This article series will devote considerable time and energy to cover the litany of reasons why one should never use MyMonero under any circumstance.
Neither the site nor the software itself is secure in any way, shape or form. That said, there are plenty of things that could be done to enhance the security of the software package, and many of them are obvious.
But for some reason, these efforts have not been made at all.
What makes this particularly egregious is the fact that this tool was packaged and shipped by the Monero team (specifically, it received its blessings from 'fluffypony', an individual widely regarded as the "founder" of Monero).
Some Background Information on MyMonero
For those that aren't familiar with Monero, it should be known that running the regular wallet client (i.e., the 'flagship' client provided by the team to allow users to interact with the network) also requires one to run a full node at the same time.
While the Monero blockchain is not quite as large as the Bitcoin blockchain (at the time of writing), it is still pretty sizable.
At the time of writing, 'bitinfocharts' estimates that the blockchain is approximately 63.75GB.
While this isn't an overwhelming amount of data for most, it's still quite a bit of bandwidth to expend if one does not otherwise have a Monero daemon running on their device.
Furthermore, this process would likely need to be repeated on every device one wishes to interact with Monero on (unless a robust internet-facing RPC module has been set up).
Where 'MyMonero' Comes in
MyMonero offers itself as an alternative for users that would like to interact with Monero without downloading the entire chain and running the daemon constantly on their computers (or being forced to re-sync every time they wish to send / check a transaction).
As noted on a website called 'hashedhealth' (for some reason) in a presentation covering the features of 'MyMonero', MyMonero is, "[A] web wallet founded in 2014 by Monero project Lead Maintainer Riccardo Spagni ("fluffypony") to improve usability of Monero for ordinary people; CLI for hackers."
It's currently unknown what is meant by the term "ordinary people" since wrapping one's head around the concept of 'MyMonero' may require even more of a grasp of Monero's technical underpinnings than using it via "regular" means.
Concerning Lack of Regard for Security by 'fluffypony'
As stated previously, the individual that goes by the alias 'fluffypony' in the crypto community is Riccardo Spagni, widely regarded as the "founder" or 'Lead Maintainer' of Monero.
This is being mentioned as a preface to a particular comment that he made which we're going to examine in greater depth below.
Reddit Post Remarking on the Lack of Verification for Appstore Version of 'MyMonero'
Around three years ago, a user on the Monero subreddit put up a post remarking that users had no way of verifying that the 'MyMonero' app on the App Store contained the same codebase as the 'MyMonero' web service.
In a reply to that post, Riccardo Spagni wrote the following:
"We’re planning on releasing the official GUI on iOS / Android / Mac / Windows as well, under the Monero Distribution Company account. We won’t be able to do reproducible builds through it, but it’s not like users are going to check GPG sigs and SHA hashes anyway. Access to Monero is important, and we want to maximise access to the software, even if it’s in something of a trusted environment."
Millions of Things Wrong With This Post
Below is a brief numbered list addressing some of the issues with fluffypony's response.
This list should not be considered anywhere near exhaustive.
- If Monero is an open-source decentralized community, then why is it being distributed under the "Monero Distribution Company" account? What does that even mean?
- Why isn't the Monero team able to provide a reproducible build for their iOS / Windows / MacOS apps if the web version is open source? Once again, this seems to flagrantly violate the principles of open source coding.
- The fact that the Monero team refuses to provide an open-source reproducible build of the wallet is, seemingly, well within their rights. However, that raises the greater issue of their license, which actually violates the copyright of CryptoNote, the project Monero was forked from.* (more on this later)
- Riccardo could not have been more inaccurate in his statement that, "It's not like users are going to check GPG sigs and SHA hashes anyway." In an environment like crypto, some users are entrusting the software they use to protect funds in excess of tens of thousands of dollars. To suggest that those individuals wouldn't even bother to perform a cursory check of a GPG signature or a SHA hash (an act which takes less than 30 seconds with the right software) is ludicrous.
- Fluffypony's position on this issue 100% deprives users of the ability to ensure that they are using the "real" version of the MyMonero app (vs. an imposter).
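To make the "under 30 seconds" check concrete, here is an added example (not code from this article, from MyMonero or from the Monero project) of what a user actually does with a published SHA-256 digest list and its PGP signature. The file names, the `SHA256SUMS` contents and the "release" it creates under a temporary directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a downloaded release file against a published
# SHA-256 digest list, and check that the list itself is PGP-signed.
# The release built under $demo below is constructed, not a real download.

# SHA-256 of a file, portable across coreutils (sha256sum) and BSD (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX: succeeds only if the digests match.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# verify_against_list FILE SHA256SUMS: look up FILE's basename in a
# sha256sum-style list ("<hex>  <name>" or "<hex> *<name>") and compare.
# Fails when the name is absent, so an unlisted file is never "verified".
verify_against_list() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
  if [ -z "$expected" ]; then return 1; fi
  verify_sha256 "$1" "$expected"
}

# verify_signed_list SHA256SUMS.asc SHA256SUMS: the digest list only means
# something if the project's (already imported) key signed it.
verify_signed_list() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  gpg --verify "$1" "$2"
}

# Constructed demo: a fake release whose "binary" is the three bytes "abc".
demo=$(mktemp -d)
good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
printf 'abc' > "$demo/wallet.bin"
printf '%s  wallet.bin\n' "$good" > "$demo/SHA256SUMS"
if verify_against_list "$demo/wallet.bin" "$demo/SHA256SUMS"; then
  echo "wallet.bin: digest OK"
fi
printf 'abd' > "$demo/wallet.bin"   # one byte changed, like a tampered download
if ! verify_against_list "$demo/wallet.bin" "$demo/SHA256SUMS"; then
  echo "wallet.bin: digest MISMATCH, do not run it"
fi
# With a real release, run verify_signed_list SHA256SUMS.asc SHA256SUMS
# first, then verify_against_list on every downloaded file.
```

The digest check alone only proves the file matches the list; the signature check on the list is what ties it to the project's key, which is exactly the step a non-reproducible App Store build denies the user.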