Exodus wallet has bad privacy and security


    When I started looking to move from holding only bitcoin to holding bitcoin and altcoins, the biggest hindrance was where to put all the different cryptos. I did not want to bother with 5 different wallets. Good multi-currency wallets are key to diversifying and decentralizing the crypto ecosystem.

    I tried Exodus and within 5 minutes I could see that the privacy and security were unacceptable. All the problems I mention are quite easy to fix and would have minimal impact on ease of use.

    Exodus forces address reuse

    For each crypto you get 1 receiving address, that’s it. This goes against a basic crypto 101 privacy and security best practice: don’t reuse addresses; use a unique address for every transaction.

    Using 1 address for all your receiving transactions makes it easy for anyone you get a payment from to look up all the other payments you have received and to see the total amount of funds you hold in that currency on Exodus!

    It makes it easier for spies, hackers, advertisers, et cetera to see patterns, build a profile and connect your crypto transactions to your real-world identity.
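    To make the exposure concrete, here is an added example (not code from the original post or from Exodus) that models a few constructed transactions and shows what a single payer can learn by looking up the address they paid: with one reused receiving address they see every other deposit and the running total, with a fresh address per payment they see only their own. It also carries the generalization a step further: even unique addresses get linked again once the wallet spends from several of them in one transaction (the common-input-ownership heuristic), which is why the wallet's own coin selection matters as much as handing out fresh addresses. All addresses and amounts are placeholders.

```python
"""Added example, not code from the original post or from Exodus: what a payer
can learn about you from a reused receiving address, versus one address per
payment, and how spending from several addresses at once links them again.

All chain data below is constructed; the address labels are placeholders."""

# Each transaction lists the addresses that signed its inputs and the
# (address, amount_in_satoshi) outputs it created.
TXS_REUSED = [
    {"inputs": ["payer_alice"], "outputs": [("wallet_A", 10_000_000)]},
    {"inputs": ["payer_bob"],   "outputs": [("wallet_A", 25_000_000)]},
    {"inputs": ["payer_carol"], "outputs": [("wallet_A", 100_000_000)]},
]

# Same three deposits, but the wallet handed each payer a fresh address.
TXS_UNIQUE = [
    {"inputs": ["payer_alice"], "outputs": [("wallet_A1", 10_000_000)]},
    {"inputs": ["payer_bob"],   "outputs": [("wallet_A2", 25_000_000)]},
    {"inputs": ["payer_carol"], "outputs": [("wallet_A3", 100_000_000)]},
]

# Unique addresses, followed by a spend that consumes A2 and A3 together.
TXS_UNIQUE_MERGED = TXS_UNIQUE + [
    {"inputs": ["wallet_A2", "wallet_A3"],
     "outputs": [("merchant", 120_000_000), ("wallet_change", 5_000_000)]},
]


def cluster_addresses(txs, start):
    """Common-input-ownership heuristic: every address that signs the same
    transaction is assumed to belong to the same wallet. Starting from one
    known address, keep absorbing co-signers until nothing new appears."""
    owned = {start}
    grew = True
    while grew:
        grew = False
        for tx in txs:
            signers = set(tx["inputs"])
            if signers & owned and not signers <= owned:
                owned |= signers
                grew = True
    return owned


def observer_view(txs, known_addr):
    """What someone who knows only `known_addr` (e.g. because they paid it)
    can see: every deposit into the clustered addresses and their total."""
    owned = cluster_addresses(txs, known_addr)
    deposits = []
    for tx in txs:
        if set(tx["inputs"]) <= owned:
            continue  # the wallet's own spend, not an inbound payment
        for addr, amount in tx["outputs"]:
            if addr in owned:
                deposits.append((tx["inputs"][0], amount))
    return {
        "linked_addresses": sorted(owned),
        "payers_exposed": sorted(p for p, _ in deposits),
        "total_received_sat": sum(a for _, a in deposits),
    }


if __name__ == "__main__":
    # Alice paid once and looks up the address she was given.
    print("reused address :", observer_view(TXS_REUSED, "wallet_A"))
    print("unique address :", observer_view(TXS_UNIQUE, "wallet_A1"))
    # Bob paid A2; after the merged spend he also sees Carol's deposit to A3.
    print("unique + merge :", observer_view(TXS_UNIQUE_MERGED, "wallet_A2"))
```

    Running it prints three views: the reused address exposes all three payers and 1.35 BTC; the unique address exposes only Alice's own 0.1 BTC; and after the merged spend Bob can link A2 to A3 and sees Carol's 1 BTC as well. The defensive takeaway for a wallet is that fresh receive addresses only help if the wallet also avoids needlessly combining inputs from different addresses when it spends.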

    Exodus accepts insecure passwords

    In Exodus’ own promotional video you can see the founder using what he and the software call a very strong password, “bob-the-fish”. Other password strength indicators grade it as weak and say a computer would crack it in about 1 day.

    Exodus does not enforce what it calls very strong passwords. Here are examples of what Exodus allows as “okay” passwords.

    123a
    abc1
    bitcoin
    ether
    dash
    litecoin
    dogecoin
    password!
    password12
    Passwor
    1234567891
    9571 (any 4 characters that don’t make a word or pattern)
    qwertyuio (top row of keyboard)

    Password strength indicators rate these as very weak and estimate they would take less than 1 second to crack! Yet Exodus thinks this is acceptable security for software that holds money with irreversible transactions and no recourse for theft!

    Also note that passwords are displayed in plain text as you enter them, as per the image above. All of this violates basic info security 101.

    An adversary could use this password to take your funds if they had access to your machine or to your email, because Exodus emails you a backup link.
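    As an added example (not code from the original post or from Exodus, and not the zxcvbn library that Exodus' co-founder mentions in the comments), here is the kind of minimal acceptance policy a wallet could enforce instead of merely grading passwords: reject anything short, all-digit, built only from dictionary words, or containing a keyboard-row run. The 12-character minimum and the tiny word list are assumptions chosen so the post's own sample passwords, including “bob-the-fish”, are all rejected; a real deployment would use a large dictionary and leaked-password lists.

```python
"""Added example, not code from the original post or from Exodus: a minimal
password acceptance check of the kind a wallet could enforce before accepting
a password. It is a hand-written heuristic, not the zxcvbn library; the
12-character minimum and the tiny word list are assumptions for illustration."""
import re

MIN_LENGTH = 12  # assumed policy value, not an Exodus setting

# Constructed, deliberately tiny word list. A real check would load a large
# dictionary plus leaked-password lists; this one just covers the post's samples.
COMMON_WORDS = {
    "password", "bitcoin", "ether", "dash", "litecoin", "dogecoin",
    "bob", "the", "fish", "exodus", "wallet", "abc",
}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Sample passwords from the post that Exodus reportedly rated "okay" or "very strong".
POST_SAMPLES = ["123a", "abc1", "bitcoin", "ether", "dash", "litecoin",
                "dogecoin", "password!", "password12", "Passwor",
                "1234567891", "9571", "qwertyuio", "bob-the-fish"]


def _has_keyboard_run(s, n=4):
    """True if `s` contains n or more adjacent keys from one keyboard row,
    in either direction (e.g. 'qwer', '4321')."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - n + 1):
                if seq[i:i + n] in s:
                    return True
    return False


def password_problems(pw):
    """Return the list of policy violations for `pw`; empty means acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        problems.append("digits only")
    # Split on anything that is not a letter, so "password12", "password!"
    # and "bob-the-fish" reduce to the dictionary words they are built from.
    words = [w for w in re.split(r"[^a-z]+", low) if w]
    if words and all(w in COMMON_WORDS for w in words):
        problems.append("made only of common words")
    if _has_keyboard_run(low):
        problems.append("keyboard-row pattern")
    return problems


def is_acceptable(pw):
    """A wallet would refuse to set the password unless this returns True."""
    return not password_problems(pw)


def rejected_samples():
    """Every sample from the post, with the reasons a policy like this rejects it."""
    return {pw: password_problems(pw) for pw in POST_SAMPLES}


if __name__ == "__main__":
    for pw, why in rejected_samples().items():
        print(f"{pw!r:16} rejected: {', '.join(why)}")
    print("Tq7#vLm2!pRx9 accepted:", is_acceptable("Tq7#vLm2!pRx9"))
```

    The point of returning a list of reasons rather than a score is that the user is told exactly what to change, and the wallet never stores funds behind a password the policy would not accept. The check is deliberately conservative: it will also reject some passwords a full estimator would accept, which is the right trade-off for software holding irreversible money.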

    Exodus is closed source

    These obvious major flaws in basic privacy and security, which I found in 5 minutes, suggest Exodus either doesn’t care and/or is incompetent when it comes to privacy and security for its users.

    That is why Exodus being closed source is such a problem. You have no way to know what other mistakes they have made. Given the above it’s reasonable to assume there are more mistakes hiding in the code and that they are potentially serious.

    And another thing!

    Also note that there is no 2 factor authentication available.

    All of this also makes me wonder about the glowing reviews I have seen for Exodus. I guess reviewers like Cryptocompare, 99bitcoins and all these youtubers just see a pretty design and give 9/10.

    Exodus is a beautiful wallet with huge potential if they fixed these few issues.

    Alternatives

    A great multi-currency wallet is Edge. It’s from the team that previously made Airbitz. It has very good security and is beautiful and easy to use. Unfortunately it is mobile only, with no desktop version. This is the multi-currency wallet I recommend.

    A multi-crypto wallet I tried on desktop is Jaxx. With Jaxx you can use unique addresses. Jaxx’s PIN is weak, but an adversary can only take advantage of that if they have access to your machine (with Exodus’ password it’s your machine or your email).

    Jaxx is from the guys at Decentral who have a long and positive history in the space. They have come under criticism for security problems themselves though.

    Coinomi is an often recommended, open source, multi-currency wallet for android but I have not used it myself.

    Have fun multi-coining!

    39 comments

    1. Anonymous

      Please do not recommend JAXX over Exodus. Jaxx has seed encryption problems. Anyone with access to the OS has access to the master seed. You are doing a disservice to people by recommending JAXX over EXODUS. Exodus properly encrypts the seed and is therefore superior in security.

      • BitEdge

        I don’t recommend either of them. I would love to know a good multi currency software wallet available on Mac and iPhone.

        Edit: I now use and love Edge wallet.

    2. Anonymous

      Where is Exodus based?

      • BitEdge

        I think the USA but I am not sure.

      • Anonymous

        Actually, it is based in Lincoln Nebraska USA

    3. Polar Nadir

      Wow! I am so glad I came across these postings. So many similarities to what I have seen in what happened to my last Wed Nov 29, 2017 when BTC reached 10,000. I stood on the fence as activity indicated a hard push then a hard drop. As the frenzy got going and BTC started to drop I decided to move BTC from my Exodus wallet to Coinbase, sell BTC while still high, then buy at a lower price.

      Activity was hectic and I had problems trying to connect to Coinbase. Eventually I did connect, and tried to send some BTC, but then I got an error message on the connectivity, so I cancelled the transfer, which had started. Lo and behold! When I went back to Exodus I was missing about 1.0 BTC and Exodus did not register such transfer to any place in the block chain. I rescanned the blockchain multiple times (hit the top/middle BTC icon). I checked my Coinbase account. Nothing there. Checked again, and again, Exodus and Coinbase. Nothing, nothing, nothing. Days later, nothing in either Coinbase or Exodus. **poof!!** 1.0 BTC or so gone!

      I also got hacked (different, long sad story, and that was MY stupid mistake). Now I don’t feel safe with Exodus. I believe the hackers may have all my Exodus info (12 words, they got my email as well). I was going to download Exodus onto another laptop, but now I don’t feel like Exodus, as nice as it looks, is safe for my BTC’s. Darn! Some suggest Jaxx, some suggest to keep in Coinbase (have an account with them), Kraken, etc. But with the opinions flying all over with all these (including cold wallets), I still wonder which is the safest, and convenient way to store not just BTC, but some ETH and LTC, and other (Monero) in the future.

      • Anonymous

        Get a hardware wallet, such as Ledger or Trezor. When you contact Exodus, they said that the BTC you had was never there in the first place. It’s a mistake cause you have an older version that recorded you had one extra BTC you never had, and you should update to a newer version. If you believe it. I don’t know if I believe it.

    4. Anonymous

      I’ve read many comments from people in Youtube chat and other forums where people are completely baffled as to why their funds are missing from their Exodus wallet. Developers need to answer for what is a very serious matter. Just what the hell is going on? Anyone with a head screwed on who is keeping funds in Exodus knows a thing or two about basic security of their own computer. I highly doubt all the users reporting missing funds for unexplained reasons have had their machines compromised. Do feel free to comment, JP Richardson.

      • Anonymous

        Agreed – this is very sketchy – devs skimming it?

      • Anonymous

        Reply to JP Richardson. I am one of the people who had around 0.033 BTC not accounted for, equal to 200 some US dollars at that time. I have always kept good records of my Exodus transactions in my own journal. That’s why I am confident to say that it was missing from my Exodus BTC wallet. Just before the BTC went missing, I tried a few times to exchange from BTC to another coin. All attempts somehow failed. While I continued to check what happened, I came across Clif High’s comment. Since he’s tech savvy, I paid attention. He said there could be a GLITCH while doing the exchange or transaction. The transaction is still in the block chain. Just need to be recovered. I was going to talk to your support staff about it and follow up. Although he was polite the last time we communicated, he said he couldn’t help me anymore. Maybe you can shed light onto it. Thanks.

    5. James

      The real problem is with hackers because they are getting smarter nowadays. The hackers normally will copy the sender and receiver wallet addresses and monitor the transactions. These hackers are working in groups of about 3 to 4 of them. They had cracked the Exodus wallet and somebody else’s wallet address can be put in to conflict the transactions. When this happened, the coin transaction goes to the hackers’ wallets. The best method is that we must use secure wallets like Coinbase, Gemini, Luno, Kraken, Poloniex, etc. where G2FA is available and our coins are secured. If they want to hack the wallet, the hackers must have our handphone, PIN and password. In Exodus, the hackers can crack the Exodus software easily and make duplicate wallets of targeted persons. The hackers would delete the outgoing address and make the transaction not happen. We should think ahead of the hackers’ mind and security is our concern.
      I had an experience with the Exodus wallet where the Bitcoin just received in Exodus disappeared after 15 minutes and I did trace that the hackers were trying to copy my Exodus wallet receive address with a cracked password. I keep my Exodus wallet online and after 12 hours, the bitcoin was returned to my Exodus wallet after the hackers failed to crack the password. The hackers are very good at creating conflicting receiver wallet addresses and if they win, they will get easy money.

    6. Anonymous

      I still have no clue why mine was missing. Don’t think my record is wrong. Still investigating. Wish JP Richardson could comment on it. Inside connection??

    7. Anonymous

      On Nov 1, 2017 0.0334 (rounded number) bitcoin went missing from my Exodus wallet. Around $227 USD. Seems very strange. It should have been 0.965, but it showed 0.630. I first rescanned, then closed my Exodus wallet and opened it again, did that a few times but it did not help. So I decided to contact Exodus support. DB of the support team checked and said I had no transaction after Oct 13. 0.630 was the last balance. That’s why it is very strange to me. I record my transactions in my own journal regularly. On Oct 20 it was recorded as 0.965, exactly the same number on Oct 25 and exactly the same on Oct 31. Nov 1 I checked my balance and it was 0.965. That day I wanted to exchange from my bitcoin wallet to other coins using their built-in ShapeShift. Each time using the bitcoin wallet ended with being notified as “fail”. Did it a few times, all failed. So I rescanned, I closed Exodus and opened Exodus again a few times. It is around that time I noticed my balance was 0.630, 0.0334 less than what it should be. I referenced back to my journal and noticed that 0.630 was my balance on Oct 13. But what happened after that? Why does my journal record show 0.0950 on Oct 20, 25 and 31? There’s got to be at least one transaction after that to bring my balance from 0.0630 to 0.0950. Support said none showing after Oct 13 and the block chain doesn’t make mistakes. My journal record is not wrong. What’s the chance of recording something wrong three times in a row? Very slim. What’s the chance of being right after recording the same amount 3 times? Close to 100% chance. I am not saying the block chain did not record it, I am saying the record is missing from my bitcoin wallet. Very strange

      • M

        Wow. Get this – I have the exact same amount missing. I keep a running total of my bitcoin and a few days ago noticed that I was missing 0.033. I started to wonder if my record system was flawed (though I can’t see how, especially with such a large $ amount). Is this a breach across multiple accounts, each taking 0.033??

    8. Anonymous

      I have lost all my assets on Exodus, now I am concerned about using them again. I’m not blaming them, I don’t know exactly how things went wrong, but obviously I am disappointed to say the least; any suggestions of another wallet I should use?

      • Anonymous

        How did it happen? Check my post below you. 0.0334 bitcoin, equal to $226, went missing on Nov 1st. After that I ordered the Ledger Nano, the stick. Other people recommend Jaxx. But I couldn’t download it so used Exodus instead.

    9. Anonymous

      I am currently choosing among 3 desktop wallets, namely Exodus, Electrum or Jaxx. Assuming that, as of today, they are similar in most features, it seems not easy to decide.
      Recently there have been some troubles with the security of Jaxx, more or less real, more or less rumours; anyway, that has brought doubts about it.
      On the other hand, Exodus is a newcomer to this and info about it looks mostly kind of sponsored, with not yet much feedback from real users of Exodus.

      So, what would one say about Electrum at this point?
      ShapeShift is not integrated there, as I understand; indeed for me this is not important. A stylish UI is also not a pro for the decision. What really matters here is safety and stability, as it’s about money. How does Electrum compare to Exodus or Jaxx, any opinion?

      Or maybe, as BitEdge mentioned in one comment here, the better option today is Coinomi although it has no desktop version?

      • BitEdge

        This discussion is about multi-coin wallets such as Exodus, Edge, Jaxx and Coinomi.

        Electrum is not a multi-coin wallet. If you just want a bitcoin wallet I recommend Copay on all platforms.

    10. Anonymous

      You realize how insecure Jaxx is, correct?

      • BitEdge

        Yes you see I mentioned and linked to that. Seems like we are still waiting for a good multi-currency wallet then…

        Edit: Edge wallet is great.

    11. Anonymous

      A follow up to the above: JP has been a true gentleman. I did resolve my issues – it was with the 3rd party exchange and NOT Exodus.
      JP did get in touch with me and, as I explained to him, my transaction was pending for 10 days+ – I just wanted to know where my coins had disappeared to – no fault of JP or Exodus – I take that last comment above back.

      Thanks JP for all your support

    12. Anonymous

      Hi JP Richardson, over the last 6 months our family has had multiple Exodus accounts. It is a very user friendly interface and we prefer to use it compared to other sites.

      However, 8 days ago I sent some coins (ether) from Changelly to Exodus. The transaction has been successful but the coins have not arrived in my Exodus wallet. I have checked all details of the transaction and they are correct. I have also rescanned the blockchain as advised on various sites.

      It’s been 8 days since the trade was completed; I’ve emailed your customer support numerous times, with a holding email replied back to me by Faris.

      I really need to know where my coins have gone as I am finding myself more frustrated day by day.

      And if this is not resolved this week, I will be making other individuals aware to avoid using Exodus, as there seems to be an inherent issue.

      As I said, we have had no issues with the Exodus interface prior to this, but we just want a good after care service so that if this issue comes up again, we know and trust you will resolve it.

      Thank you for reading this and I really hope you will resolve my issue before it escalates further.

      Thanks

    13. CoinSutra

      I have a question regarding email phrase backup. So you offer a backup link via email. How does that work? Do you store the backup phrase elsewhere online?

      • Anonymous

        No reply for this very important question.

      • JD

        It’s my understanding that the “backup” is backing up the history of transactions, not private keys, password, or seed phrase. The Exodus website is not clear about this. I’d like to see some clarity.

        • JD

          Actually, I’ve no idea. What’s the answer?

    14. Anonymous

      I so much love how JP Richardson responded to the above criticisms. The impression I got from that is that Exodus is very ready to take good correction and that will usher it to the top.

      • Anonymous

        I agree, I’m comparing Jaxx and Exodus and that excellent reply means a lot!

    15. Albert Joseph Gaviria

      Hi JP,
      When I receive bitcoin transfers from clubs such as AirbitClub or from Kryptonbit or, say, Gladiacoin,
      do you have a way for me to know in your Exodus wallets from which of these clubs these bitcoins are coming? I don’t have an account yet with Exodus. Coinbase don’t
      Thanks,
      Albert

      • BitEdge

        That is a good use case for multiple addresses. If you could have multiple addresses and label them you could keep track of which one you gave to which sender and therefore keep track of who sends you how much. Electrum has that.

        • JP Richardson

          Agreed. Electrum is a good fit for this.

      • JP Richardson

        No, there is no current way to label incoming transactions, sorry.

    16. JP Richardson

      (my response copied from Reddit)

      Hey Bitedge, Exodus co-founder here…

      Thank you for writing this and sharing your thoughts and perspectives with everyone. Positive and negative feedback is what helps us to improve and to build a better product. Without feedback like this, we’d be blind to our own problems.

      I’ll take each one of your criticisms one-by-one…

      > Exodus forces address reuse

      Many people believe that multiple addresses increase privacy for a user. There is a degree of truth in this – if done properly and appropriately (UTXO selection matters). Exodus has always had many change addresses for UTXO based assets (BTC, DASH, DOGE, LTC) – so when you send funds, the change goes to a different address each time in your Exodus wallet.

      Until recently, we forced a single ‘receive’ address. We viewed this decision partially through the lens of a new user. Eventually we got so many requests to change this, that we decided to allow multiple receive addresses for Bitcoin. You wouldn’t believe the amount of support requests we received stating that we had no right to change the customers’ Bitcoin addresses. Wow, did we mess that one up. So we tweaked the feature a bit, so it always shows the first receive address, but you’ll notice there’s more by clicking the right arrow next to the QR code. We started with Bitcoin first to get the UX correct. I’m still not convinced we have it right. When we do, we’ll start allowing it for other assets where it makes sense (not ETH).

      > Exodus accepts insecure passwords

      I agree. We could do a much better job here. I dropped in this code library from Dropbox https://github.com/dropbox/zxcvbn and never looked back. This is 100% my fault. I should have spent more time on how this all works and fits into Exodus. Moving forward, we may just have to remove the strength estimation altogether or see if we can improve it. I’ll have to put more thought into this, but thank you for pointing this out.

      > Exodus is closed source

      Exodus is not 100% closed source, as can be seen here: https://github.com/exodusmovement/ – we’re working on open-sourcing more of Exodus.

      Why is Exodus not 100% open-source? Because we haven’t validated our business model. That’s it. In the long-term, we’d like to open-source all of Exodus. I think I have credibility making this claim given how much I love open-source (https://github.com/jprichardson && https://www.npmjs.com/~jprichardson) so I have the track record to prove it.
      However, we do understand that many people will not agree with this decision in the short-term and we are okay with these people choosing not to be our customers at this point. Fortunately there are so many desktop wallets in this ecosystem to fulfill most people’s preferences.

      > there is no 2 factor authentication available.

      We are actively working on a solution to this now. Hopefully this will satisfy the security needs of most people.

      Finally, I want to close by saying that we really appreciate the comments and criticisms. We realize we won’t be the perfect solution for everyone, but we like people telling us where we failed so that we can at least try to be the perfect solution for some.

      All my best,
      JP

      • Anonymous

        I am currently on vacation and I just tried to log into my Exodus wallet and got an “invalid password” message. Since I have stored my LTC there that I bought the other day, I feel quite anxious about this issue. I mean, how can my password not work? I tried 10 times more and the same thing happened. My immediate thought is catastrophic, telling me that someone else has taken over my account and sent the money elsewhere. This scares me a lot. I feel stupid to have trusted this wallet and I should have known better than to trust a wallet that doesn’t have 2-step verification installed. I contacted support but they said they would respond in 48 hours. This doesn’t feel good at all 🙁

        • Anonymous

          Hi, I’m so sorry to hear about this experience! Did someone via support help you get your problem solved?

        • Anonymous

          You know what happens to me? If I copy and paste the p.w. it says it is wrong… But if I type it completely then it works!
          Reading you, now I am very insecure…

      • Anonymous

        Exodus wallet is useless!!!!!!!!.. It does not ask for a password on each original opening.. I can simply click the icon and the wallet opens from when i last used it….If someone stole my laptop – they could just open the wallet and send all the coins to their own wallet. STAY AWAY FROM THIS WALLET IT IS USELESS

        • Anonymous

          Well first they’d have to log into your laptop, so obviously don’t leave it lying around unlocked. Second, try actually following updates because I have had Exodus installed for several months and unless I open the wallet, say, 10 minutes after I closed it, it will ALWAYS prompt me for a password. Lastly, grammar really is important if you want your comment to be taken seriously. That means, one exclamation point is plenty, only one period at the end of each sentence is required, hyphens aren’t the same as commas, and typing in all caps just makes you look dumb. Have a lovely day!

      • M

        JP,

        Thanks for your high engagement when customers have questions or concerns. Do you have any thoughts on the recent messages on this board where several people have independently found a gap of 0.033 coins from the Exodus wallet? I find it hard to believe that we are all making an accounting error in our records that exactly equals 0.033 for all of us.

        Your response would be appreciated.
