Coinomi Pens Official Statement Regarding Cryptocurrency Attack and Spell Check Findings
A wallet that has been downloaded more than 500,000 times appears to be affected by a vulnerability: the software reportedly sent wallet recovery phrases to Google’s remote spell-checker servers in plain text. However, the company released a blog post refuting these accusations.
Coinomi explains that the seed phrase was transmitted encrypted using SSL (HTTPS), so Google was the only recipient able to decrypt the message.
According to the security consultant who disclosed this vulnerability, when a user restores a wallet from its seed, Google employees can see the seed in plain text.
Coinomi wrote that the seed phrase was not transmitted in plain text; rather, it was encapsulated inside an HTTPS request. The firm says its engineers confirmed that spell-check functionality was indeed enabled for the Desktop wallet.
Moreover, Coinomi says that the seed phrase was not transmitted at all unless the user explicitly chose to restore a Desktop wallet.
The company explained on the matter:
“The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request” and weren’t processed further by Google.”
According to Coinomi, its engineers were immediately able to track down the cause of the issue. They explained that it was not a bug in their source code but a misconfigured option in a plug-in used only in the Desktop wallets.
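One check a wallet team could run against a restore screen, as an added example that is not Coinomi's code: it assumes the seed-entry UI is HTML rendered in a Chromium-based desktop shell (the article does not say this) and scans the markup for secret fields that are still eligible for spell-checking, which is the exposure the misconfigured plug-in created.

```javascript
// Added example (not Coinomi's code). Assumption: the restore form is HTML in a
// Chromium-based desktop shell, where a <textarea> or text <input> without
// spellcheck="false" may have its contents sent to a remote spell-check service.
const SECRET_HINTS = /seed|mnemonic|recovery|passphrase|private/i;

// Parse the attribute string of one opening tag into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:-][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Return one finding per secret-entry field that a spell-checker could still read.
function auditSpellcheckExposure(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[2]);
    const label = [a.id, a.name, a.placeholder, a['aria-label']].filter(Boolean).join(' ');
    if (!SECRET_HINTS.test(label)) continue;               // not a secret field
    if (tag === 'input' && a.type === 'password') continue; // password inputs are not spell-checked
    if (a.spellcheck === 'false') continue;                // explicitly opted out
    findings.push({
      field: a.id || a.name || `<${tag}>`,
      reason: a.spellcheck === undefined
        ? 'spellcheck attribute missing (defaults to enabled)'
        : `spellcheck="${a.spellcheck}"`,
    });
  }
  return findings;
}

// Constructed sample markup: a leaky restore form beside its hardened version.
const LEAKY_FORM = `
  <textarea id="seed-phrase" placeholder="Enter your 24-word recovery phrase"></textarea>
  <input type="text" name="wallet_passphrase" spellcheck="true">
  <input type="password" id="private-key-pin">`;

const HARDENED_FORM = `
  <textarea id="seed-phrase" spellcheck="false" autocomplete="off"></textarea>
  <input type="text" name="wallet_passphrase" spellcheck="false" autocomplete="off">`;

console.log(auditSpellcheckExposure(LEAKY_FORM));    // two findings
console.log(auditSpellcheckExposure(HARDENED_FORM)); // []
```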
SECURITY VULNERABILITY
@CoinomiWallet sends your plain text seed phrase to Google's remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
— Luke Childs (@lukechilds) February 27, 2019
A user named Warith Al Maawali filed a support request on the company’s board about a vulnerability in its wallet. According to the user, his wallet was hacked because of this issue. He then created a website called Avoid-Coinomi, on which he warns users about Coinomi’s problems.
According to information shared with Cointelegraph, Maawali asked the firm to refund the stolen assets or their equivalent in US dollars, and warned the company that he could publicize the matter on social media. Coinomi said it would report the issue to Chainalysis so that the funds could be blacklisted.
The cryptocurrency market has been experiencing such incidents for a very long time; there have been numerous attacks and hacks against crypto-related platforms and wallets alike. However, the best way to store virtual currencies remains cold storage wallets.