Earlier this week, Coinomi, cryptocurrency wallet that enables users to trade, secure and manage their Bitcoin [BTC] and other cryptocurrencies, was recently under the scrutiny of the cryptocurrency space as an alleged vulnerability in the wallet was bought to light on Reddit by Warith Al Maawali. However, Coinomi has now addressed this issue on its official web page.
The user of the platform has claimed to have lost about $60,000 – $70,000 worth of cryptocurrency because of this vulnerability. According to the post, the wallet’s “poor implementation” has, in turn, resulted in users plain-text passphrase being shared to a third-party server. Here, the third-party under the limelight is Google servers. The user said on Reddit:
“Please note that this security issue cannot be exploited by anyone except by the people who created it or have control over the backend. To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application otherwise your funds might get stolen sooner or later.”
This was followed by the user stating that the wallet’s seeds, otherwise known as a passphrase, are spell checked by Google servers in “clear plain text”, thereby enabling remote access to Google. He went on to say:
“So essentially the textbox which you enter your passphrase in, is basically an HTML file ran by Chromium browser component and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for spelling check (how awesome is that!)”
When this news broke-out in the cryptocurrency space, several other users of the wallet-provider also came forth stating that they had also lost their funds on the platform recently. Nonetheless, the platform also spoke about this issue. In a blog post, the platform said:
“The report said that seed phrases were being sent over to Google in plain text due to a built-in spell-check functionality in Desktop wallets and that there was a wallet hacked due to this vulnerability. Our engineers confirmed that spell-check functionality was indeed enabled for the Desktop wallets only — the mobile apps were not affected by this.”
This was followed by the platform stating that the problem was not in its source code, but was, in fact, a “bad configuration option in a plug-in used in Desktop wallets only”, allowing the spell-check functionality to be a default. Nonetheless, this problem has now been fixed by the developer team and desktop users are required upgrade to the version and create a new wallet.
The post also read:
“Given the facts above, it’s extremely unlikely that this issue would ever result in loss of funds, however under no circumstances a seed phrase should go online even if this is in encrypted mode and for this we sincerely apologize. “
Luhe, another Redditor said:
“Which is more than likely true. I’ve never used this wallet, but their reasoning makes sense from a computer science perspective of view. Nobody else should have had even the theoretical possibility to see the content (I can see some possible attack scenarios, but they most likely wouldn’t be possible unless Coinomi really f***** up).”
Localether, a Reddit user said:
“Your coins are safu… as long as you trust that google employees are not grepping for pass phrases and then testing them against blockchain addresses.”