A vulnerability in the code of Coinomi’s desktop wallet sent the users’ passphrases to google for a spell check, potentially affecting all of those who decide to restore their wallets.
Warith Al Maawali, a wallet user who allegedly lost his life savings after restoring his wallet with an approximate 60 – 70 k in cryptocurrencies, disclosed the information.
@kimionis Funds stolen because of coinomi wallet more details on this #ticket https://t.co/FfXdSvOxfX @CoinomiWallet
— Warith Al Maawali – وارث المعولي (@warith2020) February 23, 2019
User Finds that Coinomi Sends Your Wallet Passphrase to Google for Spell Check
Warith tried several times to communicate with Coinomi’s team, yet could not reach a satisfactory solution, so he decided to write a post and raise awareness through social networks.
In a Reddit post, Warith explains that after using the passphrase of his Exodus wallet, he noticed a strange series of transactions, losing almost 90% of his funds. The first thing he verified was that the Coinomi Wallet was not signed, something that led him to think that it could contain some backdoor.
@CoinomiWallet Hi guys your windows wallet has the file Coinomi.exe which is not digitally signed are you aware of that ? That's the main wallet EXE I won't put my money on app that is not digitally signed 😬 pic.twitter.com/zkDzsQjl4z
— Warith Al Maawali – وارث المعولي (@warith2020) February 14, 2019
Later he contacted Coinomi, and they proceeded to fix this error, signing the app. However, he was able to verify that the software was exactly the same.
Then, he ran a program to monitor https, and https traffic and the results were surprising:
“I started monitoring the traffic by running Fiddler in the background and then started Coinomi wallet. The first thing I noticed is that Coinomi application starts downloading dictionary wordlist from the following web address:
https://redirector.gvt1.com/edgedl/chrome/dict/en-us-8-0.bdicThen I clicked on restore wallet and pasted a random passphrase and suddenly the screen screamed SURPRISE MOTHER******** (boom puzzle solved!)
The WHOLE passphrase in plain-text is sent to googleapis.com a domain name owned by Google! It was sending it as a spelling check function! Here is sample of the screenshot of the HTTP request:
To see the whole “experiment” click the video below:
“The Coinomi meltdown is further evidence of why software wallets are a recipe for disaster. When entrusting a software wallet with your assets, you are exposing your private keys to the internet, leaving them vulnerable to attack. Simply put, cold storage on a hardware wallet is the only way for investors to ensure complete security of their private keys.”
Coinomi Responds
After this, Coinomi issued an official statement. The team quickly patched the desktop app, confirming that it did not affect mobile wallets. They also explained that while Warith’s findings are accurate, it is improbable that a hack could have occurred.
The team explains that it looks more like a “bribe” since the communication goes directly from the wallet to the google server, without going through Coinomi. Likewise, Google automatically rejects the connection.
They explain that it is false that they have refused to solve the problem. According to Coinomi, they responded to Warith asking for more information; however, the user declined to collaborate:
During these days, Warith Al Maawali repeatedly refused to disclose his findings and kept threatened to take this public if we didn’t pay right away the ransom of 17 BTC which would make up for the “hacked” funds (stolen by Google, according to Warith Al Maawali) that are possibly still controlled by him and couldn’t have been hacked because of Coinomi for a series of reasons:
- Coinomi Team never had access to these seed phrases or funds
- No one else except from Google could read the contents of the encrypted packets that contained the seed phrases
- Google rejected these requests initiated by jxBrowser/Chromium as they were badly formed (didn’t contain a valid Google API key) and never actually processed them
…
To sum things up: was there an issue with our Desktop wallets? Yes, there was, and it was fixed hours only after it was disclosed to us. Could this issue have resulted in loss of funds?
- Practically, no, it couldn’t have.
Warith has stated that he is considering taking “legal actions against the company behind Coinomi if they don’t act and take the responsibility”, but he has not provided any further information or comment on Coinomi’s statements.
The use of hot wallets, while safe, also carries significant risks that must be taken into account when storing large amounts of funds in crypto. If users are going to store large sums of money, the best option is a cold wallet or hardware wallet that eliminates any possibility of interception.
Ledger CEO Eric Larchevêque explained to Ethereum World News that right now, a hardware wallet is the safest (and most convenient) option for those who store large ammounts of money. Being the sole owner of the private keys to a wallet is the only way to prevent a hack or an attack similar to the one experienced by Coinomi and other hot wallets and exchanges:
“The Coinomi meltdown is further evidence of why software wallets are a recipe for disaster. When entrusting a software wallet with your assets, you are exposing your private keys to the internet, leaving them vulnerable to attack. Simply put, cold storage on a hardware wallet is the only way for investors to ensure complete security of their private keys.”
