Reports: Coinomi Wallet Critical Vulnerability Discovered
The Coinomi cryptocurrency wallet reportedly has a critical vulnerability that has already cost some users their funds. According to claims circulating online, the wallet sends users' seed phrases in plain text to a third-party spellchecking service.
The Coinomi team has not yet responded to a request for comment, nor have they commented on the issue through any channel. The wallet has more than half a million downloads on the Google Play Store.
Luke Childs (@lukechilds) on Twitter, February 27, 2019: “Some people don't seem to be able to see the video because the quote tweet is shown instead, here's the video: pic.twitter.com/x592HW9sEi”
Warith Al Maawali, an IT security consultant, is credited with discovering the issue. He set up a website, avoid-coinomi.com, where he shared his account of events, and later posted it on Reddit as well.
“First of all I admit it was my mistake trusting Coinomi wallet by inserting one of my main wallets (Exodus wallet) passphrase into their application,” Al Maawali explains, adding, “I wanted to shift some of the assets that were not supported by Exodus wallet using the same passphrase/seed.” According to the consultant, the Coinomi application he installed on February 14 was not digitally signed, which he brought to the attention of the Coinomi team through Twitter; by then, however, he had already entered his Exodus wallet passphrase into the unsigned build.
On February 22nd, he noticed that “more than 90% of my Exodus wallet assets were transferred to multiple wallet addresses and the first transaction began with BTC on 19th February 2019 around UTC 3:30 AM. Then followed by ETH (including ERC20 tokens), LTC and finally BCH.”
When he dug into the issue, he found that the entire passphrase was being sent in plain text to googleapis.com, a domain owned by Google, for spellchecking. “As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my USD 60K – USD 70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a cryptocurrency wallet,” u/warith explains.
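The check a user can run before trusting any wallet with real funds follows directly from the above: restore the wallet with a throwaway seed, route the device through an intercepting proxy, and search every outbound request for the words of that seed in every encoding the app might use. The script below is an added example and is not code from the article, from Coinomi or from Al Maawali. The request captures are constructed; the hosts other than googleapis.com, the request paths, the query parameter names and the JSON shapes are assumptions, and the 12-word phrase is a throwaway made of the first BIP39 words, not a real wallet.

```python
"""Scan captured wallet traffic for a throwaway test seed phrase (added example)."""
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Throwaway 12-word phrase built from the first BIP39 words; never a real wallet.
TEST_SEED = ("abandon ability able about above absent absorb abstract "
             "absurd abuse access accident")

# Constructed captures in the shape an intercepting proxy might log.
# Paths, parameter names and the non-Google hosts are assumed.
CAPTURED_REQUESTS = [
    {   # the whole seed in a URL-encoded query string
        "method": "GET",
        "url": "https://www.googleapis.com/spell/v1/check?text=abandon%20ability%20able"
               "%20about%20above%20absent%20absorb%20abstract%20absurd%20abuse"
               "%20access%20accident&key=REDACTED",
        "body": "",
    },
    {   # benign price lookup, no seed words
        "method": "POST",
        "url": "https://api.example.invalid/v2/price",
        "body": json.dumps({"symbols": ["BTC", "ETH"]}),
    },
    {   # the whole seed inside a JSON body
        "method": "POST",
        "url": "https://spell.example.invalid/check",
        "body": json.dumps({"text": TEST_SEED}),
    },
    {   # only a fragment of the seed, plus-encoded
        "method": "GET",
        "url": "https://www.googleapis.com/spell/v1/check?text=abandon+ability+able",
        "body": "",
    },
]

WORD = re.compile(r"[a-z]+")


def _decoded_views(request):
    """Yield every plaintext view of a request worth inspecting: raw and
    decoded query string, each query value, raw and decoded body, and
    every string nested anywhere inside a JSON body."""
    parts = urlsplit(request["url"])
    yield parts.query
    yield unquote_plus(parts.query)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        yield value
    body = request.get("body") or ""
    yield body
    yield unquote_plus(body)
    try:
        stack = [json.loads(body)]
    except ValueError:          # empty or non-JSON body: nothing more to walk
        return
    while stack:
        item = stack.pop()
        if isinstance(item, dict):
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)
        elif isinstance(item, str):
            yield item


def longest_seed_run(text, seed_words):
    """Length of the longest run of consecutive seed words, in seed order,
    found in text. Matching runs rather than single words keeps common
    English seed words such as 'about' from triggering on ordinary JSON."""
    tokens = WORD.findall(text.lower())
    best = 0
    for i in range(len(tokens)):
        for start in range(len(seed_words)):
            k = 0
            while (i + k < len(tokens) and start + k < len(seed_words)
                   and tokens[i + k] == seed_words[start + k]):
                k += 1
            best = max(best, k)
    return best


def find_seed_leaks(requests, seed_phrase, min_words=4):
    """Return (method, host, run_length) for each request that carries at
    least min_words consecutive seed words in any decoded view."""
    seed_words = seed_phrase.split()
    leaks = []
    for req in requests:
        run = max(longest_seed_run(v, seed_words) for v in _decoded_views(req))
        if run >= min_words:
            leaks.append((req["method"], urlsplit(req["url"]).netloc, run))
    return leaks


def seed_words_per_host(requests, seed_phrase):
    """Distinct seed words seen per destination host across all requests.
    This catches what the run check misses: a wallet that looks up each
    word separately still hands the whole seed to one host over time."""
    seed = set(seed_phrase.split())
    seen = {}
    for req in requests:
        host = urlsplit(req["url"]).netloc
        for view in _decoded_views(req):
            hits = seed.intersection(WORD.findall(view.lower()))
            if hits:
                seen.setdefault(host, set()).update(hits)
    return {host: len(words) for host, words in seen.items()}


if __name__ == "__main__":
    for method, host, run in find_seed_leaks(CAPTURED_REQUESTS, TEST_SEED):
        print(f"LEAK: {method} to {host} carried {run} consecutive seed words")
    print("seed words per host:", seed_words_per_host(CAPTURED_REQUESTS, TEST_SEED))
```

On the constructed captures, both the URL-encoded query and the JSON body are flagged as full 12-word leaks, the three-word fragment is only flagged if min_words is lowered to 3, and the per-host tally shows googleapis.com receiving all 12 words. In a real run the captures would come from a proxy such as mitmproxy, and only a throwaway seed should ever be used, since the test is the leak.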
He contacted Coinomi with his findings, but the response was not what he expected. “Coinomi’s team did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation,” he wrote, adding, “They kept reminding me (kinda threatening me) of the legal implications if I go public with the information I have and they forgot their legal responsibility for my stolen crypto assets as well as the risk that impacts other users of the wallet.” He concludes by saying that he is considering legal action against Coinomi LTD, the UK-based company, if it does not take responsibility for the security bug.
Meanwhile, some other users also claim they’ve lost their funds: