Strange Daedalus Glitch - Huge Security Problem

daedalus

#1

I tried recovering a wallet and closed the app before it could finish. When I tried reopening the app from a shortcut I had pinned to my Windows taskbar

(which did not bring up a user account control message asking if I wanted cardano-launcher.exe to make changes to the device),

I got a "connecting to network" message that went on forever… I tried to fix this by letting the program run overnight and there was no effect, but then I tried uninstalling Daedalus and reinstalling…

After reinstalling, I opened Daedalus with the shortcut created on the desktop by the installer

(which brought up a user account control message asking if I wanted cardano-launcher.exe to make changes to this device)

and it booted up. It showed the wallet that I had tried to recover before uninstalling and reinstalling the program, which is really weird because there should have been nothing saved to the computer after uninstalling the program, but the wallet that I attempted to recover opened up as if the uninstall never happened…

I have full functionality of the wallet as long as I use the desktop shortcut created by the installer and not a taskbar-pinned shortcut… but the big concern here is that my wallet did not get erased when I uninstalled the program and that I did not need a 12-word recovery phrase to get back in…

If my laptop gets stolen and someone installs the wallet, my funds may just go "bye-bye". This is a huge security risk…

someone help?

Wayne

#2

It's the same as if you hadn't uninstalled the program: the spending password is required to move your coins (assuming you set one up; not sure whether it's optional or not, but I don't think it should be).


#3

If you are installing on a new computer, you have to set up a new password, which sucks considering anyone can read the 12 words, take your money on a different computer and bypass the password.


#4

That's a different issue that's been brought up before and I'm very sure will be addressed, but they'd have to be looking over your shoulder or get a screenshot anyway. Not saying everything's fine, it's not, but I think "huge security problem" is an exaggeration.


#5

This is true, but this is the exact same thing as for hardware wallets like the Ledger Nano S. In order to recover your hardware wallet, you use the seed phrase as well and then set up a PIN code again.

For this reason, you should never store your "seed" phrase (12 words for Daedalus and 24 for Ledger) in a place that is hackable or on your person. It should be written down and stored in a secure place or secure places.

For example, you could have a few different copies of your seed phrase laminated (or ziplocked, or whatever) and stored in different secure places. Or, for more security, you could even split up your seed phrase into sections, like words 1-4, 5-8, and 9-12, and store them in different places. In this way, compromise of any one location would not allow for the restoration of the wallet. You would need to have access to all three places in order to restore the wallet.

Is this optimal? Probably not. However, it's probably the best system we have so far.