23: What Bitcoin Wallets Have Worst Reputation and Why"},"content":{"rendered":"

Choosing a crypto-wallet is usually one of the first challenges that a rookie cryptocurrency user has to face. Of course, the internet is full of guides on how to make the choice. Those guides can be good or bad, reasonable or silly, free or sponsored, and so forth. Still, while such reviews are abundant, there are much fewer pieces speaking about what NOT to choose.\u00a0<\/span><\/p>\n

<\/p>\n

We asked <\/span>Jeff Fawkes, a cryptocurrency investigator, to take a look at the wallets that he believes people should avoid. In this piece, he speaks about the bad seeds and explains in great detail what is wrong with them and why rookies should keep away. Even though it\u2019s Mr. Fawkes\u2019 personal opinion that we not necessarily share, his investigation shows that at least part of the crypto-community does. And this fact alone makes it worth the attention.<\/span><\/p>\n

Exodus<\/span><\/h2>\n

Having funds stolen is sadly a typical complaint on Exodus. The story is usually the same: people say that they have lost the money from their Exodus wallet and they don’t know how it happened. Then, some very attentive support officer helps the user to conduct an “investigation.” But the result is usually the same: the user can kiss their money goodbye. But why does this happen?<\/span><\/p>\n

When you have installed the wallet and launched it for the first time, it writes the seed phrase on the hard drive without encrypting it first.<\/span> The seed file is pretty important since it contains the key that allows spending your assets. Since the seed file is only encrypted with the user’s password, the wallet will remain largely unprotected for a while after the first launch. Exodus probably uses this as a psychological trick to make new users stay with the wallet. The app waits until the first deposit and only then gives the user a chance to encrypt the wallet’s seed file with a password and store the backup.<\/span><\/p>\n

Since the wallet file remains unencrypted for some time while the user “considers” using the wallet, malware on your PC can read the seed phrase in it. This is a huge security hole in the wallet because a hacker can theoretically access your wallet long before you send money there.\u00a0<\/span><\/p>\n

Another point of concern is the fact that Exodus uses closed-source code, which is generally not typical for the crypto-industry. Cypherpunks who love Bitcoin tend to check the code of the apps before storing coins in them. A closed-source app is a joke for the researcher. You cannot compile the binaries by yourself or study the code. The Exodus team\u2019s explanation is that making closed-source crypto wallets is a business model to them, and their code needs protection.<\/span><\/p>\n

There is also a high chance that Exodus stores seed files of all users on its servers.<\/span> How else can it use the “E-mail Backup Feature” to restore the private keys from the Internet link pointing to Exodus servers?<\/span><\/p>\n

\"Don\u2019t<\/a><\/p>\n

Exodus’ e-mail backup setting<\/em><\/span><\/p>\n

If so, the seed files again remain available for any hacker who manages to crack your wallet and e-mail. Since the wallet sends the recovery link to your mail, it looks convenient but is a fantastically large security hole. If a hacker obtains your wallet password, e-mail password, or both, they control your coins as well. Without taking the seed phrase off from the link itself or from the Exodus servers, the “backup feature” will not work.<\/span><\/p>\n

So if you had a password like 54321 or terminathr999, it’s very easy to brute-force it, and take control over the coins. The official website, however, claims that the user should maintain password complexity. Meanwhile, the app itself gives no warnings that this exact password will be used to encrypt the wallet file containing private keys and then to send it over to some servers. Presumably, Microsoft AZURE ones.<\/span><\/p>\n

We still don’t know the format in which Exodus servers store wallet files. Is it comfortable for hackers to brute-force them or not? What is the encryption method that the wallet itself uses? Some Reddit users <\/span>are not happy<\/span><\/a> about it.<\/span><\/p>\n

Additionally, in 2018, Exodus twitted that they “generally do not recommend storing the seeds online.”<\/span><\/p>\n

\n

Hi Andreas! You're not forced to save the email backup link, it's fine to skip that part of the backup process if you wish. We generally don't recommend storing seed phrases (especially unencrypted) online. Keeping multiple copies offline in secure areas should help with that -KC<\/p>\n

— Exodus (@exodus) September 24, 2018<\/a><\/p><\/blockquote>\n