Coinomi Wallet User Lost $70k Crypto Worth Because of the Spell Check

Coinomi Wallet User Lost $70k Crypto Worth Because of the Spell Check

 

The Coinomi wallet appears to be on the receiving end after it hit Reddit and the social media headlines for the last three days. The Coinomi wallet vulnerability has been the hacker target which makes it easy for them to access the user funds. The wallet apparently sent plain text seed to Google API for a spell check.

The vulnerability was exposed by a user who discovered between $60-70k worth of crypto were missing moments after installing the Coinomi wallet.  This is after the user used another wallets’ passphrase into the restore field to enable him to move some unsupported assets. Seven days after the transaction, over 90% Coinomi supported assets were missing from the main wallet funds.

Why Spell Check a Passphrase?

Spell checking a passphrase sound like fiction, however, after investigating further, it has been revealed that when the passphrase is entered into the “Restore Wallet” tab it is converted to plain text and send to googleapis.com to be checked for spelling thus creating a weak entry point for the hacker to get hold of your data.

This has exposed the Coinomi system since their wallet software has a spell check feature by default and an entry point for hackers to access the user’s sensitive data and eventual disappearance of their hard-earned crypto from the Coinomi wallet.

Once such data is sent as plain text, it is sent through a secure interface. The information can only be accessed and viewed by someone who can also access googleapis.com and any data therein. The system glitch might appear small but is a huge loss for Coinomi and the user confidence is poised to ebb away.

Choose Between Being Safe Rather than Safe

The wallet service provider has “secretly fixed the bug” on their system but are yet to fix the user confidence. The details of the seed phrases are still being held in a Google server in some location and moving your funds from the wallet now is the only logical thing to do.

The team behind the Coinomi project has however moved swiftly and awarded the user a bug bounty to safe the situation. However, the user is not happy about the experience especially after getting some unprofessional response from the platform’s CTO.

However, Coinomi have been able to track the addresses involved and they remain

The user whose funds were stolen has been awarded a bug-bounty by Coinomi, but isn’t happy with their response regarding his funds. For their part, Coinomi have identified the addresses where the funds remain untouched since the ‘incident’. These addresses have been blacklisted, so no exchange will deal with them, but the user is demanding a more immediate resolution.

Coinomi wallet privacy issues have been there since last year. This saw the wallet leak investor addresses in plain text upon opening and users have been on social media warning on the same:

Luke Childs

“I warned people to stay away from @CoinomiWallet last year after I discovered a major privacy issue where they were leaking all users address in plain text as soon as you open the app”